Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 22-02-2022 18:53
Behavioral task: behavioral1
  Sample: 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  Resource: win10v2004-en-20220113
General
- Target: 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
- Size: 202KB
- MD5: beaf5e523e8e3e3fb9dc2a361cda0573
- SHA1: b038caeed3466c07c5f473bfd6c5bd11e5afccf1
- SHA256: 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a
- SHA512: f0692ff4b5b2278952806b183246a96077c893d2487c5023b56bbccfbd8d16f09dd9394aae8cc71d33ad8b3d9474f4e7825bcccc0f24029eaa753d131fc8a683
Malware Config
Signatures

- Drops file in System32 directory (4 IoCs)
  Processes: turnedadmin.exe
  description                  | ioc                                                                                                      | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5             | turnedadmin.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5           | turnedadmin.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                    | turnedadmin.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                     | turnedadmin.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (3 IoCs)
  Processes: turnedadmin.exe
  description     | ioc                                                                                                                                    | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                       | turnedadmin.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"           | turnedadmin.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"          | turnedadmin.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe, 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe, turnedadmin.exe, turnedadmin.exe
  pid  | process
  4568 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  4568 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  4964 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  4964 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  3340 | turnedadmin.exe
  3340 | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe
  64   | turnedadmin.exe

- Suspicious behavior: RenamesItself (1 IoC)
  Processes: 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  pid  | process
  4964 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe, turnedadmin.exe
  description                      | pid  | process                                                               | target process
  PID 4568 wrote to memory of 4964 | 4568 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  PID 4568 wrote to memory of 4964 | 4568 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  PID 4568 wrote to memory of 4964 | 4568 | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe | 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  PID 3340 wrote to memory of 64   | 3340 | turnedadmin.exe                                                       | turnedadmin.exe
  PID 3340 wrote to memory of 64   | 3340 | turnedadmin.exe                                                       | turnedadmin.exe
  PID 3340 wrote to memory of 64   | 3340 | turnedadmin.exe                                                       | turnedadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
  "C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe"
  PID: 4568
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
      "C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe"
      PID: 4964
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\turnedadmin.exe
  "C:\Windows\SysWOW64\turnedadmin.exe"
  PID: 3340
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\turnedadmin.exe
      "C:\Windows\SysWOW64\turnedadmin.exe"
      PID: 64
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/64-134-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/4568-130-0x0000000002180000-0x0000000002192000-memory.dmp (Filesize: 72KB)
- memory/4568-131-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/4964-132-0x0000000002040000-0x0000000002052000-memory.dmp (Filesize: 72KB)
- memory/4964-133-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)