Analysis
- max time kernel: 155s
- max time network: 165s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-02-2022 20:33
Behavioral task
- behavioral1
- Sample: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds
General
- Target: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
- Size: 58KB
- MD5: 96a8df3f39d930dd11ea0453c5d81497
- SHA1: 615ed7b29a61503c2d8b76615769279ff93dcdbf
- SHA256: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069
- SHA512: 9d00921c6a3cd9fd31025ec33a6634602041d7ab808ffe98e695a9a16a13613e1b5a40aed2a8575e3ee9098c59310487a741d2e6c85f463005948984343f6929
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
Processes: routerfoot.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: routerfoot.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 25 IoCs
Processes: routerfoot.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: routerfoot.exe
- PID 676 routerfoot.exe (reported 5 times)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
- PID 1684 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe, routerfoot.exe
- PID 964 (0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe) wrote to memory of PID 1684 (0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe), reported 4 times
- PID 1120 (routerfoot.exe) wrote to memory of PID 676 (routerfoot.exe), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0c1e0e94c1f0563902772733765d822c28a4c92bee60602609dd8f0cea4ee069.exe
    command line: --5b933e96
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\routerfoot.exe
  command line: "C:\Windows\SysWOW64\routerfoot.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\routerfoot.exe
    command line: --1d6be269
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1684-54-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize: 8KB)