Analysis
- max time kernel: 138s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 23-02-2022 00:19

Behavioral task: behavioral1
- Sample: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
- Size: 59KB
- MD5: ef3d2ab168550010abb419edb9d1ab93
- SHA1: c552e7c0fd01dde456d5bc8c9d5c233af5793ba9
- SHA256: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741
- SHA512: 804d92f499f56b298b918b973e2c42d859b7e5db7b35b9a5e7fd63595eed3e254cd3a1748a11844b227aa9393b6d61a1ccd8a98d14056a03a79d3419f587da4d
Malware Config

Signatures

- Drops file in System32 directory (1 IoC)
  Process: ttlsnetsh.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  Note: counters.dat under the systemprofile Temporary Internet Files folder is a WinINet cache file, so this entry records a side effect of ttlsnetsh.exe using WinINet from the LocalSystem profile rather than a payload being written. The System32 artefact to collect is C:\Windows\SysWOW64\ttlsnetsh.exe itself (see Processes below).

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (21 IoCs)
  Process: ttlsnetsh.exe
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DA3CF4AA-1C09-4456-9C5F-3A967AE1F395}\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DA3CF4AA-1C09-4456-9C5F-3A967AE1F395}\12-f3-9b-92-b4-4a
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-f3-9b-92-b4-4a\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-f3-9b-92-b4-4a\WpadDecision = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DA3CF4AA-1C09-4456-9C5F-3A967AE1F395}\WpadNetworkName = "Network 2"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DA3CF4AA-1C09-4456-9C5F-3A967AE1F395}\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DA3CF4AA-1C09-4456-9C5F-3A967AE1F395}
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DA3CF4AA-1C09-4456-9C5F-3A967AE1F395}\WpadDecisionTime = c0fe0a955328d801
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-f3-9b-92-b4-4a
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-f3-9b-92-b4-4a\WpadDecisionTime = c0fe0a955328d801
  Note: all 21 writes sit under HKEY_USERS\.DEFAULT\...\Internet Settings, the hive WinINet uses when a process runs as LocalSystem. WpadDecision, WpadDecisionReason, WpadDecisionTime, WpadNetworkName and the DefaultConnectionSettings blob are written by WinINet proxy auto-detection; together with the counters.dat write above they indicate that ttlsnetsh.exe made WinINet calls from a SYSTEM context. They are not a persistence mechanism, and they will be present on any host where the binary ran as a service and touched the network, which makes the key names useful as corroborating artefacts but poor stand-alone detections.

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Process: ttlsnetsh.exe, PID 576 (three occurrences)

- Suspicious behavior: RenamesItself (1 IoC)
  Process: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe, PID 780

- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 792 (0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe) wrote to memory of PID 780 (0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe), four times
  - PID 1472 (ttlsnetsh.exe) wrote to memory of PID 576 (ttlsnetsh.exe), four times
Processes

- C:\Users\Admin\AppData\Local\Temp\0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe" (depth 1; PID 792 per the WriteProcessMemory IoCs)
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe
    Command line: 0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe --59305214 (depth 2; PID 780)
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\ttlsnetsh.exe
  Command line: "C:\Windows\SysWOW64\ttlsnetsh.exe" (depth 1; PID 1472 per the WriteProcessMemory IoCs)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ttlsnetsh.exe
    Command line: ttlsnetsh.exe --e12c5c61 (depth 2; PID 576)
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

Both trees show the same pattern: a parent launches a second copy of its own image with a single "--" argument of eight hex digits, then writes into the child's memory. The second tree is rooted at C:\Windows\SysWOW64\ttlsnetsh.exe, which does not appear in the first tree as a child; the report does not show how it was started, only that the original sample renames itself (PID 780) and that ttlsnetsh.exe is the process that touches the registry and file system.
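The process pattern above (same-image child, eight-hex-digit "--" argument, parent writes into the child) and the hash IoCs in the General section can be turned into two checks a responder can run over their own telemetry. The code below is an added example, not part of the sandbox report; the ProcEvent/WriteEvent record shape, the benign notepad.exe control process and the parent PIDs of the two tree roots are assumptions made for the example, while the hashes, image paths, PIDs and arguments are copied from the report.

```python
"""
Added example (not sandbox output): two checks built from the IoCs in the report.

  hash_iocs_match()      - compare a file's MD5/SHA1/SHA256 with the report's hashes.
  find_self_injection()  - flag a parent that spawns a copy of its own image with a
                           single "--<8 hex digits>" argument and then writes into
                           that child's memory (the WriteProcessMemory pattern above).
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hashes of the analysed sample, copied from the "General" section of the report.
SAMPLE_HASHES = {
    "md5": "ef3d2ab168550010abb419edb9d1ab93",
    "sha1": "c552e7c0fd01dde456d5bc8c9d5c233af5793ba9",
    "sha256": "0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741",
}

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\0371d4f04c68e560699e6a589492bcbcee67c5188973ed102dbc791059f6f741.exe")
DROPPED_IMAGE = r"C:\Windows\SysWOW64\ttlsnetsh.exe"

# "--59305214" and "--e12c5c61" in the report: two dashes then exactly eight hex digits.
ARG_PATTERN = re.compile(r"^--[0-9a-f]{8}$")


def hash_file_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests for a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_iocs_match(data: bytes, iocs: dict = SAMPLE_HASHES) -> List[str]:
    """Names of the algorithms whose digest of `data` equals the IoC value."""
    digests = hash_file_bytes(data)
    return [algo for algo, value in iocs.items() if digests.get(algo) == value.lower()]


@dataclass
class ProcEvent:
    """Minimal process-creation record. The shape is assumed for this example."""
    pid: int
    ppid: int
    image: str
    args: Tuple[str, ...] = ()   # arguments after the image path


@dataclass
class WriteEvent:
    """Minimal cross-process memory write record (assumed shape)."""
    src_pid: int
    dst_pid: int


def find_self_injection(procs: Iterable[ProcEvent],
                        writes: Iterable[WriteEvent]) -> List[Tuple[int, int, str]]:
    """
    Return (parent_pid, child_pid, image) for every child that
      - has the same image path as its parent,
      - was started with exactly one "--<8 hex>" argument, and
      - received at least one memory write from that parent.
    A same-image child without the write, or without the argument, is not reported.
    """
    by_pid = {p.pid: p for p in procs}
    written = {(w.src_pid, w.dst_pid) for w in writes}
    hits = []
    for child in by_pid.values():
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue
        if len(child.args) != 1 or not ARG_PATTERN.match(child.args[0]):
            continue
        if (parent.pid, child.pid) in written:
            hits.append((parent.pid, child.pid, child.image))
    return hits


# Constructed events mirroring the report's process tree and WriteProcessMemory IoCs.
# ppid 0 marks the two tree roots (their parents are not in the report); PID 2000 is
# an assumed benign control that must not be flagged.
EXAMPLE_PROCS = [
    ProcEvent(792, 0, SAMPLE_IMAGE),
    ProcEvent(780, 792, SAMPLE_IMAGE, ("--59305214",)),
    ProcEvent(1472, 0, DROPPED_IMAGE),
    ProcEvent(576, 1472, DROPPED_IMAGE, ("--e12c5c61",)),
    ProcEvent(2000, 0, r"C:\Windows\System32\notepad.exe"),
]
EXAMPLE_WRITES = [WriteEvent(792, 780), WriteEvent(1472, 576)]


def run_example() -> List[Tuple[int, int, str]]:
    """Run the detection over the constructed events."""
    return find_self_injection(EXAMPLE_PROCS, EXAMPLE_WRITES)


if __name__ == "__main__":
    for parent_pid, child_pid, image in run_example():
        print(f"self-injection: {parent_pid} -> {child_pid} ({image})")
```

The two checks are deliberately independent: the hash comparison catches this exact build, while the self-spawn-plus-write rule describes the behaviour and survives a recompiled sample with new hashes. Requiring the memory write keeps the rule from firing on ordinary programs that relaunch themselves with an argument.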
Network

MITRE ATT&CK Matrix ATT&CK v6

Downloads
- memory/780-55-0x00000000769D1000-0x00000000769D3000-memory.dmp (filesize 8KB)