Analysis
- max time kernel: 4294197s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 06-03-2022 13:44
Behavioral task: behavioral1
- Sample: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
- Resource: win7-20220223-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
- Size: 57KB
- MD5: eca3eeab4055a5223286043c9fa26d64
- SHA1: f78161a91429a3b384438380a130075cd792c716
- SHA256: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca
- SHA512: dea1663c1eb15bda2eeeac71fcd7b541f3dbbaf2171b5b22d7803bf062a5f661ca4d473391deb28311df214468f33d48b91e0296cee5774e7614fd2ae97dede9
- Score: 5/10
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes: magnifyprep.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | magnifyprep.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (25 IoCs)
  Processes: magnifyprep.exe (the process column is magnifyprep.exe for every entry below)
  description | ioc
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{49C443A4-2D7F-4DCE-AA34-35C307C0CEC4}
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{49C443A4-2D7F-4DCE-AA34-35C307C0CEC4}\WpadNetworkName = "Network 3"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-1a-6b-33-1b-e4\WpadDecisionReason = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-1a-6b-33-1b-e4\WpadDecisionTime = 50333e1d6131d801
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-1a-6b-33-1b-e4
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{49C443A4-2D7F-4DCE-AA34-35C307C0CEC4}\de-1a-6b-33-1b-e4
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{49C443A4-2D7F-4DCE-AA34-35C307C0CEC4}\WpadDecisionTime = 90ad0be16031d801
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{49C443A4-2D7F-4DCE-AA34-35C307C0CEC4}\WpadDecision = "0"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-1a-6b-33-1b-e4\WpadDecisionTime = 90ad0be16031d801
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-1a-6b-33-1b-e4\WpadDetectedUrl
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{49C443A4-2D7F-4DCE-AA34-35C307C0CEC4}\WpadDecisionReason = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{49C443A4-2D7F-4DCE-AA34-35C307C0CEC4}\WpadDecisionTime = 50333e1d6131d801
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-1a-6b-33-1b-e4\WpadDecision = "0"
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: magnifyprep.exe
  pid | process
  472 | magnifyprep.exe (4 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
  pid | process
  748 | f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe, magnifyprep.exe
  description | pid | process | target process
  PID 304 wrote to memory of 748 | 304 | f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe | f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe (4 occurrences)
  PID 332 wrote to memory of 472 | 332 | magnifyprep.exe | magnifyprep.exe (4 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
    command line: --d3efd8a6
    - Suspicious behavior: RenamesItself
- [1] C:\Windows\SysWOW64\magnifyprep.exe
  command line: "C:\Windows\SysWOW64\magnifyprep.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\magnifyprep.exe
    command line: --13dbe8c4
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/748-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp (Filesize: 8KB)