Analysis
- max time kernel: 126s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 06-03-2022 13:44
Behavioral task: behavioral1
- Sample: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
- Resource: win7-20220223-en
- windows7_x64
- 0 signatures
- 0 seconds
General
- Target: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
- Size: 57KB
- MD5: eca3eeab4055a5223286043c9fa26d64
- SHA1: f78161a91429a3b384438380a130075cd792c716
- SHA256: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca
- SHA512: dea1663c1eb15bda2eeeac71fcd7b541f3dbbaf2171b5b22d7803bf062a5f661ca4d473391deb28311df214468f33d48b91e0296cee5774e7614fd2ae97dede9
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Process: themesproc.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (themesproc.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (themesproc.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (themesproc.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (themesproc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Process: themesproc.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (themesproc.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (themesproc.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (themesproc.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Process: themesproc.exe
- PID 3796 themesproc.exe (reported 10 times)

Suspicious behavior: RenamesItself (1 IoC)
Process: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe
- PID 432 f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe, themesproc.exe
- PID 3136 wrote to memory of PID 432: f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe -> f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe (reported 3 times)
- PID 3936 wrote to memory of PID 3796: themesproc.exe -> themesproc.exe (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f200fbf710facc82e730cc85d40539191f7623ec2a48056ae2759a8a28089aca.exe --d3efd8a6 (depth 2)
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\themesproc.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\themesproc.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\themesproc.exe --fc65bf52 (depth 2)
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses