Analysis
max time kernel: 4294196s
max time network: 148s
platform: windows7_x64
resource: win7-20220223-en
submitted: 06-03-2022 14:47
Behavioral task: behavioral1
Sample: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
Resource: win7-20220223-en
Platform: windows7_x64
0 signatures
0 seconds
General
Target: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
Size: 88KB
MD5: 5594fd3b929e2e30d3d70e4c0063085b
SHA1: 90dc29422eef76512b554017c015ddfabd400784
SHA256: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683
SHA512: 48f152407cfeb71c86def1ed6ae84c1703649cfa5e2d2dfcf501bba17acfdfbc59f62c53a10d6e83bf17916a62115f658d0bd0f9ace68b1b2370cdd32c0df7dd
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
Processes: editionshlp.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | editionshlp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 25 IoCs
Processes: editionshlp.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadNetworkName = "Network 3" | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1 | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecisionTime = 40608ef56b31d801 | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | editionshlp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | editionshlp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecision = "0" | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecisionTime = 80c46c186c31d801 | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecisionTime = 80c46c186c31d801 | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\82-6d-3c-cc-f4-b1 | editionshlp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecision = "0" | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | editionshlp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | editionshlp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecisionTime = 40608ef56b31d801 | editionshlp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDetectedUrl | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D} | editionshlp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadDecisionReason = "1" | editionshlp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecisionReason = "1" | editionshlp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | editionshlp.exe
-
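Triage note on the 25 registry rows above, as an added example that is not part of the sandbox report. Every row sits under HKU\.DEFAULT\...\Internet Settings (Wpad\*, Connections\*, 5.0\Cache\*, ProxyEnable = "0"), which is the state WinINet writes on its own whenever a caller goes through its auto-proxy and cache machinery; the rows say little about intent. What they do say is the execution context: HKU\.DEFAULT is the hive loaded for the LocalSystem profile, which matches the counters.dat write under C:\Windows\SysWOW64\config\systemprofile in the "Drops file" signature (that single file write is also the only file activity the report shows; nothing here supports the "likely ransomware" text of the storage-enumeration signature). The script below parses rows in the table's "action | path = value | process" layout, separates WinINet bookkeeping from a genuine proxy redirection, and reports the hive context. It goes beyond this report in one place: the AutoConfigURL/ProxyServer branch never fires on the report's rows, so CONSTRUCTED_ROW is an invented line, clearly labelled, that exercises it. REPORT_ROWS is a subset of the table (the long DefaultConnectionSettings blobs are left out); the categories are my own, not the sandbox's.

```python
"""Classify this report's "Modifies data under HKEY_USERS" rows.

Added example, not part of the sandbox report. REPORT_ROWS is a subset copied
from the report's table; CONSTRUCTED_ROW is invented here to exercise the
high-signal branch and does not appear in the report. The categories are my
own triage rule, not anything the sandbox emits.
"""
from collections import Counter

# Lower-cased prefix of WinINet's per-profile settings tree in the .DEFAULT hive.
WININET = r"\registry\user\.default\software\microsoft\windows\currentversion\internet settings"

# Copied from the report (subset), in the table's "action | path[ = value] | process" layout.
REPORT_ROWS = r"""
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5A164389-A707-4E71-9D14-319BCC4C401D}\WpadNetworkName = "Network 3" | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1 | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecisionTime = 40608ef56b31d801 | editionshlp.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | editionshlp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | editionshlp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-6d-3c-cc-f4-b1\WpadDecision = "0" | editionshlp.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | editionshlp.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | editionshlp.exe
"""

# CONSTRUCTED, not from the report: what a PAC-file proxy hijack would look like in the same layout.
CONSTRUCTED_ROW = r"""
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = "http://wpad.example.invalid/proxy.pac" | editionshlp.exe
"""

# Value names under Internet Settings that redirect traffic when written.
PROXY_VALUES = {"proxyserver", "autoconfigurl"}


def parse_rows(text):
    """Split 'action | path[ = value] | process' rows into dicts; skip anything else."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(" | ")
        if len(parts) != 3:
            continue
        action, target, process = parts
        path, sep, value = target.partition(" = ")
        events.append({"action": action, "path": path, "value": value if sep else None, "process": process})
    return events


def hive_context(path):
    """Which account's hive the write landed in (HKU\\.DEFAULT belongs to LocalSystem)."""
    p = path.lower()
    if p.startswith("\\registry\\user\\.default\\"):
        return "system-profile"
    if p.startswith("\\registry\\user\\s-1-5-21-"):
        return "user-profile"
    return "other"


def classify(ev):
    """'proxy-tamper' for a real redirection, 'wininet-bookkeeping' for WinINet's own state."""
    p = ev["path"].lower()
    if not p.startswith(WININET):
        return "outside-wininet"
    name = p.rsplit("\\", 1)[-1]
    if name in PROXY_VALUES:
        return "proxy-tamper"
    if name == "proxyenable" and ev["value"] not in (None, '"0"'):
        return "proxy-tamper"
    # Wpad\*, Connections\*, 5.0\Cache\* and ProxyEnable="0" are written by any WinINet caller.
    return "wininet-bookkeeping"


def summarize(events):
    """Count of rows per category."""
    return Counter(classify(e) for e in events)


if __name__ == "__main__":
    evs = parse_rows(REPORT_ROWS)
    print(dict(summarize(evs)), {hive_context(e["path"]) for e in evs})
    print(classify(parse_rows(CONSTRUCTED_ROW)[0]))
```

Run against the report's rows the summary is entirely "wininet-bookkeeping" in the "system-profile" hive; the constructed AutoConfigURL row is the shape that would justify escalating this signature.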
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: editionshlp.exe
pid | process
1164 | editionshlp.exe (5 entries)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
pid | process
1600 | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe, editionshlp.exe
description | pid | process | target process
PID 1616 wrote to memory of 1600 | 1616 | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1616 wrote to memory of 1600 | 1616 | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1616 wrote to memory of 1600 | 1616 | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1616 wrote to memory of 1600 | 1616 | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe | dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
PID 1160 wrote to memory of 1164 | 1160 | editionshlp.exe | editionshlp.exe
PID 1160 wrote to memory of 1164 | 1160 | editionshlp.exe | editionshlp.exe
PID 1160 wrote to memory of 1164 | 1160 | editionshlp.exe | editionshlp.exe
PID 1160 wrote to memory of 1164 | 1160 | editionshlp.exe | editionshlp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe
    command line: --2e491d45
    - Suspicious behavior: RenamesItself
C:\Windows\SysWOW64\editionshlp.exe
  command line: "C:\Windows\SysWOW64\editionshlp.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\editionshlp.exe
    command line: --1d84b00d
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
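The WriteProcessMemory rows and the process tree above fit together: each root process (the sample, then editionshlp.exe) starts a second copy of its own image whose entire command line is a short opaque token (--2e491d45, --1d84b00d) and then writes into that child's memory, which is the usual shape of a loader staging its real code in a fresh copy of itself. The script below is an added example, not part of the sandbox report, that parses the rows in the table's layout, collapses the repeated per-call entries into one record per writer/target pair, flags same-image parent-to-child writes, and picks out the tree nodes whose command line is nothing but such a token. The rows and tree nodes are copied from the report; the parser, the self-injection rule and the opaque-argument regex (a heuristic derived from the two command lines seen here) are my own, and the reading of the pattern as a loader stage is an interpretation, not something the report states.

```python
"""Triage helpers for this report's WriteProcessMemory rows and process tree.

Added example, not part of the sandbox report. The rows and tree nodes are
copied from the report; the parser, the self-injection rule and the
opaque-argument heuristic are my own assumptions about what the pattern means.
"""
import re
from collections import Counter

SAMPLE = "dae5bbe0ee7af55427e1e9dced24061dbcb701a53aff04217bdfa8cc260d6683.exe"

# Rows from "Suspicious use of WriteProcessMemory": description | pid | process | target process.
# The sandbox logs one row per API call, which is why each pair appears four times.
WPM_ROWS = "\n".join(
    [f"PID 1616 wrote to memory of 1600 | 1616 | {SAMPLE} | {SAMPLE}"] * 4
    + ["PID 1160 wrote to memory of 1164 | 1160 | editionshlp.exe | editionshlp.exe"] * 4
)

# Nodes from the "Processes" tree as (image path, command line), in report order.
TREE = [
    (rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}", rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'),
    (rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}", "--2e491d45"),
    (r"C:\Windows\SysWOW64\editionshlp.exe", r'"C:\Windows\SysWOW64\editionshlp.exe"'),
    (r"C:\Windows\SysWOW64\editionshlp.exe", "--1d84b00d"),
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \| (\d+) \| (\S+) \| (\S+)$")
# Heuristic taken from the two child command lines in this report: "--" plus 8 hex digits.
OPAQUE_ARG = re.compile(r"^--[0-9a-f]{8}$")


def parse_wpm_rows(text):
    """Parse rows into (writer_pid, target_pid, writer_image, target_image) tuples."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or separator line
        writer, target, writer_again, writer_img, target_img = m.groups()
        if writer != writer_again:
            raise ValueError(f"inconsistent row: {line!r}")
        events.append((int(writer), int(target), writer_img, target_img))
    return events


def collapse(events):
    """One record per writer->target pair, with the number of logged calls."""
    return [
        {"writer_pid": w, "target_pid": t, "writer_image": wi, "target_image": ti, "calls": n}
        for (w, t, wi, ti), n in sorted(Counter(events).items())
    ]


def self_injection(pairs):
    """Pairs where a process writes into a different process running the same image.

    The written-to child is the process to dump: it is where the next stage lands.
    """
    return [
        p for p in pairs
        if p["writer_pid"] != p["target_pid"]
        and p["writer_image"].lower() == p["target_image"].lower()
    ]


def opaque_arg_children(tree):
    """Tree nodes whose whole command line is an opaque 8-hex-digit token."""
    return [(img, cmd) for img, cmd in tree if OPAQUE_ARG.match(cmd)]


if __name__ == "__main__":
    pairs = collapse(parse_wpm_rows(WPM_ROWS))
    for p in self_injection(pairs):
        print(f"{p['writer_pid']} -> {p['target_pid']} ({p['writer_image']}), {p['calls']} calls")
    for img, cmd in opaque_arg_children(TREE):
        print(f"stage-2 candidate: {img} {cmd}")
```

Both flagged pairs line up with the two opaque-argument children, so the memory dump worth pulling is from PIDs 1600 and 1164 rather than from the roots that did the writing.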
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1600-54-0x0000000076731000-0x0000000076733000-memory.dmp
Filesize: 8KB