Analysis
max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 06-03-2022 19:17
Behavioral task: behavioral1
Sample: 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
Resource: win7-en-20211208
Platform: windows7_x64
0 signatures
0 seconds
General
Target: 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
Size: 74KB
MD5: 941082c4fd2be8cde0d3ce31ffbb061d
SHA1: 5e202467d3194365c0d7288d32c83a11139f18c1
SHA256: 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed
SHA512: 29c794ffa01c15a4bf2f392430f1146df13e1208eace8e20ffc8005fbe8807f2d47a526a5fe690cf10c1ab349b05f07d4019295b440baa4b143428418da4582c
Malware Config
Signatures

- Drops file in System32 directory (4 IoCs)
Processes: malertmalert.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | malertmalert.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | malertmalert.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | malertmalert.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | malertmalert.exe

- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (3 IoCs)
Processes: malertmalert.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | malertmalert.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | malertmalert.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | malertmalert.exe

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: malertmalert.exe
pid | process
2816 | malertmalert.exe (the same entry is listed 16 times)

- Suspicious behavior: RenamesItself (1 IoCs)
Processes: 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
pid | process
1712 | 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe, malertmalert.exe
description | pid | process | target process
PID 1488 wrote to memory of 1712 | 1488 | 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe | 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
PID 1488 wrote to memory of 1712 | 1488 | 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe | 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
PID 1488 wrote to memory of 1712 | 1488 | 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe | 82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
PID 2712 wrote to memory of 2816 | 2712 | malertmalert.exe | malertmalert.exe
PID 2712 wrote to memory of 2816 | 2712 | malertmalert.exe | malertmalert.exe
PID 2712 wrote to memory of 2816 | 2712 | malertmalert.exe | malertmalert.exe
Processes

C:\Users\Admin\AppData\Local\Temp\82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe"
  PID: 1488
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\82e24a083f89928b77dcdd9b4f69536197709755b456bb5565a04cee7f3a6bed.exe
    command line: --e61115fa
    PID: 1712
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\malertmalert.exe
  command line: "C:\Windows\SysWOW64\malertmalert.exe"
  PID: 2712
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\malertmalert.exe
    command line: --1fabb3f0
    PID: 2816
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses