Analysis
- max time kernel: 149s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-04-2022 17:12
Static task: static1
Behavioral task: behavioral1
  Sample: 333d29ffe93e71b521057698adf722e3.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 333d29ffe93e71b521057698adf722e3.exe
  Resource: win10v2004-20220414-en
General
- Target: 333d29ffe93e71b521057698adf722e3.exe
- Size: 1.9MB
- MD5: 333d29ffe93e71b521057698adf722e3
- SHA1: 61e2f011274d734599209767ab76cad136e8a94f
- SHA256: 5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab
- SHA512: ce17e506574e6f118ea735d748e4b79b83dfb20d066b30c63f7942fe5c5172f3c4cb7dd3bfeaa16ccf77e48b81f5ba8d57ad512163d48261708a622baed9409d
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes (pid / process):
    1516  cmd.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)
    \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Windows/Themes/TranscodedWallpaper.jpg"
    333d29ffe93e71b521057698adf722e3.exe
- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes (pid / process):
    1740  NOTEPAD.EXE
    1692  NOTEPAD.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
    Token: 33                          836  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  836  AUDIODG.EXE
    Token: 33                          836  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  836  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 916 wrote to memory of 1516    916   333d29ffe93e71b521057698adf722e3.exe  cmd.exe
    PID 916 wrote to memory of 1516    916   333d29ffe93e71b521057698adf722e3.exe  cmd.exe
    PID 916 wrote to memory of 1516    916   333d29ffe93e71b521057698adf722e3.exe  cmd.exe
    PID 916 wrote to memory of 1516    916   333d29ffe93e71b521057698adf722e3.exe  cmd.exe
    PID 1516 wrote to memory of 1636   1516  cmd.exe                               PING.EXE
    PID 1516 wrote to memory of 1636   1516  cmd.exe                               PING.EXE
    PID 1516 wrote to memory of 1636   1516  cmd.exe                               PING.EXE
    PID 1516 wrote to memory of 1636   1516  cmd.exe                               PING.EXE
Processes (tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\333d29ffe93e71b521057698adf722e3.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\333d29ffe93e71b521057698adf722e3.exe"
  Signatures: Sets desktop wallpaper using registry; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\333d29ffe93e71b521057698adf722e3.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command: ping 1.1.1.1 -n 1 -w 3000
      Signatures: Runs ping.exe
- C:\Windows\system32\NOTEPAD.EXE
  Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\explorer.exe
  Command: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command: C:\Windows\system32\AUDIODG.EXE 0x180
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\README.txt
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\explorer.exe
  Command: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\README.txt
  Filesize: 956B
  MD5: fccd1cd655652d4d8822aeb7622fdd91
  SHA1: f2cd0749407a7326d9d32251b8f0d2773d3280dc
  SHA256: eceb0795627f1e574fe1951206981e80ba3377f2cb8acdf9055a93ea7d17216b
  SHA512: 53e8f54159068e40f3f6778be57449fbb362683a0daf0c81d5f7c3f6da134c1e14f3077084d268abe4ac9805c8bcdeb85d808ebd2b6daa5b96ea1dfe729558df
- C:\Users\Admin\Documents\README.txt
  Filesize: 956B
  MD5: fccd1cd655652d4d8822aeb7622fdd91
  SHA1: f2cd0749407a7326d9d32251b8f0d2773d3280dc
  SHA256: eceb0795627f1e574fe1951206981e80ba3377f2cb8acdf9055a93ea7d17216b
  SHA512: 53e8f54159068e40f3f6778be57449fbb362683a0daf0c81d5f7c3f6da134c1e14f3077084d268abe4ac9805c8bcdeb85d808ebd2b6daa5b96ea1dfe729558df
- memory/1516-54-0x0000000000000000-mapping.dmp
- memory/1636-55-0x0000000000000000-mapping.dmp
- memory/1740-56-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp
  Filesize: 8KB