Analysis

- Max time kernel: 141s
- Max time network: 157s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 28-05-2022 03:03

Tasks

- Static task: static1
- Behavioral task: behavioral1
- Sample: 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures, 0 seconds
General

- Target: 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe
- Size: 518KB
- MD5: 8647fb1f37889c92cb70b6e82dac1cdd
- SHA1: 255ac2d361f3264c477ce1a476b864af45f5de51
- SHA256: 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290
- SHA512: e8a24a94dcf7a4e09e35125d4cebfbe329c87dbc668dea802812b37c98733b517fe52331a9729acfdae0829dae067631c31fa94a65073ca90f9dfae526d8a0c7
Malware Config
Signatures
Drops file in System32 directory (1 IoC)

Processes:

Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | attribiwamreg.exe
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (18 IoCs)

Processes:

Description | IoC | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | attribiwamreg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | attribiwamreg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | attribiwamreg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-c2-5c-ed-f9-91\WpadDecisionReason = "1" | attribiwamreg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | attribiwamreg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | attribiwamreg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8B45D76-266A-4413-8BAE-9A69A1EE9635} | attribiwamreg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | attribiwamreg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8B45D76-266A-4413-8BAE-9A69A1EE9635}\WpadDecisionReason = "1" | attribiwamreg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8B45D76-266A-4413-8BAE-9A69A1EE9635}\WpadNetworkName = "Network 2" | attribiwamreg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-c2-5c-ed-f9-91 | attribiwamreg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-c2-5c-ed-f9-91\WpadDecisionTime = 8070f5896672d801 | attribiwamreg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | attribiwamreg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ab000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | attribiwamreg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8B45D76-266A-4413-8BAE-9A69A1EE9635}\WpadDecisionTime = 8070f5896672d801 | attribiwamreg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8B45D76-266A-4413-8BAE-9A69A1EE9635}\WpadDecision = "0" | attribiwamreg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8B45D76-266A-4413-8BAE-9A69A1EE9635}\02-c2-5c-ed-f9-91 | attribiwamreg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-c2-5c-ed-f9-91\WpadDecision = "0" | attribiwamreg.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

Processes:

PID | Process
336 | 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe
1660 | 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe
948 | attribiwamreg.exe
1164 | attribiwamreg.exe
1164 | attribiwamreg.exe
1164 | attribiwamreg.exe
Suspicious behavior: RenamesItself (1 IoC)

Processes:

PID | Process
1660 | 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe
Suspicious use of WriteProcessMemory (8 IoCs)

Processes:

Description | PID | Process | Target procid
PID 336 wrote to memory of 1660 | 336 | 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe | 28
PID 336 wrote to memory of 1660 | 336 | 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe | 28
PID 336 wrote to memory of 1660 | 336 | 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe | 28
PID 336 wrote to memory of 1660 | 336 | 02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe | 28
PID 948 wrote to memory of 1164 | 948 | attribiwamreg.exe | 30
PID 948 wrote to memory of 1164 | 948 | attribiwamreg.exe | 30
PID 948 wrote to memory of 1164 | 948 | attribiwamreg.exe | 30
PID 948 wrote to memory of 1164 | 948 | attribiwamreg.exe | 30
Processes

- C:\Users\Admin\AppData\Local\Temp\02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe (PID 336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe (PID 1660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\02b969c4d126d1b50d6e7092282064d3c3127a6c4b70b5420fe5ae8033b4a290.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\attribiwamreg.exe (PID 948)
  Command line: "C:\Windows\SysWOW64\attribiwamreg.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\attribiwamreg.exe (PID 1164)
    Command line: "C:\Windows\SysWOW64\attribiwamreg.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses