Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-06-2022 22:05
Static task: static1
Behavioral task: behavioral1
- Sample: 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe
- Resource: win10v2004-20220414-en
General
- Target: 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe
- Size: 674KB
- MD5: 83177ea87fa257f3b6e27fb04b369f67
- SHA1: 79bb15633abe7847ef777be757be74a47d35e616
- SHA256: 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a
- SHA512: afbf1431f638cc91f33c7369f642f63354722ecfa4f86e9f18cf205187da0f6067033f05b28e55d3a2b1a7cf55bcce16c92da1d4a1d70df63e3fc5ad689ee528
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  set thread context of 648 | 1808 | 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe | 29
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  944 | schtasks.exe
- Modifies system certificate store (registry IoCs)
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e98
7d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 
0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f09
3c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe -
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  wrote to memory of 944 | 1808 | 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe | 27 (4 times)
  wrote to memory of 648 | 1808 | 2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe | 29 (12 times)
  wrote to memory of 1996 | 648 | RegAsm.exe | 31 (4 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2caa904fe2166ae690b64e54b6388b8e617f3af8ef0e09c82ea4ff5421292b0a.exe"
  PID: 1808
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\dhetpoi" /XML "C:\Users\Admin\AppData\Local\Temp\z60"
    PID: 944
    - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 648
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 860
      PID: 1996
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 008d34ca449f4970bad4cff695e2da25
  SHA1: 4ab3813a56c35456338f3a005d93bbe4048fe2cb
  SHA256: efa8ff8e26176ae4fa2a46b92bddefd83746059e61520ad229705d03eedf47f1
  SHA512: a0a72322f456c86f7ab56400bef58fa0a32133f2a504ceeec4d10e2abe4c0ce2c21c9f4fdc07ab9dba7685bf5f8756a84f7e2b0b646ea951deab0724a7578f0e