Analysis

- Max time kernel: 146s
- Max time network: 155s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 08-07-2022 06:11

Static task: static1
Behavioral task: behavioral1
- Sample: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General

- Target: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe
- Size: 172KB
- MD5: 4d6ece858531b5b9040841db3419fd1c
- SHA1: 1ff0bb7169b26962457ed996c5a7aaf3f69aeee0
- SHA256: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728
- SHA512: 5f4b3abd23f4572b842abd0c14ebb7fb7cdc2f5d288991fb7ea52ff415193a766567646d9b34529b16bbd5d4adc4d1f0b6847e9d8001a798ae1bc0e1c047075e
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
Process: tsdtaupe.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (18 IoCs)
Process: tsdtaupe.exe
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D6029F8-E96C-44DF-8D85-CFA520C9AF43}\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D6029F8-E96C-44DF-8D85-CFA520C9AF43}\WpadNetworkName = "Network 3"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-3d-2f-73-16-36
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-3d-2f-73-16-36\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-3d-2f-73-16-36\WpadDecisionReason = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D6029F8-E96C-44DF-8D85-CFA520C9AF43}\d2-3d-2f-73-16-36
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0067000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D6029F8-E96C-44DF-8D85-CFA520C9AF43}
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D6029F8-E96C-44DF-8D85-CFA520C9AF43}\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D6029F8-E96C-44DF-8D85-CFA520C9AF43}\WpadDecisionTime = c0e61d06d292d801
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-3d-2f-73-16-36\WpadDecisionTime = c0e61d06d292d801

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe, tsdtaupe.exe
- PID 1400: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe
- PID 556: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe
- PID 1928: tsdtaupe.exe
- PID 1800: tsdtaupe.exe
- PID 1800: tsdtaupe.exe
- PID 1800: tsdtaupe.exe
- PID 1800: tsdtaupe.exe

Suspicious behavior: RenamesItself (1 IoC)
Process: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe
- PID 556: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe, tsdtaupe.exe
- PID 1400 wrote to memory of 556 (414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe, target process id 27)
- PID 1400 wrote to memory of 556 (414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe, target process id 27)
- PID 1400 wrote to memory of 556 (414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe, target process id 27)
- PID 1400 wrote to memory of 556 (414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe, target process id 27)
- PID 1928 wrote to memory of 1800 (tsdtaupe.exe, target process id 29)
- PID 1928 wrote to memory of 1800 (tsdtaupe.exe, target process id 29)
- PID 1928 wrote to memory of 1800 (tsdtaupe.exe, target process id 29)
- PID 1928 wrote to memory of 1800 (tsdtaupe.exe, target process id 29)
Processes

- C:\Users\Admin\AppData\Local\Temp\414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe (PID 1400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe (PID 556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\414bb592b0111434f9c95e6e396af03803bfc38a5d55fda282142b7186724728.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\tsdtaupe.exe (PID 1928)
  Command line: "C:\Windows\SysWOW64\tsdtaupe.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\tsdtaupe.exe (PID 1800)
    Command line: "C:\Windows\SysWOW64\tsdtaupe.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses