Analysis
max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 22:11
Static task: static1
Behavioral task: behavioral1
Sample: 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe
Resource: win7-20220718-en (windows7-x64)
11 signatures, 150 seconds
General
Target: 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe
Size: 108KB
MD5: 8f239042985d8da29817e59008e6a544
SHA1: f2b0ce7f8898a0b564fb1e5931263324564d04b7
SHA256: 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092
SHA512: a3f71811569e40bd165240a89d3f3f9b228dae59a0692629698110a6662fcc26a36cb47a5eb01fe651c54f6886214316d3a0c0d1ea30d7d5428c699ff84d92cb
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Processes: commentribbon.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | commentribbon.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | commentribbon.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | commentribbon.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | commentribbon.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Processes: commentribbon.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | commentribbon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | commentribbon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | commentribbon.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: commentribbon.exe
pid | process
988 | commentribbon.exe (the same entry is reported 16 times)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe
pid | process
3136 | 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe, commentribbon.exe
description | pid | process | target process
PID 1516 wrote to memory of 3136 | 1516 | 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe | 957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe (reported 3 times)
PID 1488 wrote to memory of 988 | 1488 | commentribbon.exe | commentribbon.exe (reported 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1516
    C:\Users\Admin\AppData\Local\Temp\957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe
      command line: C:\Users\Admin\AppData\Local\Temp\957c137897960cb39605fee65c5edbd57c0f94ed39a77ae219abef1deef0d092.exe --5ddbd1a8
      - Suspicious behavior: RenamesItself
      PID: 3136

C:\Windows\SysWOW64\commentribbon.exe
  command line: "C:\Windows\SysWOW64\commentribbon.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1488
    C:\Windows\SysWOW64\commentribbon.exe
      command line: C:\Windows\SysWOW64\commentribbon.exe --acf8ce4b
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 988
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/988-135-0x0000000000000000-mapping.dmp
memory/988-137-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/988-138-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/1516-130-0x0000000002160000-0x0000000002171000-memory.dmp (Filesize: 68KB)
memory/1516-133-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
memory/1516-132-0x0000000002160000-0x0000000002171000-memory.dmp (Filesize: 68KB)
memory/3136-131-0x0000000000000000-mapping.dmp
memory/3136-134-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
memory/3136-136-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)