Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 22:33

Behavioral task: behavioral1

- Sample: ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
- Resource: win7-20220718-en (windows7-x64)
- 8 signatures, 150 seconds

Note: the analysis header records a Windows 10 2004 x64 image while the behavioral task header records win7-20220718-en; the page lists both and does not reconcile them. Only six of the eight signatures are reproduced on this page.
General

- Target: ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
- Size: 61KB
- MD5: b6b3b7ab04cab7927e043a3a1fe795a6
- SHA1: c7e23a585698078df1dcc734a78044b04541495c
- SHA256: ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c
- SHA512: 7d851bf0c9503b64525e5294abda713655169cec57cadc282275c1851cdb253d0fc7968551fb2c0c42f9d70efeb3960ff225328a805f94a83045fe0ed641483f
Malware Config
Signatures

- Drops file in System32 directory (4 IoCs)
  Process: routerfoot.exe (PID 4752 in the process tree below)

  description                   ioc                                                                                            process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies            routerfoot.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5    routerfoot.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  routerfoot.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE           routerfoot.exe

  Caveat: all four paths are the WinINet cookie, history and cache folders under the SYSTEM account's profile (config\systemprofile, reached through SysWOW64 because the process is 32-bit and subject to file system redirection). Together with the HKEY_USERS\.DEFAULT Internet Settings writes below, this is what a 32-bit process using WinINet produces when it runs without a loaded user profile, typically under LocalSystem. It is therefore consistent with routerfoot.exe running as SYSTEM and initialising HTTP client state, not with a payload being written into System32; the page records no file creation in System32 itself and does not record the account routerfoot.exe runs under.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Caveat: that sentence is the signature's generic description. Nothing else on this page (no file encryption, no mass file writes, no ransom note) supports a ransomware verdict, and drive enumeration is equally common for host fingerprinting and VM/sandbox checks. Treat it as a lead, not a classification.

- Modifies data under HKEY_USERS (3 IoCs)
  Process: routerfoot.exe (PID 4752)

  description      ioc                                                                                                                 value       process
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix   "Cookie:"   routerfoot.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix   "Visited:"  routerfoot.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix   (no value recorded)  routerfoot.exe

  These three CachePrefix values are the standard WinINet cache-initialisation writes; under .DEFAULT they indicate the writing process had no user hive loaded (see the caveat above).

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  All 16 entries are the same process: PID 4752 routerfoot.exe.

- Suspicious behavior: RenamesItself (1 IoC)
  PID 4508 ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe (the child instance started with --addfee7b). The page does not show the rename target, so the link to C:\Windows\SysWOW64\routerfoot.exe is plausible but not recorded here.

- Suspicious use of WriteProcessMemory (6 IoCs)

  description         source PID  source process                                                          target PID  target process                                                          recorded
  wrote to memory of  4560        ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe   4508        ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe   3 times
  wrote to memory of  4828        routerfoot.exe                                                          4752        routerfoot.exe                                                          3 times

  In both pairs the parent writes into a freshly started copy of its own image that was launched with a different command line (see the process tree). That is consistent with a loader that relaunches itself and injects a second stage into the child, but the page does not show what was written or where.
Processes

C:\Users\Admin\AppData\Local\Temp\ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe"
  PID: 4560
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe
      command line: C:\Users\Admin\AppData\Local\Temp\ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe --addfee7b
      PID: 4508
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\routerfoot.exe
  command line: "C:\Windows\SysWOW64\routerfoot.exe"
  PID: 4828
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\routerfoot.exe
      command line: C:\Windows\SysWOW64\routerfoot.exe --1d6be269
      PID: 4752
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

Reading the tree: both executables follow the same two-stage pattern. The first instance (4560, 4828) starts a second copy of the same image with a short hex-looking argument (--addfee7b, --1d6be269) and writes into that child's memory; the child is where the observable behaviour happens (rename of the original sample, SYSTEM-profile WinINet setup and process enumeration by routerfoot.exe). routerfoot.exe appears as a separate top-level process, so whatever started it was outside the captured tree; the page does not record how it got into SysWOW64 or what launched it.
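The two behaviours the WriteProcessMemory signature and the process tree record, as detection logic over telemetry. This is an added example, not code from the sandbox or from the sample: the event layout is a constructed simplification of Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess), the PIDs, images and arguments mirror the tree above, and the GrantedAccess masks, the parent PIDs 1000 and 652 and the binary inventory are made-up assumptions. The page itself only says "wrote to memory of", so gating on PROCESS_VM_WRITE is a modelling choice about the telemetry source, not something the report states.

```python
"""Flag (1) a process that relaunches its own image with a different command
line and then opens that child with write access, and (2) an executable
running from System32/SysWOW64 that is not on a binary inventory.

Added example; constructed events modelled on the sandbox report's process
tree. Field names follow a simplified Sysmon layout and are assumptions."""

SAMPLE = "ae90a26f50161558cba0cc3a4e8e5d58b5cbb25cd73b2e433ec8117206981d9c.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
ROUTERFOOT = r"C:\Windows\SysWOW64\routerfoot.exe"

# Access right WriteProcessMemory needs on the target handle. Checking it is
# an assumption about how the telemetry exposes the call; the report does not
# show access masks.
PROCESS_VM_WRITE = 0x0020

# Constructed allow-list; a real deployment would use a signed-binary inventory.
KNOWN_SYSTEM_BINARIES = {"notepad.exe", "svchost.exe", "rundll32.exe"}
SYSTEM_DIRS = (r"c:\windows\system32\\"[:-1], r"c:\windows\syswow64\\"[:-1])

# Constructed events (PIDs and command lines from the report; masks and the
# parent PIDs 1000/652 are invented).
EVENTS = [
    {"type": "create", "pid": 4560, "ppid": 1000, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}"'},
    {"type": "create", "pid": 4508, "ppid": 4560, "image": SAMPLE_PATH,
     "cmdline": SAMPLE_PATH + " --addfee7b"},
    {"type": "access", "source_pid": 4560, "target_pid": 4508, "granted": 0x1FFFFF},
    {"type": "create", "pid": 4828, "ppid": 652, "image": ROUTERFOOT,
     "cmdline": f'"{ROUTERFOOT}"'},
    {"type": "create", "pid": 4752, "ppid": 4828, "image": ROUTERFOOT,
     "cmdline": ROUTERFOOT + " --1d6be269"},
    {"type": "access", "source_pid": 4828, "target_pid": 4752, "granted": 0x1FFFFF},
    # Benign control: a user process starting notepad from System32.
    {"type": "create", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    # Benign control: PROCESS_QUERY_INFORMATION only, no write right.
    {"type": "access", "source_pid": 1000, "target_pid": 5000, "granted": 0x0400},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_relaunch_injection(events):
    """Return (parent_pid, child_pid, image) for every parent that spawned a
    copy of its own image with a different command line and then obtained a
    write-capable handle to that child: the pattern behind the report's two
    WriteProcessMemory entries."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    hits = []
    for e in events:
        if e["type"] != "access" or not e["granted"] & PROCESS_VM_WRITE:
            continue
        src, dst = procs.get(e["source_pid"]), procs.get(e["target_pid"])
        if src is None or dst is None or dst["ppid"] != src["pid"]:
            continue
        if (src["image"].lower() == dst["image"].lower()
                and src["cmdline"] != dst["cmdline"]):
            hits.append((src["pid"], dst["pid"], basename(dst["image"])))
    return hits


def find_unknown_system_dir_binaries(events):
    """Return images executed from System32 or SysWOW64 that are not on the
    inventory, which is how routerfoot.exe would surface on a host."""
    found = set()
    for e in events:
        if e["type"] != "create":
            continue
        image = e["image"].lower()
        if image.startswith(SYSTEM_DIRS) and basename(image) not in KNOWN_SYSTEM_BINARIES:
            found.add(e["image"])
    return sorted(found)


if __name__ == "__main__":
    for parent, child, image in find_self_relaunch_injection(EVENTS):
        print(f"self-relaunch + memory write: {image} pid {parent} -> pid {child}")
    for image in find_unknown_system_dir_binaries(EVENTS):
        print(f"unexpected binary in system directory: {image}")
```

Both checks fire on the constructed events exactly where the report's tree does: 4560 into 4508 for the sample, 4828 into 4752 for routerfoot.exe, and routerfoot.exe as the one non-inventoried image under SysWOW64. The notepad control shows why the inventory matters: a bare "runs from System32" rule is noise, whereas a parent writing into a same-image child with a different command line is rare enough in legitimate software to alert on directly.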