Analysis
- max time kernel: 141s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2022 22:34
Behavioral task: behavioral1
- Sample: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
- Resource: win7-20220718-en
- windows7-x64
- 7 signatures
- 150 seconds
General
- Target: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
- Size: 59KB
- MD5: a2c47f6ffe53125d0dc415d5850ca2b8
- SHA1: 2fd768534db11f92fbd55b085652bf39a08a0bea
- SHA256: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002
- SHA512: bbafc1c36217d1b7d52d8954118a4425752f87efd7d0cc4067c4338d86f19d54ab671ecdc42cec93d82d5612754e8797121e2f05b5bffe9899c7cf27ab9deba9
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
Processes: aposound.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: aposound.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (21 IoCs)
Processes: aposound.exe
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: aposound.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadDecision = "0" (process: aposound.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\1a-87-9c-f9-89-17 (process: aposound.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: aposound.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (process: aposound.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: aposound.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17 (process: aposound.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17\WpadDecisionReason = "1" (process: aposound.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (process: aposound.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (process: aposound.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (process: aposound.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: aposound.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadNetworkName = "Network 3" (process: aposound.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17\WpadDecision = "0" (process: aposound.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (process: aposound.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (process: aposound.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (process: aposound.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE} (process: aposound.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadDecisionReason = "1" (process: aposound.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EEF80D3-138B-418F-AD92-0CB3E092E7FE}\WpadDecisionTime = 80351ca293a0d801 (process: aposound.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-87-9c-f9-89-17\WpadDecisionTime = 80351ca293a0d801 (process: aposound.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: aposound.exe
- pid 1944, process aposound.exe
- pid 1944, process aposound.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe
- pid 1144, process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe, aposound.exe
- PID 768 wrote to memory of 1144 (pid 768, process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe, target process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe)
- PID 768 wrote to memory of 1144 (pid 768, process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe, target process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe)
- PID 768 wrote to memory of 1144 (pid 768, process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe, target process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe)
- PID 768 wrote to memory of 1144 (pid 768, process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe, target process 9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe)
- PID 1756 wrote to memory of 1944 (pid 1756, process aposound.exe, target process aposound.exe)
- PID 1756 wrote to memory of 1944 (pid 1756, process aposound.exe, target process aposound.exe)
- PID 1756 wrote to memory of 1944 (pid 1756, process aposound.exe, target process aposound.exe)
- PID 1756 wrote to memory of 1944 (pid 1756, process aposound.exe, target process aposound.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe "C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9c33560693e80b82e246d75609e4e35c8d6d0f804df7a75a9e99fecdacc44002.exe --9f5ded2d
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\aposound.exe "C:\Windows\SysWOW64\aposound.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\aposound.exe --9f1fe0e1
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses