Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 03:36
Behavioral task: behavioral1
- Sample: 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
- Resource: win7-20220718-en (windows7-x64)
- 9 signatures
- 150 seconds
General
- Target: 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
- Size: 65KB
- MD5: 91e8195bd71c046a45f994b786e257a7
- SHA1: 6b9f8e04de0a349a65773c19c15a727eaa5b5244
- SHA256: 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905
- SHA512: 98ea3dad053159b2a01de9724a55bfa58b5d844a9e8e1484e7eaa492a13c05ebf6824f184c988b3a52180a912d34685a418ec7a05efa81739c7941d63c677cb1
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: grouppublish.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | grouppublish.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | grouppublish.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | grouppublish.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | grouppublish.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: grouppublish.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | grouppublish.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | grouppublish.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | grouppublish.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: grouppublish.exe
  pid | process
  4752 | grouppublish.exe (reported 12 times)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
  pid | process
  4396 | 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe, grouppublish.exe
  description | pid | process | target process
  PID 2264 wrote to memory of 4396 | 2264 | 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe | 6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe (reported 3 times)
  PID 4736 wrote to memory of 4752 | 4736 | grouppublish.exe | grouppublish.exe (reported 3 times)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\6e8c0a21a723bf61fe5fd90005b4f38b61e8390341d34c51154d4861e4043905.exe
    command line: ... --e56fb756
    - Suspicious behavior: RenamesItself
- [1] C:\Windows\SysWOW64\grouppublish.exe
  command line: "C:\Windows\SysWOW64\grouppublish.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\grouppublish.exe
    command line: ... --340ec782
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses