Analysis
max time kernel: 151s
max time network: 144s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 04:32
Static task: static1
Behavioral task: behavioral1
  Sample: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
  Resource: win10v2004-20220812-en
General
Target: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
Size: 115KB
MD5: 5ed0c11008735405eb7da211006c0ce4
SHA1: 60f9d5879c5fbb25f3a646de35476ad10e065963
SHA256: 5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597
SHA512: 9094b7ec634fbb7cd659d54f065feb9b1ccf0c25de808ff068550d639ec3f58dc66f16cfcaf4fba829fd074c17a02b1af5c11db811229f59cb1deca9e8c0fc84
SSDEEP: 1536:VKseKSZFwjA2er/0O8/oPKBJAgHFYpExXLE+wEGwqoiClW71r:XXSZ6LeN8/oPKBBHFYWxXo4q0o7V
Malware Config
Signatures
-
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
  File created: C:\Users\Admin\Pictures\AssertSelect.crw.givemenitro
  File created: C:\Users\Admin\Pictures\ConnectPublish.raw.givemenitro
  File created: C:\Users\Admin\Pictures\HideRestore.tif.givemenitro
  File created: C:\Users\Admin\Pictures\MergeResolve.tiff.givemenitro
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Process: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Drops desktop.ini file(s) (3 IoCs)
Process: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
  File opened for modification: C:\Users\Admin\Desktop\desktop.ini
  File opened for modification: C:\Users\Admin\Pictures\desktop.ini
  File opened for modification: C:\Users\Admin\Documents\desktop.ini
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 3: api.ipify.org
  flow 4: api.ipify.org
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
  pid 748 (recorded twice)
Suspicious use of AdjustPrivilegeToken (41 IoCs)
Processes: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe, WMIC.exe
  Token: SeDebugPrivilege, pid 748, HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
  Token: SeIncreaseQuotaPrivilege, pid 1572, WMIC.exe
  Token: SeSecurityPrivilege, pid 1572, WMIC.exe
  Token: SeTakeOwnershipPrivilege, pid 1572, WMIC.exe
  Token: SeLoadDriverPrivilege, pid 1572, WMIC.exe
  Token: SeSystemProfilePrivilege, pid 1572, WMIC.exe
  Token: SeSystemtimePrivilege, pid 1572, WMIC.exe
  Token: SeProfSingleProcessPrivilege, pid 1572, WMIC.exe
  Token: SeIncBasePriorityPrivilege, pid 1572, WMIC.exe
  Token: SeCreatePagefilePrivilege, pid 1572, WMIC.exe
  Token: SeBackupPrivilege, pid 1572, WMIC.exe
  Token: SeRestorePrivilege, pid 1572, WMIC.exe
  Token: SeShutdownPrivilege, pid 1572, WMIC.exe
  Token: SeDebugPrivilege, pid 1572, WMIC.exe
  Token: SeSystemEnvironmentPrivilege, pid 1572, WMIC.exe
  Token: SeRemoteShutdownPrivilege, pid 1572, WMIC.exe
  Token: SeUndockPrivilege, pid 1572, WMIC.exe
  Token: SeManageVolumePrivilege, pid 1572, WMIC.exe
  Token: 33, pid 1572, WMIC.exe
  Token: 34, pid 1572, WMIC.exe
  Token: 35, pid 1572, WMIC.exe
  (The same 20 WMIC.exe token entries are recorded a second time, giving 41 IoCs in total.)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe, cmd.exe
  PID 748 (HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe) wrote to memory of PID 1708 (cmd.exe), recorded 4 times
  PID 1708 (cmd.exe) wrote to memory of PID 1572 (WMIC.exe), recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-5221cbfcd9be738e23a42dd9cda8aa1a9b085c05bf3e0f43b593e2f1e6909597.exe"
   - Modifies extensions of user files
   - Adds Run key to start application
   - Drops desktop.ini file(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Wbem\WMIC.exe
         Command line: wmic csproduct get uuid
         - Suspicious use of AdjustPrivilegeToken