Analysis
-
max time kernel
107s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2022 04:32
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe
Resource
win10v2004-20220901-en
General
-
Target
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe
-
Size
63KB
-
MD5
5ac0232ae6cd6380c135ebcb607de9e3
-
SHA1
44e7ee71128c2f1948490016d50175ffb45acb35
-
SHA256
158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7
-
SHA512
9b7002830d70c74176afe292673fff18856843c79ea1eb5278f19a16301c8e2e542f6b772730a7db0a0405910c351baeb85fc157fc737fba48f96bebcc7aaa5b
-
SSDEEP
768:cMm3L4o3g/vXNbINb0ZX+pKIzLDwUzc80gmq3oP/oDI:cMm0Ec/NRur/0O8/oM
Malware Config
Signatures
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exedescription ioc process File created C:\Users\Admin\Pictures\ExitUnprotect.png.givemenitro HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe File created C:\Users\Admin\Pictures\OptimizeAssert.tif.givemenitro HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe File created C:\Users\Admin\Pictures\ResetWrite.crw.givemenitro HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe File created C:\Users\Admin\Pictures\RestartUndo.raw.givemenitro HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe\"" HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe -
Drops desktop.ini file(s) 5 IoCs
Processes:
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 api.ipify.org 23 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exepid process 3444 HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe 3444 HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exeWMIC.exedescription pid process Token: SeDebugPrivilege 3444 HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe Token: SeIncreaseQuotaPrivilege 5112 WMIC.exe Token: SeSecurityPrivilege 5112 WMIC.exe Token: SeTakeOwnershipPrivilege 5112 WMIC.exe Token: SeLoadDriverPrivilege 5112 WMIC.exe Token: SeSystemProfilePrivilege 5112 WMIC.exe Token: SeSystemtimePrivilege 5112 WMIC.exe Token: SeProfSingleProcessPrivilege 5112 WMIC.exe Token: SeIncBasePriorityPrivilege 5112 WMIC.exe Token: SeCreatePagefilePrivilege 5112 WMIC.exe Token: SeBackupPrivilege 5112 WMIC.exe Token: SeRestorePrivilege 5112 WMIC.exe Token: SeShutdownPrivilege 5112 WMIC.exe Token: SeDebugPrivilege 5112 WMIC.exe Token: SeSystemEnvironmentPrivilege 5112 WMIC.exe Token: SeRemoteShutdownPrivilege 5112 WMIC.exe Token: SeUndockPrivilege 5112 WMIC.exe Token: SeManageVolumePrivilege 5112 WMIC.exe Token: 33 5112 WMIC.exe Token: 34 5112 WMIC.exe Token: 35 5112 WMIC.exe Token: 36 5112 WMIC.exe Token: SeIncreaseQuotaPrivilege 5112 WMIC.exe Token: SeSecurityPrivilege 5112 WMIC.exe Token: SeTakeOwnershipPrivilege 5112 WMIC.exe Token: SeLoadDriverPrivilege 5112 WMIC.exe Token: SeSystemProfilePrivilege 5112 WMIC.exe Token: SeSystemtimePrivilege 5112 WMIC.exe Token: SeProfSingleProcessPrivilege 5112 WMIC.exe Token: SeIncBasePriorityPrivilege 5112 WMIC.exe Token: SeCreatePagefilePrivilege 5112 WMIC.exe Token: SeBackupPrivilege 5112 WMIC.exe Token: SeRestorePrivilege 5112 WMIC.exe Token: SeShutdownPrivilege 5112 WMIC.exe Token: SeDebugPrivilege 5112 WMIC.exe Token: SeSystemEnvironmentPrivilege 5112 WMIC.exe Token: SeRemoteShutdownPrivilege 5112 WMIC.exe Token: SeUndockPrivilege 5112 WMIC.exe Token: SeManageVolumePrivilege 5112 WMIC.exe Token: 33 5112 WMIC.exe Token: 34 5112 WMIC.exe Token: 35 5112 WMIC.exe Token: 36 5112 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.execmd.exedescription pid process target process PID 3444 wrote to memory of 4288 3444 HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe cmd.exe PID 3444 wrote to memory of 4288 3444 HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe cmd.exe PID 3444 wrote to memory of 4288 3444 HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe cmd.exe PID 4288 wrote to memory of 5112 4288 cmd.exe WMIC.exe PID 4288 wrote to memory of 5112 4288 cmd.exe WMIC.exe PID 4288 wrote to memory of 5112 4288 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Gen.gen-158ca8d131402f77b2efadfbfe70e1ee44764ce4551ed15f43de064d98eb16c7.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3444-132-0x0000000000960000-0x0000000000976000-memory.dmpFilesize
88KB
-
memory/3444-133-0x00000000057D0000-0x0000000005D74000-memory.dmpFilesize
5.6MB
-
memory/3444-134-0x0000000005320000-0x00000000053B2000-memory.dmpFilesize
584KB
-
memory/3444-137-0x0000000001100000-0x000000000110A000-memory.dmpFilesize
40KB
-
memory/4288-135-0x0000000000000000-mapping.dmp
-
memory/5112-136-0x0000000000000000-mapping.dmp