Analysis
-
max time kernel
151s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2022 04:33
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe
-
Size
62KB
-
MD5
093fdf024696c4bd632323169c51f487
-
SHA1
7a79285f8ea5e3b6cef88fc61394c305458b3dac
-
SHA256
6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3
-
SHA512
122a9e1dc6e6a774857372f7aa52c032cf3ff901eb93fc63ec8f15a95fa339c9fc654a4b5165a5d29f053d0eff889a07876d019d20a4cfa2ba2c374b6c96a545
-
SSDEEP
768:VDKsMqCXfVcW3fM9Zk5ANIU3LWLDwUzc80gmq3oP/oDj:9KsePM9Zk5APyr/0O8/oX
Malware Config
Signatures
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exedescription ioc process File created C:\Users\Admin\Pictures\ExportRestart.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File opened for modification C:\Users\Admin\Pictures\ExportRestart.tiff HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File created C:\Users\Admin\Pictures\ExportStart.png.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File created C:\Users\Admin\Pictures\OptimizeOut.raw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File created C:\Users\Admin\Pictures\ResizeConfirm.crw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File created C:\Users\Admin\Pictures\ExportUnpublish.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File created C:\Users\Admin\Pictures\InitializeExit.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File opened for modification C:\Users\Admin\Pictures\InitializeExit.tiff HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File created C:\Users\Admin\Pictures\OpenRead.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File created C:\Users\Admin\Pictures\WriteGrant.raw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe\"" HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe -
Drops desktop.ini file(s) 4 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exepid process 4820 HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe 4820 HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exeWMIC.exedescription pid process Token: SeDebugPrivilege 4820 HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe Token: SeIncreaseQuotaPrivilege 1504 WMIC.exe Token: SeSecurityPrivilege 1504 WMIC.exe Token: SeTakeOwnershipPrivilege 1504 WMIC.exe Token: SeLoadDriverPrivilege 1504 WMIC.exe Token: SeSystemProfilePrivilege 1504 WMIC.exe Token: SeSystemtimePrivilege 1504 WMIC.exe Token: SeProfSingleProcessPrivilege 1504 WMIC.exe Token: SeIncBasePriorityPrivilege 1504 WMIC.exe Token: SeCreatePagefilePrivilege 1504 WMIC.exe Token: SeBackupPrivilege 1504 WMIC.exe Token: SeRestorePrivilege 1504 WMIC.exe Token: SeShutdownPrivilege 1504 WMIC.exe Token: SeDebugPrivilege 1504 WMIC.exe Token: SeSystemEnvironmentPrivilege 1504 WMIC.exe Token: SeRemoteShutdownPrivilege 1504 WMIC.exe Token: SeUndockPrivilege 1504 WMIC.exe Token: SeManageVolumePrivilege 1504 WMIC.exe Token: 33 1504 WMIC.exe Token: 34 1504 WMIC.exe Token: 35 1504 WMIC.exe Token: 36 1504 WMIC.exe Token: SeIncreaseQuotaPrivilege 1504 WMIC.exe Token: SeSecurityPrivilege 1504 WMIC.exe Token: SeTakeOwnershipPrivilege 1504 WMIC.exe Token: SeLoadDriverPrivilege 1504 WMIC.exe Token: SeSystemProfilePrivilege 1504 WMIC.exe Token: SeSystemtimePrivilege 1504 WMIC.exe Token: SeProfSingleProcessPrivilege 1504 WMIC.exe Token: SeIncBasePriorityPrivilege 1504 WMIC.exe Token: SeCreatePagefilePrivilege 1504 WMIC.exe Token: SeBackupPrivilege 1504 WMIC.exe Token: SeRestorePrivilege 1504 WMIC.exe Token: SeShutdownPrivilege 1504 WMIC.exe Token: SeDebugPrivilege 1504 WMIC.exe Token: SeSystemEnvironmentPrivilege 1504 WMIC.exe Token: SeRemoteShutdownPrivilege 1504 WMIC.exe Token: SeUndockPrivilege 1504 WMIC.exe Token: SeManageVolumePrivilege 1504 WMIC.exe Token: 33 1504 WMIC.exe Token: 34 1504 WMIC.exe Token: 35 1504 WMIC.exe Token: 36 1504 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.execmd.exedescription pid process target process PID 4820 wrote to memory of 4244 4820 HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe cmd.exe PID 4820 wrote to memory of 4244 4820 HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe cmd.exe PID 4820 wrote to memory of 4244 4820 HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe cmd.exe PID 4244 wrote to memory of 1504 4244 cmd.exe WMIC.exe PID 4244 wrote to memory of 1504 4244 cmd.exe WMIC.exe PID 4244 wrote to memory of 1504 4244 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-6b167b5db9479f23463dcad1190e9f319b4747dab56e64ab142020fbbbe1b1c3.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1504-136-0x0000000000000000-mapping.dmp
-
memory/4244-135-0x0000000000000000-mapping.dmp
-
memory/4820-132-0x0000000000520000-0x0000000000536000-memory.dmpFilesize
88KB
-
memory/4820-133-0x00000000053D0000-0x0000000005974000-memory.dmpFilesize
5.6MB
-
memory/4820-134-0x0000000004F00000-0x0000000004F92000-memory.dmpFilesize
584KB