Analysis
-
max time kernel
151s -
max time network
103s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
25-09-2022 04:33
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe
Resource
win10v2004-20220901-en
General
-
Target
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe
-
Size
326KB
-
MD5
69324ffa4e40aa8c63fd9b27848aa371
-
SHA1
f608c5838f173558d7851e1517cf4ab722b13e26
-
SHA256
7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6
-
SHA512
d51b8da50273967bcc91e19ac21db0adc2d4870a10a60ed2f621cd7ddb9d2152424e7be95aacac743f75c607b9d445ea8f1172c9ab2b4b7af477f4f7c178b4db
-
SSDEEP
6144:WM9uJiJ1mEjuSW3C2oCmhqoeBsGciYOf+ZLswYjUtMTO:WMSiS9SW35dmhqoeBsGJGKlO
Malware Config
Signatures
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exedescription ioc process File created C:\Users\Admin\Pictures\MountRegister.raw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\RestartSkip.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\CheckpointRemove.crw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\CompareSuspend.png.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\JoinDismount.raw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\MeasurePop.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File opened for modification C:\Users\Admin\Pictures\MeasurePop.tiff HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\RedoClose.raw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\ResolveGet.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\ConfirmShow.crw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File created C:\Users\Admin\Pictures\ExportUnblock.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File opened for modification C:\Users\Admin\Pictures\ExportUnblock.tiff HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe\"" HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe -
Drops desktop.ini file(s) 3 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exepid process 1912 HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe 1912 HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1912 HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe Token: SeIncreaseQuotaPrivilege 1232 WMIC.exe Token: SeSecurityPrivilege 1232 WMIC.exe Token: SeTakeOwnershipPrivilege 1232 WMIC.exe Token: SeLoadDriverPrivilege 1232 WMIC.exe Token: SeSystemProfilePrivilege 1232 WMIC.exe Token: SeSystemtimePrivilege 1232 WMIC.exe Token: SeProfSingleProcessPrivilege 1232 WMIC.exe Token: SeIncBasePriorityPrivilege 1232 WMIC.exe Token: SeCreatePagefilePrivilege 1232 WMIC.exe Token: SeBackupPrivilege 1232 WMIC.exe Token: SeRestorePrivilege 1232 WMIC.exe Token: SeShutdownPrivilege 1232 WMIC.exe Token: SeDebugPrivilege 1232 WMIC.exe Token: SeSystemEnvironmentPrivilege 1232 WMIC.exe Token: SeRemoteShutdownPrivilege 1232 WMIC.exe Token: SeUndockPrivilege 1232 WMIC.exe Token: SeManageVolumePrivilege 1232 WMIC.exe Token: 33 1232 WMIC.exe Token: 34 1232 WMIC.exe Token: 35 1232 WMIC.exe Token: SeIncreaseQuotaPrivilege 1232 WMIC.exe Token: SeSecurityPrivilege 1232 WMIC.exe Token: SeTakeOwnershipPrivilege 1232 WMIC.exe Token: SeLoadDriverPrivilege 1232 WMIC.exe Token: SeSystemProfilePrivilege 1232 WMIC.exe Token: SeSystemtimePrivilege 1232 WMIC.exe Token: SeProfSingleProcessPrivilege 1232 WMIC.exe Token: SeIncBasePriorityPrivilege 1232 WMIC.exe Token: SeCreatePagefilePrivilege 1232 WMIC.exe Token: SeBackupPrivilege 1232 WMIC.exe Token: SeRestorePrivilege 1232 WMIC.exe Token: SeShutdownPrivilege 1232 WMIC.exe Token: SeDebugPrivilege 1232 WMIC.exe Token: SeSystemEnvironmentPrivilege 1232 WMIC.exe Token: SeRemoteShutdownPrivilege 1232 WMIC.exe Token: SeUndockPrivilege 1232 WMIC.exe Token: SeManageVolumePrivilege 1232 WMIC.exe Token: 33 1232 WMIC.exe Token: 34 1232 WMIC.exe Token: 35 1232 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.execmd.exedescription pid process target process PID 1912 wrote to memory of 1144 1912 HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe cmd.exe PID 1912 wrote to memory of 1144 1912 HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe cmd.exe PID 1912 wrote to memory of 1144 1912 HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe cmd.exe PID 1912 wrote to memory of 1144 1912 HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe cmd.exe PID 1144 wrote to memory of 1232 1144 cmd.exe WMIC.exe PID 1144 wrote to memory of 1232 1144 cmd.exe WMIC.exe PID 1144 wrote to memory of 1232 1144 cmd.exe WMIC.exe PID 1144 wrote to memory of 1232 1144 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-7e3fb87027b84b39e369efde5f180e6d0bcfda15489b4387a6e0737943556de6.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken