Analysis
-
max time kernel
151s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2022 04:33
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe
-
Size
62KB
-
MD5
f86748683a9f6f5d6ab359135e3787d0
-
SHA1
8863815a69d7a912b743d592756bdf40b6581035
-
SHA256
623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44
-
SHA512
2db4cc1e9f31d681f714e7d8773d3b820d071e3cc4702620f64bbf8802645a350452909201c01b78285c46f52da5de06d66546499e5863bff1013c5fab04441c
-
SSDEEP
768:wKsMqCXfVcWW2M9ZkiANIUlsUliYLDwUzc80gmq3oP/oDt:wKsezM9ZkiAPlvr/0O8/oZ
Malware Config
Signatures
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exedescription ioc process File created C:\Users\Admin\Pictures\CopyRepair.crw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File created C:\Users\Admin\Pictures\FormatOut.raw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File created C:\Users\Admin\Pictures\GetMount.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File created C:\Users\Admin\Pictures\RestartDismount.png.givemenitro HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File created C:\Users\Admin\Pictures\ShowPop.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File created C:\Users\Admin\Pictures\WriteRestart.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File created C:\Users\Admin\Pictures\ConvertFromSet.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromSet.tiff HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe\"" HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe -
Drops desktop.ini file(s) 5 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exepid process 2264 HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe 2264 HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2264 HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe Token: SeIncreaseQuotaPrivilege 3016 WMIC.exe Token: SeSecurityPrivilege 3016 WMIC.exe Token: SeTakeOwnershipPrivilege 3016 WMIC.exe Token: SeLoadDriverPrivilege 3016 WMIC.exe Token: SeSystemProfilePrivilege 3016 WMIC.exe Token: SeSystemtimePrivilege 3016 WMIC.exe Token: SeProfSingleProcessPrivilege 3016 WMIC.exe Token: SeIncBasePriorityPrivilege 3016 WMIC.exe Token: SeCreatePagefilePrivilege 3016 WMIC.exe Token: SeBackupPrivilege 3016 WMIC.exe Token: SeRestorePrivilege 3016 WMIC.exe Token: SeShutdownPrivilege 3016 WMIC.exe Token: SeDebugPrivilege 3016 WMIC.exe Token: SeSystemEnvironmentPrivilege 3016 WMIC.exe Token: SeRemoteShutdownPrivilege 3016 WMIC.exe Token: SeUndockPrivilege 3016 WMIC.exe Token: SeManageVolumePrivilege 3016 WMIC.exe Token: 33 3016 WMIC.exe Token: 34 3016 WMIC.exe Token: 35 3016 WMIC.exe Token: 36 3016 WMIC.exe Token: SeIncreaseQuotaPrivilege 3016 WMIC.exe Token: SeSecurityPrivilege 3016 WMIC.exe Token: SeTakeOwnershipPrivilege 3016 WMIC.exe Token: SeLoadDriverPrivilege 3016 WMIC.exe Token: SeSystemProfilePrivilege 3016 WMIC.exe Token: SeSystemtimePrivilege 3016 WMIC.exe Token: SeProfSingleProcessPrivilege 3016 WMIC.exe Token: SeIncBasePriorityPrivilege 3016 WMIC.exe Token: SeCreatePagefilePrivilege 3016 WMIC.exe Token: SeBackupPrivilege 3016 WMIC.exe Token: SeRestorePrivilege 3016 WMIC.exe Token: SeShutdownPrivilege 3016 WMIC.exe Token: SeDebugPrivilege 3016 WMIC.exe Token: SeSystemEnvironmentPrivilege 3016 WMIC.exe Token: SeRemoteShutdownPrivilege 3016 WMIC.exe Token: SeUndockPrivilege 3016 WMIC.exe Token: SeManageVolumePrivilege 3016 WMIC.exe Token: 33 3016 WMIC.exe Token: 34 3016 WMIC.exe Token: 35 3016 WMIC.exe Token: 36 3016 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.execmd.exedescription pid process target process PID 2264 wrote to memory of 2100 2264 HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe cmd.exe PID 2264 wrote to memory of 2100 2264 HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe cmd.exe PID 2264 wrote to memory of 2100 2264 HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe cmd.exe PID 2100 wrote to memory of 3016 2100 cmd.exe WMIC.exe PID 2100 wrote to memory of 3016 2100 cmd.exe WMIC.exe PID 2100 wrote to memory of 3016 2100 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-623b59622e8083f2a7fff7bfad29c66730a3799e22f13aea4789948568b0ba44.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2100-135-0x0000000000000000-mapping.dmp
-
memory/2264-132-0x00000000007A0000-0x00000000007B6000-memory.dmpFilesize
88KB
-
memory/2264-133-0x00000000056D0000-0x0000000005C74000-memory.dmpFilesize
5.6MB
-
memory/2264-134-0x00000000051C0000-0x0000000005252000-memory.dmpFilesize
584KB
-
memory/3016-136-0x0000000000000000-mapping.dmp