Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
25-09-2022 04:33
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe
-
Size
61KB
-
MD5
dd2b83c28ce0933ac08d737bf20a51e1
-
SHA1
eb7586b8812cf90c29c44dd189e6be1b06a237f1
-
SHA256
9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f
-
SHA512
dabbd7d8f3957f7b97cf0894ea30f30bfe8c2a7a98a508fb9c4cd5e582c13f1ec3126bc3602efbb4137798a00aae46a742d2a587457f2003e45b96b4dcc4f57c
-
SSDEEP
768:pKsMqCXfVcWfLM9ZkiANIUABYLDwUzc80gmq3oP/oDs:pKsejM9ZkiAPJr/0O8/oo
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe\"" HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 api.ipify.org 4 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exepid process 1344 HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe 1344 HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1344 HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe Token: SeIncreaseQuotaPrivilege 728 WMIC.exe Token: SeSecurityPrivilege 728 WMIC.exe Token: SeTakeOwnershipPrivilege 728 WMIC.exe Token: SeLoadDriverPrivilege 728 WMIC.exe Token: SeSystemProfilePrivilege 728 WMIC.exe Token: SeSystemtimePrivilege 728 WMIC.exe Token: SeProfSingleProcessPrivilege 728 WMIC.exe Token: SeIncBasePriorityPrivilege 728 WMIC.exe Token: SeCreatePagefilePrivilege 728 WMIC.exe Token: SeBackupPrivilege 728 WMIC.exe Token: SeRestorePrivilege 728 WMIC.exe Token: SeShutdownPrivilege 728 WMIC.exe Token: SeDebugPrivilege 728 WMIC.exe Token: SeSystemEnvironmentPrivilege 728 WMIC.exe Token: SeRemoteShutdownPrivilege 728 WMIC.exe Token: SeUndockPrivilege 728 WMIC.exe Token: SeManageVolumePrivilege 728 WMIC.exe Token: 33 728 WMIC.exe Token: 34 728 WMIC.exe Token: 35 728 WMIC.exe Token: SeIncreaseQuotaPrivilege 728 WMIC.exe Token: SeSecurityPrivilege 728 WMIC.exe Token: SeTakeOwnershipPrivilege 728 WMIC.exe Token: SeLoadDriverPrivilege 728 WMIC.exe Token: SeSystemProfilePrivilege 728 WMIC.exe Token: SeSystemtimePrivilege 728 WMIC.exe Token: SeProfSingleProcessPrivilege 728 WMIC.exe Token: SeIncBasePriorityPrivilege 728 WMIC.exe Token: SeCreatePagefilePrivilege 728 WMIC.exe Token: SeBackupPrivilege 728 WMIC.exe Token: SeRestorePrivilege 728 WMIC.exe Token: SeShutdownPrivilege 728 WMIC.exe Token: SeDebugPrivilege 728 WMIC.exe Token: SeSystemEnvironmentPrivilege 728 WMIC.exe Token: SeRemoteShutdownPrivilege 728 WMIC.exe Token: SeUndockPrivilege 728 WMIC.exe Token: SeManageVolumePrivilege 728 WMIC.exe Token: 33 728 WMIC.exe Token: 34 728 WMIC.exe Token: 35 728 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.execmd.exedescription pid process target process PID 1344 wrote to memory of 604 1344 HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe cmd.exe PID 1344 wrote to memory of 604 1344 HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe cmd.exe PID 1344 wrote to memory of 604 1344 HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe cmd.exe PID 1344 wrote to memory of 604 1344 HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe cmd.exe PID 604 wrote to memory of 728 604 cmd.exe WMIC.exe PID 604 wrote to memory of 728 604 cmd.exe WMIC.exe PID 604 wrote to memory of 728 604 cmd.exe WMIC.exe PID 604 wrote to memory of 728 604 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-9795f8ea6434989afcfd59bcbccf2edc40a93f5185148c5def2cc6a32a143a6f.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken