Analysis
-
max time kernel
28s -
max time network
23s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2022, 22:13
Behavioral task
behavioral1
Sample
f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe
Resource
win7-20220901-en
windows7-x64
11 signatures
150 seconds
General
-
Target
f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe
-
Size
298KB
-
MD5
0c4996efa587cf0046aea007cdc858a0
-
SHA1
933cc72153d6de8dc65e09b8b2e9495d96c4e5ad
-
SHA256
f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca
-
SHA512
b86b7aa74342efe38c3ddeee26bb495498403473dc6d6b8342b260b9be5a6cf9f401242386b4499eecfcdb80c0815955e4e12afbc514d11008756ac851eb3b84
-
SSDEEP
6144:nuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYz:u6Wq4aaE6KwyF5L0Y2D1PqLm
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" svhost.exe -
Executes dropped EXE 1 IoCs
pid Process 4504 svhost.exe -
resource yara_rule behavioral2/files/0x0009000000022e32-135.dat upx behavioral2/files/0x0009000000022e32-134.dat upx behavioral2/memory/2428-132-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/4504-136-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/2428-137-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/4504-138-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\i: svhost.exe File opened (read-only) \??\j: svhost.exe File opened (read-only) \??\s: svhost.exe File opened (read-only) \??\b: svhost.exe File opened (read-only) \??\m: svhost.exe File opened (read-only) \??\r: svhost.exe File opened (read-only) \??\k: svhost.exe File opened (read-only) \??\q: svhost.exe File opened (read-only) \??\t: svhost.exe File opened (read-only) \??\x: svhost.exe File opened (read-only) \??\y: svhost.exe File opened (read-only) \??\z: svhost.exe File opened (read-only) \??\e: svhost.exe File opened (read-only) \??\f: svhost.exe File opened (read-only) \??\g: svhost.exe File opened (read-only) \??\h: svhost.exe File opened (read-only) \??\l: svhost.exe File opened (read-only) \??\n: svhost.exe File opened (read-only) \??\o: svhost.exe File opened (read-only) \??\p: svhost.exe File opened (read-only) \??\a: svhost.exe File opened (read-only) \??\v: svhost.exe File opened (read-only) \??\w: svhost.exe File opened (read-only) \??\u: svhost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\svhost.exe f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe File opened for modification C:\Windows\Driver.db svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4504 svhost.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 4504 svhost.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe 4504 svhost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2428 wrote to memory of 4504 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 32 PID 2428 wrote to memory of 4504 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 32 PID 2428 wrote to memory of 4504 2428 f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe"C:\Users\Admin\AppData\Local\Temp\f2185e3189a8353ab46441bf27960fdfbed53001077b219d98a01d09ca3474ca.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\svhost.exeC:\Windows\svhost.exe2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4504
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD50d1c326ff5567f6da1e4d6cd07a7a93d
SHA1896cfa9ca9168b95116e339636a4b20e915737ae
SHA256dcbe211625edb162f5ec8d0582ab2a5ac4f9183d2e56443799691e79f2d515de
SHA512925834825350ff535796d07ac6149035e2cd41d807ec731e4b862fdfb809c7dbb581713a3df80169989ccdaa1d2e621a7ea311eb5c66711164fd0a51c0183fc6
-
Filesize
155KB
MD5061ed10d802f8926f52d8423e8658303
SHA144e5c79e3fe79c7a6f7a311ddf7505fc8360fb2f
SHA256d6ffab615fb9e8f804447a74218113d554a03e29d94459dd433ee08355310dd5
SHA512b2af130b5346a7073c484f5a09e9d1111ccec608d19a555cd9656af86b874f87c10221fd4e5bf5b777d721a16bc8b48e128265c0b74d90f7fcd598a0bbfbd013