Analysis
- max time kernel: 8s
- max time network: 300s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-11-2022 00:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: PPPPPPPPPPPPPPP.exe
- Resource: win7-20220812-en
General
- Target: PPPPPPPPPPPPPPP.exe
- Size: 60KB
- MD5: 94406fab156e3ed962899d6a473683c5
- SHA1: 08ef787ee7264e87abdb1933102ae94a8056a587
- SHA256: 422c3df285fbd86303eb0448583550d7584a330095c60ada442cb1beb97cf670
- SHA512: c5ae7834d4722e7ca702258203f718a00403d76455cfe5e75743f116a4bd0c37ec33dcf89c6f779e8247519ae65e12523fe6bc7aede28a360fbf4687e1b2bba2
- SSDEEP: 768:DlH3iOcmCQkUF7Q3n8Q37RGC5fBPcKX0hT6tUTNtg3333rIX72s2H3eI2:DlHyOcmCD27c8oN5JPcQQhg3333rdX9
Malware Config
Signatures
- UAC bypass
  Processes (description / ioc / process):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: PPPPPPPPPPPPPPP.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: PPPPPPPPPPPPPPP.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: PPPPPPPPPPPPPPP.exe)
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes (pid / process):
  - 1264 k4.exe
  - 3312 k4.exe
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: PPPPPPPPPPPPPPP.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  - 4984 PPPPPPPPPPPPPPP.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  - PID 4984 wrote to memory of 1264 | 4984 | PPPPPPPPPPPPPPP.exe | k4.exe
  - PID 4984 wrote to memory of 3312 | 4984 | PPPPPPPPPPPPPPP.exe | k4.exe
  - PID 4984 wrote to memory of 3052 | 4984 | PPPPPPPPPPPPPPP.exe | cmd.exe
- System policy modification (1 TTPs, 6 IoCs)
  Processes (description / ioc / process):
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: PPPPPPPPPPPPPPP.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: PPPPPPPPPPPPPPP.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: PPPPPPPPPPPPPPP.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Users\Public\Documents\k4.exe
    Command line: C:/Users/Public/Documents/k4.exe
    - Executes dropped EXE
  - C:\Users\Public\Documents\k4.exe
    Command line: C:/Users/Public/Documents/k4.exe /D
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /t /im k4.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\k4.exe
  - Filesize: 892KB
  - MD5: 33e29221e2825001d32f78632217d250
  - SHA1: 9122127fc91790a1edb78003e9b58a9b00355ed5
  - SHA256: 65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
  - SHA512: 01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
- memory/1264-132-0x0000000000000000-mapping.dmp
- memory/3052-137-0x0000000000000000-mapping.dmp
- memory/3312-135-0x0000000000000000-mapping.dmp