Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 01:26
Static task: static1
Behavioral task: behavioral1
- Sample: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- Resource: win10v2004-20220812-en
General
- Target: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- Size: 923KB
- MD5: 3c105635371528e1027593857051e4d6
- SHA1: d14d696e1989294cd89937b377780a30f9b1eb76
- SHA256: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691
- SHA512: 28c76cdb0d2b12d62cee0941b0aa080e27f7628a8f9c0d0b077c4a62effe46f4e35d6888f2fd221042ebee3e13447f65da9fd0cea0fa049cc9087bdb557c2a5b
- SSDEEP: 6144:mpqoa8aLKC/2OLSAN7gNVpNleQUohBfGPOtQciXeL/XYqGlebojSP2pjNhcAYnCP:mpqKC/2OGAtkCP4cejGSOpRK3CnIiv
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe system3_.exe" (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Users\\Admin\\Desktop\\system3_.exe" (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- File opened (read-only), one IoC per drive letter, all by f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe: \??\y:, \??\j:, \??\l:, \??\p:, \??\r:, \??\u:, \??\n:, \??\q:, \??\w:, \??\a:, \??\e:, \??\f:, \??\g:, \??\i:, \??\b:, \??\k:, \??\m:, \??\v:, \??\z:, \??\h:, \??\o:, \??\s:, \??\t:, \??\x:
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource: yara_rule):
- behavioral2/memory/3300-132-0x0000000000400000-0x00000000004E1000-memory.dmp: autoit_exe
- behavioral2/memory/3300-139-0x0000000000400000-0x00000000004E1000-memory.dmp: autoit_exe
Drops autorun.inf file (1 TTPs, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- File created: \??\d:\autorun.inf (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.mydreamworld.50webs.com" (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.mydreamworld.50webs.com" (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.mydreamworld.50webs.com" (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com" (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com" (process: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
- pid / process: all 64 IoCs are pid 3300, process f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe, cmd.exe, cmd.exe, cmd.exe
Description (pid, process, target process), each recorded 3 times:
- PID 3300 wrote to memory of 4660: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe -> cmd.exe
- PID 4660 wrote to memory of 4280: cmd.exe -> at.exe
- PID 3300 wrote to memory of 4800: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe -> cmd.exe
- PID 4800 wrote to memory of 1856: cmd.exe -> at.exe
- PID 3300 wrote to memory of 1724: f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe -> cmd.exe
- PID 1724 wrote to memory of 4420: cmd.exe -> cacls.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3ac9b8dee459898ff653a9ee6f5056b716ae7e4d880d1e4d3aa2f09dccad691.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\at.exe
      Command line: AT /delete /yes
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\at.exe
      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cacls.exe
      Command line: cacls "C:\system volume information" /e /g "Admin":f
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1724-137-0x0000000000000000-mapping.dmp
- memory/1856-136-0x0000000000000000-mapping.dmp
- memory/3300-132-0x0000000000400000-0x00000000004E1000-memory.dmp (filesize: 900KB)
- memory/3300-139-0x0000000000400000-0x00000000004E1000-memory.dmp (filesize: 900KB)
- memory/4280-134-0x0000000000000000-mapping.dmp
- memory/4420-138-0x0000000000000000-mapping.dmp
- memory/4660-133-0x0000000000000000-mapping.dmp
- memory/4800-135-0x0000000000000000-mapping.dmp