Analysis
max time kernel: 91s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 14:09

Static task: static1

Behavioral task: behavioral1
Sample: b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
Resource: win10v2004-20220812-en
General
Target: b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
Size: 1.7MB
MD5: 2010f94a111ab8d9e0a25d7aefd2704e
SHA1: cc5fb0d3c2ac669a04ce073e2023200107a1846a
SHA256: b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7
SHA512: daec0ed4e7ed5467c9b59db2976227f142a56f1e3eadd138baf6281d63ea565849da08c1ffcad056fc49909a42d16b79bbcf546ef37977f3e386566ca3dbcc71
SSDEEP: 24576:GhGyCHW7fOpOQWzYSQ6iRUxgrGEMr3LvDUUk1+CtdEckOOZ2K7bGqvUCSVt:GhGVHWyOrVuUUMrbZk1yckOOZ2fyUtr
Malware Config
Signatures
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: write.exe
description | ioc | process
File opened for modification | \??\c:\Users\Admin\Pictures\SendExport.raw.rnsmcat4er | write.exe
File renamed | C:\Users\Admin\Pictures\DismountEnter.crw => \??\c:\Users\Admin\Pictures\DismountEnter.crw.rnsmcat4er | write.exe
File opened for modification | \??\c:\Users\Admin\Pictures\DismountEnter.crw.rnsmcat4er | write.exe
File renamed | C:\Users\Admin\Pictures\SendExport.raw => \??\c:\Users\Admin\Pictures\SendExport.raw.rnsmcat4er | write.exe
Drops desktop.ini file(s) (29 IoCs)
Processes: write.exe
description | ioc | process
File opened for modification | \??\c:\Users\Admin\Saved Games\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Searches\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\Downloads\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\Libraries\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Downloads\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Favorites\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\AccountPictures\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | write.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Links\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Desktop\desktop.ini | write.exe
File opened for modification | \??\c:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\Videos\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Videos\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Music\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\3D Objects\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Contacts\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\Desktop\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\Pictures\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\OneDrive\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\Documents\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Pictures\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Public\Music\desktop.ini | write.exe
File opened for modification | \??\c:\Users\Admin\Favorites\Links\desktop.ini | write.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: write.exe
description | ioc | process
File opened (read-only) | \??\p: | write.exe
File opened (read-only) | \??\a: | write.exe
File opened (read-only) | \??\e: | write.exe
File opened (read-only) | \??\i: | write.exe
File opened (read-only) | \??\k: | write.exe
File opened (read-only) | \??\o: | write.exe
File opened (read-only) | \??\w: | write.exe
File opened (read-only) | \??\y: | write.exe
File opened (read-only) | \??\b: | write.exe
File opened (read-only) | \??\h: | write.exe
File opened (read-only) | \??\q: | write.exe
File opened (read-only) | \??\s: | write.exe
File opened (read-only) | \??\t: | write.exe
File opened (read-only) | \??\u: | write.exe
File opened (read-only) | \??\r: | write.exe
File opened (read-only) | \??\v: | write.exe
File opened (read-only) | \??\f: | write.exe
File opened (read-only) | \??\g: | write.exe
File opened (read-only) | \??\j: | write.exe
File opened (read-only) | \??\l: | write.exe
File opened (read-only) | \??\m: | write.exe
File opened (read-only) | \??\n: | write.exe
File opened (read-only) | \??\x: | write.exe
File opened (read-only) | \??\z: | write.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe, write.exe
description | pid | process | target process
PID 5104 set thread context of 3100 | 5104 | b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe | write.exe
PID 3100 set thread context of 8660 | 3100 | write.exe | write.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: write.exe
pid | process
8660 | write.exe
8660 | write.exe
8660 | write.exe
8660 | write.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe, write.exe
description | pid | process | target process
PID 5104 wrote to memory of 3100 | 5104 | b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe | write.exe
PID 5104 wrote to memory of 3100 | 5104 | b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe | write.exe
PID 5104 wrote to memory of 3100 | 5104 | b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe | write.exe
PID 5104 wrote to memory of 3100 | 5104 | b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe | write.exe
PID 3100 wrote to memory of 8660 | 3100 | write.exe | write.exe
PID 3100 wrote to memory of 8660 | 3100 | write.exe | write.exe
PID 3100 wrote to memory of 8660 | 3100 | write.exe | write.exe
PID 3100 wrote to memory of 8660 | 3100 | write.exe | write.exe
PID 3100 wrote to memory of 8660 | 3100 | write.exe | write.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\write.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\write.exe
      Command line: "C:\Windows\system32\write.exe"
      - Modifies extensions of user files
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini
Filesize: 876B
MD5: ccf0567081f812a4dc46a0c66271bc61
SHA1: a564f839023b5aff353107a9eeaf7b74e693d8f7
SHA256: f7497d8a7e36b45c8cce8235388c93e62fe4de4bc3b263014a4ceada6a63fd1c
SHA512: 323c651cb5b87afbaea9058da057aeaac8bfd577e0b685a7e99f0296f78aeb6e595a5bef0ff86c98851abd9b70ad3629a6e7a9f45672b88564ae21421c64390e
memory/3100-135-0x0000000000A25B00-mapping.dmp
memory/3100-134-0x0000000000A10000-0x0000000000B2C000-memory.dmp (Filesize: 1.1MB)
memory/3100-136-0x0000000000A10000-0x0000000000B2C000-memory.dmp (Filesize: 1.1MB)
memory/3100-140-0x0000000000A10000-0x0000000000B2C000-memory.dmp (Filesize: 1.1MB)
memory/5104-132-0x0000000002B20000-0x0000000002E59000-memory.dmp (Filesize: 3.2MB)
memory/5104-133-0x0000000002F80000-0x000000000309C000-memory.dmp (Filesize: 1.1MB)
memory/5104-137-0x0000000002F80000-0x000000000309C000-memory.dmp (Filesize: 1.1MB)
memory/8660-138-0x0000000000FB0000-0x00000000010CC000-memory.dmp (Filesize: 1.1MB)
memory/8660-139-0x0000000000FC33C0-mapping.dmp
memory/8660-141-0x0000000000EF0000-0x0000000000FAB000-memory.dmp (Filesize: 748KB)
memory/8660-143-0x0000000000EF0000-0x0000000000FAB000-memory.dmp (Filesize: 748KB)