Analysis
-
max time kernel
155s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 08:32
Behavioral task
behavioral1
Sample
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe
Resource
win10v2004-20221111-en
General
-
Target
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe
-
Size
74KB
-
MD5
42b0a4f5b85d1f879d59295ccfe2661a
-
SHA1
95793eb1be319fef9238a1e4db00665d4f6b7ff1
-
SHA256
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c
-
SHA512
648a03bf8da3eb01bb3d2bde2cec1a796680d32de72f3070b9390a8af30589a92d24617b8468777be793cd743d304f64d04010de2aa959099c22e4d320690da7
-
SSDEEP
1536:zvwIMUkn5lRjATpx6GWT4T/aj1DfKz0Sx6vGMHRYZ35iIEtjRsD4:bJknVKucT/u1+zPGHRkJyRs
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/memory/3940-132-0x0000000000400000-0x000000000042C000-memory.dmp upx behavioral2/memory/3940-133-0x0000000000400000-0x000000000042C000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run 5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\105-2-5-4 = "c:\\program files\\Webdialer\\5138a0770379fcc0cb964691fc735 -m" 5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 2 IoCs
Processes:
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exedescription ioc process File created \??\c:\program files\Webdialer\5138a0770379fcc0cb964691fc735 5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe File opened for modification \??\c:\program files\Webdialer\5138a0770379fcc0cb964691fc735 5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid 4 4 4 4 4 652 -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exepid process 3940 5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exepid process 3940 5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe"C:\Users\Admin\AppData\Local\Temp\5138a0770379fcc0cb964691fc7359f97921745e6522d5a7ad7e8e1eb6888b5c.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3940