Analysis

max time kernel: 150s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:39

Static task: static1
Behavioral task: behavioral1
  Sample: c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe
  Resource: win10v2004-20220812-en

General

Target: c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe
Size: 1.4MB
MD5: d1341eb309815b6f1e93dc2c0f8fa38c
SHA1: 6cf1d0090d2bc5d3409395fc326e413eb695570f
SHA256: c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e
SHA512: ce65b00ac5a34a761bbafaa134a6e82b8e4cf00406ac21d05b6b57a54484ad31ce39c550c770cefcd3b5227d184074bcbd9fa9904a9831481d8f0689476def8a
SSDEEP: 24576:nD0OqGBSxHXV1CRw4rj5K0RjrPiVfnTW4ov0jvaRtxxCGwS3zKGhUZjNphV:VDS+zpKwyn3opxUo3uEGj
Malware Config
Signatures

Executes dropped EXE (11 IoCs)
Processes (pid, process):
  1784 Winold.exe
  1176 Winold.exe
  380 Winold.exe
  1044 Winold.exe
  1076 Winold.exe
  1072 Winold.exe
  564 Winold.exe
  1624 Winold.exe
  1516 Winold.exe
  1264 Winold.exe
  1192 Winold.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
  1408 c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry Key = "C:\\Users\\Admin\\AppData\\Roaming\\Winold.exe" (reg.exe)

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Winold.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (Winold.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes (pid, process):
  1408 c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe
  1784 Winold.exe (the remaining 41 entries all belong to this process)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 1408 c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe
  Token: SeDebugPrivilege, 1784 Winold.exe

Suspicious use of WriteProcessMemory (52 IoCs)
Processes (description, pid, process, target process); each parent/child pair below is logged four times (13 pairs, 52 entries):
  PID 1408 c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe wrote to memory of 796 cmd.exe
  PID 796 cmd.exe wrote to memory of 1588 reg.exe
  PID 1408 c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe wrote to memory of 1784 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1176 Winold.exe
  PID 1784 Winold.exe wrote to memory of 380 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1044 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1076 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1072 Winold.exe
  PID 1784 Winold.exe wrote to memory of 564 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1624 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1516 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1264 Winold.exe
  PID 1784 Winold.exe wrote to memory of 1192 Winold.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Registry Key" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Winold.exe" & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Registry Key" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Winold.exe"
      - Adds Run key to start application

  C:\Users\Admin\AppData\Roaming\Winold.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Winold.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Winold.exe (10 child processes, each with the same command line and signature)
      Command line: "C:\Users\Admin\AppData\Roaming\Winold.exe"
      - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\Roaming\Winold.exe
  Filesize: 1.4MB
  MD5: d1341eb309815b6f1e93dc2c0f8fa38c
  SHA1: 6cf1d0090d2bc5d3409395fc326e413eb695570f
  SHA256: c0e810ab2ef04d940145f7f05466fd1a50d41c53df16677e465b411d12f63f1e
  SHA512: ce65b00ac5a34a761bbafaa134a6e82b8e4cf00406ac21d05b6b57a54484ad31ce39c550c770cefcd3b5227d184074bcbd9fa9904a9831481d8f0689476def8a