Analysis
- max time kernel: 36s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 07:54
Behavioral task: behavioral1
- Sample: 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
- Resource: win10v2004-20221111-en
General
- Target: 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
- Size: 3.2MB
- MD5: b68428885b7b7ee7f3afcabc87ff6d15
- SHA1: fc78f8d9c9e60b0cf4a4139416b321a4dac85f10
- SHA256: 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6
- SHA512: e1031096530107b068781402c374cbe14993684affd3fcbf6004c93c04193b41a9623ffb0b8f741419c1aac9dacc3af46cea0b3bb3f1af7d758d2b10828e1bc4
- SSDEEP: 49152:ga7UX7jYG3aoKOi4uYK5vikfADPDJjPKTW7yHO9LhrXbvHNyDSVPuSZcNKGWGop:8XyOi4u+kfADdmTbu99zbyhSO3F0
Malware Config
Signatures
- UPX packed file (yara_rule: upx)
Processes:
resource | yara_rule
behavioral1/memory/1684-55-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
behavioral1/memory/1684-68-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
- Modifies registry class 10 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\LocalServer32 | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe" | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol\ = "eProtocol" | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol\Clsid | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol\Clsid\ = "{82184935-B894-4AB2-8590-603BA7D74B71}" | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\ProgID | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\ProgID\ = "95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol" | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71} | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.eProtocol | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82184935-B894-4AB2-8590-603BA7D74B71}\ = "eProtocol" | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1684 | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
1684 | 95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95514b37d5be8ee78e0889ebc1fddb8d444fb10c87806e696bba108c220c9ac6.exe"
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx