ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4

Analysis

max time kernel
171s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
Size

264KB
MD5

7cb7c2f88d3658be701274af95facfb2
SHA1

e24e31469c64d264e826c4c87a0641f814395659
SHA256

ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4
SHA512

37927ecad60e0d210edf5c21c6a096eca5d4bc114bf55444c900d9c8c1e0dbfb9cba256d559220eb0b9929d15c3ae3cec8a5f5ec4631fb117689e3ab298c2e3d
SSDEEP

6144:Y2MF5/U5fNRwhoTFHvvlv6VY1zVsg1X4N24B4:0ZCfNRw+TFPdv6VABLUn4

Score

9^/10

discovery ransomware

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SearchMount.tiff	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
File created	C:\Users\Admin\Pictures\SearchMount.tiff...	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
File renamed	C:\Users\Admin\Pictures\SearchMount.tiff... => C:\Users\Admin\Pictures\SearchMount.tiff.sage	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
File created	C:\Users\Admin\Pictures\UninstallPing.tif...	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
File renamed	C:\Users\Admin\Pictures\UninstallPing.tif... => C:\Users\Admin\Pictures\UninstallPing.tif.sage	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yYS.bmp"	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
Key created	\REGISTRY\USER\S-1-5-19	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
Key created	\REGISTRY\USER\S-1-5-20	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 1124	3896	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe	79
PID 3896 wrote to memory of 1124	3896	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe	79
PID 3896 wrote to memory of 1124	3896	ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe	79

C:\Users\Admin\AppData\Local\Temp\ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
"C:\Users\Admin\AppData\Local\Temp\ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe
  "C:\Users\Admin\AppData\Local\Temp\ad618b5ab55b3985df1e64321f8c047715e38c3765b2bc7a3de529dcc807c8f4.exe" g
  2⤵
  PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact