Analysis
-
max time kernel
154s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28-11-2022 06:05
General
-
Target
7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe
-
Size
184KB
-
MD5
89f059a012a6911765ceaf4e3eefd2f8
-
SHA1
d0aae8d39b153584b3ea8f82b1ccf99ebef6a20c
-
SHA256
7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72
-
SHA512
01938da98ff0352db5e8db56ad60158dfd758bba1036cbf31d6e95003254ab8bc5e8abdde6f6850258738099e6468c6fe228e0c32dd73a75a41d3161af468996
-
SSDEEP
3072:kyXt9mTrJfPB6y0TwqjoL0sMjHicmDJij4X0PQgyrkEp92QObfOCLn2O:p4FfZ6zTwhmjsO4XcQ1F9pObp2O
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe"C:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exeC:\Users\Admin\AppData\Local\Temp\7db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72.exe2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\icllcxv.exeC:\Users\Admin\AppData\Roaming\icllcxv.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\icllcxv.exeC:\Users\Admin\AppData\Roaming\icllcxv.exe4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7DB66A~1.EXE >> NUL3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 428 -p 3052 -ip 30521⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3052 -s 32841⤵
- Program crash
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 936 -s 21962⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 936 -ip 9361⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.eccFilesize
622KB
MD51d409b863437249f020066a2878c7efe
SHA1800ac70cf56c9df951d8047695be759c0a6f44c7
SHA25606a356ec065f54d6ff0706ce0270ccb60caa9f56e54a4caa0e1e04bb4cdb59a6
SHA512e94d6a69b1c2a298865c70d0a8f283e0debc3750944d85e7493fed961282097cfbf2ae0381eea19a12c33ac97e1c600b3794a6a5dd268e6d763d535c16260e06
-
C:\Users\Admin\AppData\Roaming\icllcxv.exeFilesize
184KB
MD589f059a012a6911765ceaf4e3eefd2f8
SHA1d0aae8d39b153584b3ea8f82b1ccf99ebef6a20c
SHA2567db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72
SHA51201938da98ff0352db5e8db56ad60158dfd758bba1036cbf31d6e95003254ab8bc5e8abdde6f6850258738099e6468c6fe228e0c32dd73a75a41d3161af468996
-
C:\Users\Admin\AppData\Roaming\icllcxv.exeFilesize
184KB
MD589f059a012a6911765ceaf4e3eefd2f8
SHA1d0aae8d39b153584b3ea8f82b1ccf99ebef6a20c
SHA2567db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72
SHA51201938da98ff0352db5e8db56ad60158dfd758bba1036cbf31d6e95003254ab8bc5e8abdde6f6850258738099e6468c6fe228e0c32dd73a75a41d3161af468996
-
C:\Users\Admin\AppData\Roaming\icllcxv.exeFilesize
184KB
MD589f059a012a6911765ceaf4e3eefd2f8
SHA1d0aae8d39b153584b3ea8f82b1ccf99ebef6a20c
SHA2567db66ad64a23f53952dcd72eb1eaef6c063fb79c59db7f096930ea9285838f72
SHA51201938da98ff0352db5e8db56ad60158dfd758bba1036cbf31d6e95003254ab8bc5e8abdde6f6850258738099e6468c6fe228e0c32dd73a75a41d3161af468996
-
memory/1096-132-0x00000000759A0000-0x00000000759D9000-memory.dmpFilesize
228KB
-
memory/1096-136-0x00000000759A0000-0x00000000759D9000-memory.dmpFilesize
228KB
-
memory/3004-153-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/3004-137-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/3004-135-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/3004-133-0x0000000000000000-mapping.dmp
-
memory/3004-134-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/3004-141-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/3004-154-0x0000000075400000-0x0000000075439000-memory.dmpFilesize
228KB
-
memory/3004-142-0x0000000075400000-0x0000000075439000-memory.dmpFilesize
228KB
-
memory/3104-155-0x0000000000000000-mapping.dmp
-
memory/4148-148-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/4148-149-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/4148-150-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/4148-151-0x0000000075400000-0x0000000075439000-memory.dmpFilesize
228KB
-
memory/4148-144-0x0000000000000000-mapping.dmp
-
memory/4148-156-0x0000000000400000-0x0000000000467000-memory.dmpFilesize
412KB
-
memory/4232-152-0x0000000000000000-mapping.dmp
-
memory/4636-147-0x0000000075400000-0x0000000075439000-memory.dmpFilesize
228KB
-
memory/4636-143-0x0000000075400000-0x0000000075439000-memory.dmpFilesize
228KB
-
memory/4636-138-0x0000000000000000-mapping.dmp