Analysis
-
max time kernel
957s -
max time network
962s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 15:43
Static task
static1
Behavioral task
behavioral1
Sample
trig_e7c9ec3048d3ea5b16dce3.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
trig_e7c9ec3048d3ea5b16dce3.exe
Resource
win10v2004-20220812-en
General
-
Target
trig_e7c9ec3048d3ea5b16dce3.exe
-
Size
1.1MB
-
MD5
2de26af68d2d6d73dae987eb2cdedd6e
-
SHA1
34d7fdb906b79f2912598378359668c57e65bb5d
-
SHA256
e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc
-
SHA512
e85e9c998042e1292312450ef44a9b913b8a67e1ee329fa1dbafc588b6cf1f6aa796fe694b6ae856d5b1c96c65fed71cf8ddee674c6ea49716f9788babc8fc57
-
SSDEEP
24576:kYj5E9T+xHeQhNmYOnW8FQrbID+u9v8zKLU:t5E9LQvRrtSvCUU
Malware Config
Extracted
C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta
phandaledr@onionmail.org
http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion/
Signatures
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
trig_e7c9ec3048d3ea5b16dce3.exedescription ioc process File renamed C:\Users\Admin\Pictures\LockResize.raw => \??\c:\Users\Admin\Pictures\LockResize.raw._locked trig_e7c9ec3048d3ea5b16dce3.exe File renamed C:\Users\Admin\Pictures\ProtectRedo.png => \??\c:\Users\Admin\Pictures\ProtectRedo.png._locked trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Users\Admin\Pictures\UnblockSet.tiff trig_e7c9ec3048d3ea5b16dce3.exe File renamed C:\Users\Admin\Pictures\UnblockSet.tiff => \??\c:\Users\Admin\Pictures\UnblockSet.tiff._locked trig_e7c9ec3048d3ea5b16dce3.exe File renamed C:\Users\Admin\Pictures\CompareEnable.png => \??\c:\Users\Admin\Pictures\CompareEnable.png._locked trig_e7c9ec3048d3ea5b16dce3.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
trig_e7c9ec3048d3ea5b16dce3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation trig_e7c9ec3048d3ea5b16dce3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
trig_e7c9ec3048d3ea5b16dce3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A3CCAAA7B4E706624A2BFE35670DFB27 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trig_e7c9ec3048d3ea5b16dce3.exe" trig_e7c9ec3048d3ea5b16dce3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\446352F4CA51C751CC40666092339A2C = "c:\\users\\admin\\appdata\\local\\temp\\how_to_decrypt.hta" trig_e7c9ec3048d3ea5b16dce3.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 1 IoCs
Processes:
trig_e7c9ec3048d3ea5b16dce3.exedescription ioc process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI trig_e7c9ec3048d3ea5b16dce3.exe -
Drops file in Program Files directory 64 IoCs
Processes:
trig_e7c9ec3048d3ea5b16dce3.exedescription ioc process File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\mr\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\ui-strings.js trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jre1.8.0_66\lib\hijrah-config-umalqura.properties trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\selector.js trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\management-agent.jar trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\VideoLAN\VLC\AUTHORS.txt trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files\Common Files\System\es-ES\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\how_to_decrypt.hta trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\bg_get.svg trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML trig_e7c9ec3048d3ea5b16dce3.exe File opened for modification \??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar trig_e7c9ec3048d3ea5b16dce3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
trig_e7c9ec3048d3ea5b16dce3.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings trig_e7c9ec3048d3ea5b16dce3.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
trig_e7c9ec3048d3ea5b16dce3.exedescription pid process target process PID 3628 wrote to memory of 10784 3628 trig_e7c9ec3048d3ea5b16dce3.exe mshta.exe PID 3628 wrote to memory of 10784 3628 trig_e7c9ec3048d3ea5b16dce3.exe mshta.exe PID 3628 wrote to memory of 10784 3628 trig_e7c9ec3048d3ea5b16dce3.exe mshta.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\trig_e7c9ec3048d3ea5b16dce3.exe"C:\Users\Admin\AppData\Local\Temp\trig_e7c9ec3048d3ea5b16dce3.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\appdata\local\temp\how_to_decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\appdata\local\temp\how_to_decrypt.htaFilesize
12KB
MD529133ad0bfbad7f15ccd5575914a24be
SHA16900fe95449cf08feeb4ffa96c1754bdaa2213cb
SHA2564cd1acbac658d8e7a09603f86eb9c65df619c7b79d4c3472ee717b8ac0e2b1d3
SHA512d14a09bf880c9435994e1ec64857bf827672a0ad8f5e96a03358207f3f2e6f611d2fff47cfb571d00cb2d50b837d842ca471200f1300f344f0fa52dc5f979428
-
memory/10784-132-0x0000000000000000-mapping.dmp