Analysis
max time kernel: 177s
max time network: 207s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 14:03
Behavioral task: behavioral1
Sample: d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
Resource: win7-20220812-en
General
Target: d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
Size: 100KB
MD5: 8dc2977abe0b363aca606378bf7fd385
SHA1: 82fd6c30ebb2b3b5bb5911a3b57fd29142ce6fa8
SHA256: d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2
SHA512: 59f33d6707902aaa8704420a213541cfb758fe2cdfa49fce82d0c29f941d855d77799ef6cde5e5db6d307b8c620f4ba8eb2466dbb87d798c37757212e5786325
SSDEEP: 1536:S9XM2K4Y3kK5MNq5cktsVPkRcT5nEYJyuXtg/7rSLh50Uj7z3nYxV:S98xkK5h5xwPDTZrKrqh50Uj7z3nYxV
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Processes: targetsiell.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | targetsiell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | targetsiell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | targetsiell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | targetsiell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Processes: targetsiell.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | targetsiell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | targetsiell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | targetsiell.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: targetsiell.exe
  pid | process
  2492 | targetsiell.exe (10 identical entries)

Suspicious behavior: RenamesItself (1 IoC)
Processes: d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
  pid | process
  2260 | d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe, targetsiell.exe
  description | pid | process | target process
  PID 2452 wrote to memory of 2260 | 2452 | d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe | d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe (3 identical entries)
  PID 4600 wrote to memory of 2492 | 4600 | targetsiell.exe | targetsiell.exe (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2.exe
      command line: --c5edc055
      - Suspicious behavior: RenamesItself
1. C:\Windows\SysWOW64\targetsiell.exe
   command line: "C:\Windows\SysWOW64\targetsiell.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\targetsiell.exe
      command line: --13060574
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2260-134-0x0000000000000000-mapping.dmp
memory/2260-137-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
memory/2260-138-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
memory/2260-140-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
memory/2452-133-0x0000000002030000-0x0000000002041000-memory.dmp (Filesize 68KB)
memory/2452-135-0x0000000002030000-0x0000000002041000-memory.dmp (Filesize 68KB)
memory/2452-136-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
memory/2492-139-0x0000000000000000-mapping.dmp
memory/2492-141-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
memory/2492-142-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)