Analysis
- max time kernel: 167s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 15:45
Behavioral task: behavioral1
- Sample: b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe
- Resource: win7-20220901-en
General
- Target: b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe
- Size: 200KB
- MD5: 302b61562fd258c88ab0db3ffa640faf
- SHA1: bf6d895f57b8f18d5b2a0f6ca969c93b142fbce5
- SHA256: b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594
- SHA512: 71f9e1b27653fa8af02e9846691014ccf8676b07679b4555a09dbf2e9e347027f0d186ec96c80a26abc252d74cec8ef43cfbc1b684c8edf003dcc79cadb58fe0
- SSDEEP: 3072:GNkhoRdoQbxSTcbrh82bQZfR3pKHJLbSvGft0WtPwpIC:GNgo3oInbQZp5MJLbSvGfh0
Malware Config
Signatures

- Drops file in System32 directory (4 IoCs)
  Process: alaskabased.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (3 IoCs)
  Process: alaskabased.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: alaskabased.exe, PID 4972 (reported 10 times)

- Suspicious behavior: RenamesItself (1 IoC)
  Process: b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe, PID 1968

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe, alaskabased.exe
  - PID 4764 (b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe) wrote to memory of PID 1968 (b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe), reported 3 times
  - PID 5044 (alaskabased.exe) wrote to memory of PID 4972 (alaskabased.exe), reported 3 times
Processes

- C:\Users\Admin\AppData\Local\Temp\b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\b6a03ef6505f465c895d0887c0479db9e2cdf7d391123a14c03b1af7dcb69594.exe
    Command line: --41c2bf6d
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\alaskabased.exe
  Command line: "C:\Windows\SysWOW64\alaskabased.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\alaskabased.exe
    Command line: --24975416
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1968-133-0x0000000000000000-mapping.dmp
- memory/1968-136-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/1968-137-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/1968-140-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/4764-132-0x0000000002030000-0x000000000204B000-memory.dmp (Filesize: 108KB)
- memory/4764-134-0x0000000002030000-0x000000000204B000-memory.dmp (Filesize: 108KB)
- memory/4764-135-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/4972-139-0x0000000000000000-mapping.dmp
- memory/4972-141-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/4972-142-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/5044-138-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)