Analysis
- max time kernel: 215s
- max time network: 223s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 15:46
Behavioral task
- behavioral1
- Sample: 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
- Resource: win7-20220812-en
General
- Target: 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
- Size: 108KB
- MD5: c8bd995346f61308e200199c7e041b3c
- SHA1: 46a39c9425bff794916493459f8bffd9e6915af4
- SHA256: 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f
- SHA512: 9f820d527a5b05d8003d3350ef2428f6d956ec63b42f3d9097df9989f1d1a219841ebe4959eb75c7cc3ab9e36dbebab0e32d9cfc49c114bfc2d7a30373124755
- SSDEEP: 3072:FCrRG9LgWHyMp6awrpEoNLna7TpP7N5LtgxH:FCrskJaYvn+PdgB
Malware Config
Signatures

- Drops file in System32 directory (4 IoCs)
  Processes: portalbears.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (portalbears.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (portalbears.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (portalbears.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (portalbears.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (3 IoCs)
  Processes: portalbears.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (portalbears.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (portalbears.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (portalbears.exe)

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: portalbears.exe
  - pid 4624, process portalbears.exe (the same entry is reported 10 times)

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
  - pid 4792, process 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe, portalbears.exe
  - PID 4864 wrote to memory of 4792; pid 4864, process 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe, target process 9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe (reported 3 times)
  - PID 1712 wrote to memory of 4624; pid 1712, process portalbears.exe, target process portalbears.exe (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe
    command line: C:\Users\Admin\AppData\Local\Temp\9635c10648c4dccb9c9de1260429441a6936fcbd0f7eb16c4c149adc5888a32f.exe --167b5551
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\portalbears.exe
  command line: "C:\Windows\SysWOW64\portalbears.exe"
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\portalbears.exe
    command line: C:\Windows\SysWOW64\portalbears.exe --f0f2e09
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1712-138-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/4624-139-0x0000000000000000-mapping.dmp
- memory/4624-141-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/4624-142-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/4792-133-0x0000000000000000-mapping.dmp
- memory/4792-136-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/4792-137-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/4792-140-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/4864-132-0x00000000004E0000-0x00000000004F1000-memory.dmp (Filesize 68KB)
- memory/4864-134-0x00000000004E0000-0x00000000004F1000-memory.dmp (Filesize 68KB)
- memory/4864-135-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)