Analysis
max time kernel: 137s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 17:29
Behavioral task
behavioral1
Sample: 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe
Resource: win7-20220812-en
windows7-x64
8 signatures
150 seconds
General
Target: 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe
Size: 144KB
MD5: c9d8a1567baec7320f844d6415560ae5
SHA1: 9adf3ba3b223a7c2ed10b68b7df74b150137b400
SHA256: 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689
SHA512: f7b93cbd8694f0536a3b45c4f9164543ca5e3f178aa3281e5470f4ce9809fcb2a8aa6df1118f1e6d70f7172b38fe4226dfd4d68f35ff17fc07a6599aba44d9d7
SSDEEP: 3072:bltrbkFEEqOWYnLdLfD/g5fVVqZZ5lYkj:bvwFEEqPYnLtf74DqZ+0
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: relatedmatrix.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | relatedmatrix.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | relatedmatrix.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | relatedmatrix.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | relatedmatrix.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: relatedmatrix.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | relatedmatrix.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | relatedmatrix.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | relatedmatrix.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: relatedmatrix.exe
  pid | process
  4880 | relatedmatrix.exe (this row is listed 10 times)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe
  pid | process
  1840 | 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe, relatedmatrix.exe
  description | pid | process | target process
  PID 3796 wrote to memory of 1840 | 3796 | 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe | 84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe (this row is listed 3 times)
  PID 4940 wrote to memory of 4880 | 4940 | relatedmatrix.exe | relatedmatrix.exe (this row is listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\84591c3c2509d1a20f9a528545f4ad25b6a647618ea71f5dd79617e157040689.exe (depth 2)
    command line: --8e2abc7a
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\relatedmatrix.exe (depth 1)
  command line: "C:\Windows\SysWOW64\relatedmatrix.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\relatedmatrix.exe (depth 2)
    command line: --23170682
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1840-133-0x0000000000000000-mapping.dmp
- memory/1840-136-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize 148KB)
- memory/1840-138-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/3796-132-0x00000000006D0000-0x00000000006E1000-memory.dmp (Filesize 68KB)
- memory/3796-135-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/3796-134-0x00000000006D0000-0x00000000006E1000-memory.dmp (Filesize 68KB)
- memory/4880-137-0x0000000000000000-mapping.dmp
- memory/4880-139-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize 148KB)
- memory/4880-140-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize 148KB)