Analysis
max time kernel: 51s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 17:41
Behavioral task: behavioral1
  Sample: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  Resource: win10v2004-20221111-en
General
Target: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
Size: 2.5MB
MD5: a001612855d4a8ef91a81fcc04c78923
SHA1: 852a3107921557748edd48175f5c14e9bd90d84a
SHA256: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b
SHA512: 2dfdda74dff7a57d55ee36e9cc056f06410cc07bbd5f7bcf35efa525f1cc06108a9f3ad8015abe8e81cf8564b2b49ddc51568a1613673bf1f5e4f9d9f1091173
SSDEEP: 49152:GoTnBCUzCLIB8whjke0k3+DNufQFbwBUreGDs1wa3zUprbFLKxvT1t+IE:GPowXD/2GreGDsPoRLKx3hE
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
Processes:
  resource | yara_rule
  behavioral1/memory/1112-55-0x0000000000220000-0x000000000089F000-memory.dmp | themida
  behavioral1/memory/1112-56-0x0000000000220000-0x000000000089F000-memory.dmp | themida
  behavioral1/memory/1112-58-0x0000000000220000-0x000000000089F000-memory.dmp | themida
  behavioral1/memory/1112-57-0x0000000000220000-0x000000000089F000-memory.dmp | themida
  behavioral1/memory/1112-60-0x0000000000220000-0x000000000089F000-memory.dmp | themida
Checks whether UAC is enabled
Processes: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  pid | process
  1112 | 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (12 IoCs)
Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.cfg | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.cfg\ = "cfg_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\shell\edit | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\shell\edit\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\shell\open | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\cfg_auto_file\shell\open\command | rundll32.exe
Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
  pid | process
  2020 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
  pid | process
  1112 | 0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description | pid | process | target process
  PID 1032 wrote to memory of 2020 | 1032 | rundll32.exe | NOTEPAD.EXE
  PID 1032 wrote to memory of 2020 | 1032 | rundll32.exe | NOTEPAD.EXE
  PID 1032 wrote to memory of 2020 | 1032 | rundll32.exe | NOTEPAD.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ecc20f2e5f96252997b16bf7b516a77b595bd480a050db2a6ca3b55eb56b53b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\rundll32.exe (depth 1)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TestAdd.cfg
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (depth 2, child of rundll32.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TestAdd.cfg
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file | size
  memory/1032-62-0x000007FEFB801000-0x000007FEFB803000-memory.dmp | 8KB
  memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp | 8KB
  memory/1112-55-0x0000000000220000-0x000000000089F000-memory.dmp | 6.5MB
  memory/1112-56-0x0000000000220000-0x000000000089F000-memory.dmp | 6.5MB
  memory/1112-58-0x0000000000220000-0x000000000089F000-memory.dmp | 6.5MB
  memory/1112-57-0x0000000000220000-0x000000000089F000-memory.dmp | 6.5MB
  memory/1112-59-0x0000000077160000-0x00000000772E0000-memory.dmp | 1.5MB
  memory/1112-60-0x0000000000220000-0x000000000089F000-memory.dmp | 6.5MB
  memory/1112-61-0x0000000077160000-0x00000000772E0000-memory.dmp | 1.5MB
  memory/2020-63-0x0000000000000000-mapping.dmp |