Analysis
-
max time kernel
202s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2022 17:14
Behavioral task
behavioral1
Sample
5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe
Resource
win7-20221111-en
General
-
Target
5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe
-
Size
201KB
-
MD5
bf0193002825f240df1b2428ea2965bb
-
SHA1
749f91ed92d6e5bb0180fc75743f379828ff3ff1
-
SHA256
5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b
-
SHA512
2030903298ed1f8e2fb407ca2694f92af47daaceea8e93a183d0dbfea2c0a84e2eec32781f4b850c52c05cd531c601c02c2fcc26ada2cc13ad85888a3da39fe6
-
SSDEEP
3072:NDSXf2ro/JcXsFptLu3GIPkqu8J27A76NY364QbfvTkCXVW4wFm2jZqMNeNf:NDef2roRc+1uFP9/J27A76yQbfvSJvEf
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
Processes:
tmpldetect.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 tmpldetect.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE tmpldetect.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies tmpldetect.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 tmpldetect.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
tmpldetect.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix tmpldetect.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" tmpldetect.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" tmpldetect.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
tmpldetect.exepid process 3564 tmpldetect.exe 3564 tmpldetect.exe 3564 tmpldetect.exe 3564 tmpldetect.exe 3564 tmpldetect.exe 3564 tmpldetect.exe 3564 tmpldetect.exe 3564 tmpldetect.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exepid process 2364 5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exetmpldetect.exedescription pid process target process PID 3132 wrote to memory of 2364 3132 5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe 5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe PID 3132 wrote to memory of 2364 3132 5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe 5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe PID 3132 wrote to memory of 2364 3132 5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe 5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe PID 3116 wrote to memory of 3564 3116 tmpldetect.exe tmpldetect.exe PID 3116 wrote to memory of 3564 3116 tmpldetect.exe tmpldetect.exe PID 3116 wrote to memory of 3564 3116 tmpldetect.exe tmpldetect.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe"C:\Users\Admin\AppData\Local\Temp\5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5ba3813043b9f35c82e07f8450a2bd266c28faee36fc47ff2c940b94a9849d7b.exe--99721d402⤵
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\tmpldetect.exe"C:\Windows\SysWOW64\tmpldetect.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tmpldetect.exe--c9c154a2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2364-132-0x0000000000000000-mapping.dmp
-
memory/2364-135-0x00000000005A0000-0x00000000005BB000-memory.dmpFilesize
108KB
-
memory/2364-136-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/2364-137-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/2364-139-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3132-133-0x0000000000500000-0x000000000051B000-memory.dmpFilesize
108KB
-
memory/3132-134-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3564-138-0x0000000000000000-mapping.dmp
-
memory/3564-140-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3564-141-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB