Analysis
max time kernel: 151s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 18:23
Static task: static1
Behavioral task: behavioral1
Sample: 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
Resource: win7-20220812-en
General
Target: 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
Size: 220KB
MD5: 66af1323084d8a85acfed88938411a66
SHA1: d7d36e66333b281bf870dedb54fa4061013b190c
SHA256: 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb
SHA512: aeb6c03a388e84bfe63c63b13837c8902e780cfcd56aed8bb63aff6c40122f4b48081c6a4400977ca46b6ab3220afcc98e1448b5229ebf4134e0610c3c5b72b7
SSDEEP: 3072:V5X8Hk2GgrQCz+VGUbqPM902yHydVi0Cy3pCdu6IqVZFBF:jX8E29z+VGUQM9UHQLCy3pCddh5
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Processes: uuidgenstarted.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | uuidgenstarted.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | uuidgenstarted.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | uuidgenstarted.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | uuidgenstarted.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Processes: uuidgenstarted.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | uuidgenstarted.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | uuidgenstarted.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | uuidgenstarted.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe, 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe, uuidgenstarted.exe, uuidgenstarted.exe
pid | process
4928 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
4928 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
4900 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
4900 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
4496 | uuidgenstarted.exe
4496 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe
4488 | uuidgenstarted.exe

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
pid | process
4900 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe, uuidgenstarted.exe
description | pid | process | target process
PID 4928 wrote to memory of 4900 | 4928 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
PID 4928 wrote to memory of 4900 | 4928 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
PID 4928 wrote to memory of 4900 | 4928 | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe | 2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe
PID 4496 wrote to memory of 4488 | 4496 | uuidgenstarted.exe | uuidgenstarted.exe
PID 4496 wrote to memory of 4488 | 4496 | uuidgenstarted.exe | uuidgenstarted.exe
PID 4496 wrote to memory of 4488 | 4496 | uuidgenstarted.exe | uuidgenstarted.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe (depth 2, child of the above)
    command line: "C:\Users\Admin\AppData\Local\Temp\2d377b9e72ef2f1984a219e44a6b79066d9b66dfaa3e645c17b09119efab85cb.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\uuidgenstarted.exe (depth 1)
command line: "C:\Windows\SysWOW64\uuidgenstarted.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\uuidgenstarted.exe (depth 2, child of the above)
    command line: "C:\Windows\SysWOW64\uuidgenstarted.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file | size
memory/4488-139-0x0000000000000000-mapping.dmp |
memory/4488-141-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/4488-142-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/4496-140-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/4900-133-0x0000000000000000-mapping.dmp |
memory/4900-137-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/4900-138-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/4900-143-0x0000000000400000-0x0000000000415000-memory.dmp | 84KB
memory/4928-132-0x0000000000580000-0x0000000000595000-memory.dmp | 84KB
memory/4928-134-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/4928-135-0x0000000000580000-0x0000000000595000-memory.dmp | 84KB
memory/4928-136-0x0000000000400000-0x0000000000415000-memory.dmp | 84KB