Analysis

max time kernel: 147s
max time network: 183s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 18:04

Static task: static1
Behavioral task: behavioral1
  Sample: 67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe
  Resource: win7-20221111-en
General

Target: 67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe
Size: 330KB
MD5: 75625e1ddb43b3a50722b94b02c96605
SHA1: a6f87e059e0d66c3b259d2ec2447ff771e908641
SHA256: 67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04
SHA512: 5ea684a65f8ba23810ab81078ed6c23c43be6590dc462a62f3581224c48dac600154af446fdedeaf98866028a9f490add55aa007bc2232b0a9c3b72e4f927b62
SSDEEP: 3072:gd40HStXdZYy7XCQW4rKMXxgT1urCdxOnvluXMp3cKAArDZz4N9GhbkUNEkoA:gd2dyAKCxgAOo9ucpxyN90vEi
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
  process: detectuuidgen.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  Note: C:\Windows\SysWOW64\config\systemprofile is the 32-bit (WOW64) view of the LocalSystem account's profile, and counters.dat under Temporary Internet Files is WinINet's cache bookkeeping file. This IoC therefore shows that detectuuidgen.exe ran as SYSTEM with WinINet loaded; it is not evidence of a payload being planted in System32. The report does not show how detectuuidgen.exe came to exist in C:\Windows\SysWOW64 or what launched it.

Enumerates physical storage devices (1 TTP)
  Signature description (generic): Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the report attaches no IoC (no process, device path or API call) to this signature, so the "ransomware" wording is the signature's stock description rather than a finding specific to this sample.
Modifies data under HKEY_USERS (21 IoCs)
  process: detectuuidgen.exe (every entry)
  <IS> below stands for \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (the report writes the SOFTWARE component as both SOFTWARE and Software; registry key names are case-insensitive)

  Set value (int)   <IS>\Wpad\{296AE674-129F-49C2-ABA9-B4DF2F53302C}\WpadDecision = "0"
  Set value (int)   <IS>\Wpad\ae-b0-ae-a9-cb-d4\WpadDecision = "0"
  Set value (data)  <IS>\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   <IS>\ProxyEnable = "0"
  Set value (data)  <IS>\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       <IS>\Wpad
  Key created       <IS>\Wpad\ae-b0-ae-a9-cb-d4
  Key created       <IS>\Connections
  Set value (str)   <IS>\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str)   <IS>\5.0\Cache\History\CachePrefix = "Visited:"
  Key created       <IS>
  Set value (data)  <IS>\Wpad\{296AE674-129F-49C2-ABA9-B4DF2F53302C}\WpadDecisionTime = 501566ca7e06d901
  Key created       <IS>\Wpad\{296AE674-129F-49C2-ABA9-B4DF2F53302C}\ae-b0-ae-a9-cb-d4
  Set value (data)  <IS>\Wpad\ae-b0-ae-a9-cb-d4\WpadDecisionTime = 501566ca7e06d901
  Set value (data)  <IS>\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)   <IS>\5.0\Cache\Content\CachePrefix (no value shown in the report)
  Key created       <IS>\Wpad\{296AE674-129F-49C2-ABA9-B4DF2F53302C}
  Set value (int)   <IS>\Wpad\{296AE674-129F-49C2-ABA9-B4DF2F53302C}\WpadDecisionReason = "1"
  Set value (str)   <IS>\Wpad\{296AE674-129F-49C2-ABA9-B4DF2F53302C}\WpadNetworkName = "Network 2"
  Set value (int)   <IS>\Wpad\ae-b0-ae-a9-cb-d4\WpadDecisionReason = "1"
  Key created       <IS>

  Note: all 21 writes sit inside WinINet's per-profile Internet Settings for the .DEFAULT hive, which is the profile a SYSTEM-context process gets: WPAD auto-detect results (WpadDecision, WpadDecisionReason, WpadDecisionTime, WpadNetworkName, keyed by the adapter MAC ae-b0-ae-a9-cb-d4 and the network GUID), the default connection blobs (version 0x46, flags 0x09 = direct + auto-detect) and the cache prefixes. This is what WinINet writes on its own the first time a process uses it. ProxyEnable = "0" and the absence of any ProxyServer or AutoConfigURL value mean no proxy or PAC script was installed, so treat these entries as evidence that detectuuidgen.exe loaded WinINet (the report's Network section lists no resulting traffic), not as deliberate registry tampering. WpadDecisionTime is a little-endian FILETIME and reflects the analysis VM's clock.
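The triage a practitioner would run over the list above, as an added example that is not code from the sandbox report: the 21 registry events are transcribed from the report (the two connection blobs shortened to their leading 12 bytes, which is all the decoder reads), while the noise/proxy-control classification, the FILETIME decoder and the DefaultConnectionSettings header decoder are my own. The decoded WpadDecisionTime is the analysis VM's clock, not a timestamp from the sample.

```python
"""Triage of the HKEY_USERS\\.DEFAULT writes from the report."""
from datetime import datetime, timedelta, timezone

IS = r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
WPAD_GUID = r"\Wpad\{296AE674-129F-49C2-ABA9-B4DF2F53302C}"
WPAD_MAC = r"\Wpad\ae-b0-ae-a9-cb-d4"

# (operation, path relative to IS, value or None), in the report's order.
# Binary blobs are shortened to their first 12 bytes (version, counter, flags).
EVENTS = [
    ("Set value (int)", WPAD_GUID + r"\WpadDecision", "0"),
    ("Set value (int)", WPAD_MAC + r"\WpadDecision", "0"),
    ("Set value (data)", r"\Connections\DefaultConnectionSettings", "460000000300000009000000"),
    ("Set value (int)", r"\ProxyEnable", "0"),
    ("Set value (data)", r"\Connections\SavedLegacySettings", "460000000200000009000000"),
    ("Key created", r"\Wpad", None),
    ("Key created", WPAD_MAC, None),
    ("Key created", r"\Connections", None),
    ("Set value (str)", r"\5.0\Cache\Cookies\CachePrefix", "Cookie:"),
    ("Set value (str)", r"\5.0\Cache\History\CachePrefix", "Visited:"),
    ("Key created", "", None),
    ("Set value (data)", WPAD_GUID + r"\WpadDecisionTime", "501566ca7e06d901"),
    ("Key created", WPAD_GUID + r"\ae-b0-ae-a9-cb-d4", None),
    ("Set value (data)", WPAD_MAC + r"\WpadDecisionTime", "501566ca7e06d901"),
    ("Set value (data)", r"\Connections\DefaultConnectionSettings", "460000000200000009000000"),
    ("Set value (str)", r"\5.0\Cache\Content\CachePrefix", None),
    ("Key created", WPAD_GUID, None),
    ("Set value (int)", WPAD_GUID + r"\WpadDecisionReason", "1"),
    ("Set value (str)", WPAD_GUID + r"\WpadNetworkName", "Network 2"),
    ("Set value (int)", WPAD_MAC + r"\WpadDecisionReason", "1"),
    ("Key created", "", None),
]

# Values WinINet/WPAD writes by itself the first time a process uses them.
WININET_NOISE = {"WpadDecision", "WpadDecisionReason", "WpadDecisionTime",
                 "WpadNetworkName", "DefaultConnectionSettings",
                 "SavedLegacySettings", "CachePrefix"}
# Values that redirect traffic when set: the ones an attacker would touch.
PROXY_CONTROLS = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}


def classify(op, rel_path, value):
    """Bucket one registry event: wininet-noise, proxy-control or review."""
    name = rel_path.rsplit("\\", 1)[-1]
    if op == "Key created":
        return "wininet-noise"
    if name in PROXY_CONTROLS:
        return "proxy-control"
    if name in WININET_NOISE:
        return "wininet-noise"
    return "review"


def triage(events):
    buckets = {"wininet-noise": [], "proxy-control": [], "review": []}
    for op, rel, val in events:
        buckets[classify(op, rel, val)].append((op, IS + rel, val))
    return buckets


def proxy_hijacked(events):
    """True if any write turns on a proxy or PAC for the .DEFAULT profile."""
    for _, rel, val in events:
        name = rel.rsplit("\\", 1)[-1]
        if name == "ProxyEnable" and val not in (None, "0"):
            return True
        if name in ("ProxyServer", "AutoConfigURL") and val:
            return True
    return False


def decode_filetime(hexstr):
    """Little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    ticks = int.from_bytes(bytes.fromhex(hexstr), "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


CONN_FLAGS = {1: "direct", 2: "proxy", 4: "autoconfig-url", 8: "auto-detect"}


def decode_connection_settings(hexstr):
    """Header of a DefaultConnectionSettings/SavedLegacySettings blob: three DWORDs."""
    b = bytes.fromhex(hexstr)
    version, counter, flags = (int.from_bytes(b[i:i + 4], "little") for i in (0, 4, 8))
    modes = [name for bit, name in CONN_FLAGS.items() if flags & bit]
    return {"version": version, "counter": counter, "flags": flags, "modes": modes}


if __name__ == "__main__":
    buckets = triage(EVENTS)
    print({k: len(v) for k, v in buckets.items()})
    print("proxy hijacked:", proxy_hijacked(EVENTS))
    print("WPAD decision at (VM clock):", decode_filetime("501566ca7e06d901").isoformat())
    print(decode_connection_settings("460000000300000009000000"))
```

Running it puts 20 events in the noise bucket and the single ProxyEnable write in proxy-control with its value "0", leaves nothing for manual review, reports no proxy hijack, and decodes the connection blobs as version 0x46 with flags 0x09 (direct + auto-detect), which is the stock configuration.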
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   process
  1404  67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe
  2028  67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe
  668   detectuuidgen.exe
  432   detectuuidgen.exe (4 hits)

Suspicious behavior: RenamesItself (1 IoC)
  pid   process
  2028  67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe

Suspicious use of UnmapMainImage (4 IoCs)
  pid   process
  1404  67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe
  2028  67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe
  668   detectuuidgen.exe
  432   detectuuidgen.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1404 (67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe) wrote to memory of PID 2028 (67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe), 4 times
  PID 668 (detectuuidgen.exe) wrote to memory of PID 432 (detectuuidgen.exe), 4 times

  Note: both chains have the same shape. A parent starts a second instance of its own image, both parent and child are flagged for UnmapMainImage, the parent writes into the child four times, and the child ends up with a 340KB region at 0x400000 (see the memory dumps under Downloads) where the original PID 1404 maps only an 84KB image at that address. That is the shape of process hollowing / self-injection, and the 340KB child regions are the payload to pull for static analysis. The report does not show the API sequence (for instance whether the child was created suspended), nor how the sample came to run as C:\Windows\SysWOW64\detectuuidgen.exe.
Processes

(PIDs are taken from the signature tables above; the ⤵ depth markers of the original are rendered as nesting)

C:\Users\Admin\AppData\Local\Temp\67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe  (PID 1404)
  command line: "C:\Users\Admin\AppData\Local\Temp\67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe  (PID 2028, child of 1404)
        command line: "C:\Users\Admin\AppData\Local\Temp\67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: RenamesItself
        - Suspicious use of UnmapMainImage

C:\Windows\SysWOW64\detectuuidgen.exe  (PID 668; the tree records no parent, so the report does not link its launch to the sample's process tree)
  command line: "C:\Windows\SysWOW64\detectuuidgen.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\detectuuidgen.exe  (PID 432, child of 668)
        command line: "C:\Windows\SysWOW64\detectuuidgen.exe"
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of UnmapMainImage
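Reconstructing the two injection chains from the report's own data, as an added example that is not code from the sandbox report: the image paths, the WriteProcessMemory rows and the memory-dump file names are transcribed from the report; the heuristic (a parent writing into a child that runs the same image, where the child then shows a region at the EXE image base that the parent never had, or a mapping dump) is my own and is meant to be pointed at other reports with the same layout.

```python
"""Flag parent -> same-image-child write chains from Triage-style report data."""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\67d99da01575a87849ecd4bfa4c80ba0610ca0a7c88ceb907a701a309fd6fc04.exe"
DROPPED = r"C:\Windows\SysWOW64\detectuuidgen.exe"
IMAGE = {1404: SAMPLE, 2028: SAMPLE, 668: DROPPED, 432: DROPPED}

# One (writer pid, target pid) pair per WriteProcessMemory IoC in the report.
WRITES = [(1404, 2028)] * 4 + [(668, 432)] * 4

# Dump names exactly as listed under Downloads.
DUMPS = [
    "memory/432-60-0x0000000000000000-mapping.dmp",
    "memory/432-62-0x0000000000400000-0x0000000000455000-memory.dmp",
    "memory/432-64-0x0000000000400000-0x0000000000455000-memory.dmp",
    "memory/1404-54-0x0000000000220000-0x0000000000232000-memory.dmp",
    "memory/1404-56-0x0000000000220000-0x0000000000232000-memory.dmp",
    "memory/1404-57-0x0000000000400000-0x0000000000415000-memory.dmp",
    "memory/2028-55-0x0000000000000000-mapping.dmp",
    "memory/2028-58-0x0000000000400000-0x0000000000455000-memory.dmp",
    "memory/2028-59-0x0000000075881000-0x0000000075883000-memory.dmp",
    "memory/2028-61-0x0000000000400000-0x0000000000415000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+))?-(?P<kind>memory|mapping)\.dmp"
)

IMAGE_BASE = 0x400000  # default load address of a non-relocated 32-bit EXE


def parse_dumps(names):
    """pid -> list of (seq, start, end, kind); 'mapping' dumps carry no end address."""
    per_pid = defaultdict(list)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m is None:
            raise ValueError(f"unrecognised dump name: {name}")
        end = int(m["end"], 16) if m["end"] else None
        per_pid[int(m["pid"])].append((int(m["seq"]), int(m["start"], 16), end, m["kind"]))
    return per_pid


def image_regions(per_pid, pid, base=IMAGE_BASE):
    """Distinct sizes of dumped regions that start at the image base, smallest first."""
    return sorted({end - start for _, start, end, kind in per_pid.get(pid, [])
                   if kind == "memory" and start == base})


def find_self_injection(writes, image, dump_names):
    """Return one record per (parent, child) write pair that looks like self-injection."""
    per_pid = parse_dumps(dump_names)
    hits = []
    for (parent, child), n in sorted(Counter(writes).items()):
        if image.get(parent) != image.get(child):
            continue  # writes into a different image are a separate pattern
        parent_regions = image_regions(per_pid, parent)
        child_regions = image_regions(per_pid, child)
        new_regions = [s for s in child_regions if s not in parent_regions]
        has_mapping = any(kind == "mapping" for *_, kind in per_pid.get(child, []))
        if new_regions or has_mapping:
            hits.append({
                "parent": parent, "child": child, "image": image[child], "writes": n,
                "parent_regions": parent_regions, "child_new_regions": new_regions,
                "child_mapping_dump": has_mapping,
            })
    return hits


if __name__ == "__main__":
    for h in find_self_injection(WRITES, IMAGE, DUMPS):
        exe = h["image"].rsplit("\\", 1)[-1]
        print(f"{h['parent']} -> {h['child']} ({exe}): {h['writes']} writes; "
              f"child gained image-base regions {[hex(s) for s in h['child_new_regions']]}, "
              f"parent had {[hex(s) for s in h['parent_regions']]}")
```

On this report it yields two hits: 1404 -> 2028, where the parent's own image-base region is 0x15000 (84KB) and the child gains a 0x55000 (340KB) one, and 668 -> 432, where the child shows the same 0x55000 region and the parent has no dump at all. The same-image check is deliberate: a write into a differently named child (classic remote injection into a system binary) is a different finding and should be reported separately rather than folded in here.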
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps)

  memory/432-60-0x0000000000000000-mapping.dmp
  memory/432-62-0x0000000000400000-0x0000000000455000-memory.dmp    340KB
  memory/432-64-0x0000000000400000-0x0000000000455000-memory.dmp    340KB
  memory/1404-54-0x0000000000220000-0x0000000000232000-memory.dmp   72KB
  memory/1404-56-0x0000000000220000-0x0000000000232000-memory.dmp   72KB
  memory/1404-57-0x0000000000400000-0x0000000000415000-memory.dmp   84KB
  memory/2028-55-0x0000000000000000-mapping.dmp
  memory/2028-58-0x0000000000400000-0x0000000000455000-memory.dmp   340KB
  memory/2028-59-0x0000000075881000-0x0000000075883000-memory.dmp   8KB
  memory/2028-61-0x0000000000400000-0x0000000000415000-memory.dmp   84KB

Dump names follow memory/<pid>-<sequence>-<start>-<end>-memory.dmp, with the sequence number ordering the dumps in time; mapping.dmp entries carry no address range. The 0x400000-0x455000 (340KB) regions in PIDs 2028 and 432 are the child processes' image-base regions after the parent's writes, and differ from the 0x400000-0x415000 (84KB) image of the original PID 1404; they are the dumps to take for static analysis of the injected code.