Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 18:08
Static task: static1
Behavioral task: behavioral1
Sample: 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
Resource: win7-20220812-en
General
Target: 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
Size: 150KB
MD5: 49d1ea956c9865f9356e14c145ef652e
SHA1: c046935baf11e19bebecc5cf3998ef3d60f52067
SHA256: 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1
SHA512: 18743a61bf325df3ca45416a70e8a4e6fda751de92e2cb65550223e77be0bcbc24e6cf92ac3d1b61025e7c69b4825fb2f57abd5aadbe232fb5bc272dbfde9bd0
SSDEEP: 3072:Bx9PrNoQSsdBb74jipqV7SDRRb79X1yGZYDpZ:BXpoHMnAVuDRRbx0GiZ
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
Processes: netservratings.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | netservratings.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | netservratings.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | netservratings.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | netservratings.exe
Note: these four paths are the INetCache, INetCookies and History folders of the system profile (config\systemprofile, seen through the 32-bit SysWOW64 view). Together with the HKEY_USERS\.DEFAULT cache entries below they are consistent with a 32-bit process running under the LocalSystem account initialising WinINet's cache containers, not with a payload being written to System32. No dropped executable is recorded in this signature.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: the second sentence is the sandbox's generic description of this TTP. Nothing else in this report (no mass file writes, no encryption, no ransom note) corroborates ransomware; treat drive enumeration on its own as a weak indicator.
-
Modifies data under HKEY_USERS 3 IoCs
Processes: netservratings.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in the report) | netservratings.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | netservratings.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | netservratings.exe
Note: "Cookie:" and "Visited:" are WinINet's standard CachePrefix values for the Cookies and History containers, and HKEY_USERS\.DEFAULT is the hive used by the LocalSystem account. These writes show that netservratings.exe used WinINet while running as SYSTEM; they are not persistence or configuration changes by themselves.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: netservratings.exe
pid | process
2984 | netservratings.exe (12 identical entries)
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
pid | process
2172 | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe, netservratings.exe
description | pid | process | target process
PID 2372 wrote to memory of 2172 | 2372 | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
PID 2372 wrote to memory of 2172 | 2372 | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
PID 2372 wrote to memory of 2172 | 2372 | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe | 1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe
PID 4084 wrote to memory of 2984 | 4084 | netservratings.exe | netservratings.exe
PID 4084 wrote to memory of 2984 | 4084 | netservratings.exe | netservratings.exe
PID 4084 wrote to memory of 2984 | 4084 | netservratings.exe | netservratings.exe
In both cases the writer and the target are the same image: each binary starts a second copy of itself and writes into that child. Compare with the per-process memory regions in the Downloads list, where the child holds a larger region at the image base than its parent.
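The pattern above (a process spawning a second copy of its own image with a single short hex token as the only argument, then writing into that child's memory) is worth turning into a detection that runs over process-creation and memory-write telemetry. The following is an added example, not part of the sandbox report or its tooling. The event records are constructed from this report's process tree and WriteProcessMemory IoCs; the parent pid 4084 for 2984 is inferred from the write events rather than stated by the report, and the explorer.exe/notepad.exe pair is a made-up negative case.

```python
import re

# Constructed from the report's process tree and WriteProcessMemory IoCs.
# Field names loosely follow Sysmon (Image, ParentProcessId); "args" holds the
# command-line arguments after the image path.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe")
DROPPED = r"C:\Windows\SysWOW64\netservratings.exe"

PROCESS_CREATE = [
    {"pid": 2372, "ppid": None, "image": SAMPLE,  "args": []},
    {"pid": 2172, "ppid": 2372, "image": SAMPLE,  "args": ["--d256853c"]},
    {"pid": 4084, "ppid": None, "image": DROPPED, "args": []},            # parent inferred
    {"pid": 2984, "ppid": 4084, "image": DROPPED, "args": ["--b4c799b5"]},
    {"pid": 1000, "ppid": None, "image": r"C:\Windows\explorer.exe", "args": []},  # constructed
    {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\notepad.exe", "args": []},   # constructed
]

# (source pid, target pid) for each recorded memory write; the report lists
# three writes per pair. The explorer->notepad write is a constructed benign one.
MEMORY_WRITES = [(2372, 2172)] * 3 + [(4084, 2984)] * 3 + [(1000, 1001)]

# A single "--" followed by eight lowercase hex digits, as seen on both children.
HEX_TOKEN = re.compile(r"^--[0-9a-f]{8}$")


def find_self_injection(creates, writes):
    """Return sorted (writer pid, target pid, argument) triples where the writer
    is the direct parent of the target, both run the same image, the target's
    only argument is a short hex token, and at least one memory write from the
    writer into the target was recorded."""
    by_pid = {e["pid"]: e for e in creates}
    hits = {}
    for src_pid, dst_pid in writes:
        src, dst = by_pid.get(src_pid), by_pid.get(dst_pid)
        if src is None or dst is None or dst["ppid"] != src_pid:
            continue                                   # not a parent->child write
        if dst["image"].lower() != src["image"].lower():
            continue                                   # different binary, out of scope
        if len(dst["args"]) != 1 or not HEX_TOKEN.match(dst["args"][0]):
            continue                                   # child started with other arguments
        hits[(src_pid, dst_pid)] = dst["args"][0]      # repeated writes collapse to one hit
    return sorted((s, d, a) for (s, d), a in hits.items())


if __name__ == "__main__":
    for writer, target, arg in find_self_injection(PROCESS_CREATE, MEMORY_WRITES):
        print(f"pid {writer} spawned a copy of itself as pid {target} with {arg} and wrote into it")
```

The three conditions are deliberately combined: same-image parent-to-child writes alone also occur in legitimate software (browsers, updaters), and a hex-token argument alone is meaningless. Run on real telemetry the image comparison should also tolerate the 8.3 and WOW64-redirected forms of the same path.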
Processes
C:\Users\Admin\AppData\Local\Temp\1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe  "C:\Users\Admin\AppData\Local\Temp\1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe"  (depth 1)
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1c329a3284737d400b6d2ae5f926ba51640cf8c60e5ca888d8352ada5d77aad1.exe  --d256853c  (depth 2)
    - Suspicious behavior: RenamesItself
C:\Windows\SysWOW64\netservratings.exe  "C:\Windows\SysWOW64\netservratings.exe"  (depth 1)
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\netservratings.exe  --b4c799b5  (depth 2)
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Both trees follow the same pattern: the first instance launches a second copy of itself with a single hex token as argument and writes into that child. The instance in the user's Temp directory renames itself; the copy under SysWOW64 is the one that shows the cache and registry activity. The report does not record how netservratings.exe was started (it appears with no parent) or which process placed it in SysWOW64.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file | size
memory/2172-133-0x0000000000000000-mapping.dmp | -
memory/2172-136-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB
memory/2172-137-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB
memory/2172-139-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
memory/2372-132-0x00000000005C0000-0x00000000005D0000-memory.dmp | 64KB
memory/2372-135-0x0000000000400000-0x0000000000414000-memory.dmp | 80KB
memory/2372-134-0x00000000005C0000-0x00000000005D0000-memory.dmp | 64KB
memory/2984-138-0x0000000000000000-mapping.dmp | -
memory/2984-140-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB
memory/2984-141-0x0000000000400000-0x0000000000427000-memory.dmp | 156KB
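The dump names carry the one piece of evidence that links the WriteProcessMemory IoCs to what was written: the parent (2372) only ever has 0x14000 bytes (80KB) at the image base 0x400000, while the child it wrote into (2172) has 0x27000 bytes (156KB) there, and the same 156KB region appears in 2984. A larger image at the same base in the written-to process than in its writer is what a replaced (hollowed) image looks like. The script below is an added example, not part of the report or the sandbox; it parses the file names listed above (the naming convention `memory/<pid>-<seq>-<start>-<end>-memory.dmp` and `memory/<pid>-<seq>-<start>-mapping.dmp` is assumed from the list, and pid 4084 simply has no dumps) and computes that size difference per writer/target pair.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Downloads list (constructed list; the
# files themselves are not read). Naming convention assumed from these names:
#   memory/<pid>-<seq>-<start>-<end>-memory.dmp   a dumped region
#   memory/<pid>-<seq>-<start>-mapping.dmp        a mapping record, no region
DUMPS = [
    "memory/2172-133-0x0000000000000000-mapping.dmp",
    "memory/2172-136-0x0000000000400000-0x0000000000427000-memory.dmp",
    "memory/2172-137-0x0000000000400000-0x0000000000427000-memory.dmp",
    "memory/2172-139-0x0000000000400000-0x0000000000414000-memory.dmp",
    "memory/2372-132-0x00000000005C0000-0x00000000005D0000-memory.dmp",
    "memory/2372-135-0x0000000000400000-0x0000000000414000-memory.dmp",
    "memory/2372-134-0x00000000005C0000-0x00000000005D0000-memory.dmp",
    "memory/2984-138-0x0000000000000000-mapping.dmp",
    "memory/2984-140-0x0000000000400000-0x0000000000427000-memory.dmp",
    "memory/2984-141-0x0000000000400000-0x0000000000427000-memory.dmp",
]

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-"
    r"(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$")


def parse_dumps(names):
    """Group dumped regions by pid as (seq, start, end) tuples. Mapping records
    carry no region and are skipped; a name outside the convention is an error
    rather than silently ignored."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_NAME.match(name)
        if m is None:
            raise ValueError(f"unexpected dump name: {name}")
        if m.group("end") is None:
            continue
        regions[int(m.group("pid"))].append(
            (int(m.group("seq")), int(m.group("start"), 16), int(m.group("end"), 16)))
    return dict(regions)


def largest_at(regions, pid, base):
    """Size in bytes of the largest dumped region that starts at `base` for pid
    (0 when the pid has no dump at that base)."""
    sizes = [end - start for _, start, end in regions.get(pid, []) if start == base]
    return max(sizes, default=0)


def image_base_growth(regions, writer, target, base=0x400000):
    """Bytes by which the image-base region of the written-to process exceeds
    that of the process that wrote to it. Positive means the target holds a
    larger image at the base than its writer, consistent with the writer having
    replaced the child's image; zero or negative is unremarkable."""
    return largest_at(regions, target, base) - largest_at(regions, writer, base)


if __name__ == "__main__":
    regions = parse_dumps(DUMPS)
    for writer, target in ((2372, 2172), (4084, 2984)):
        growth = image_base_growth(regions, writer, target)
        print(f"{writer} -> {target}: image-base region grew by {growth:#x} bytes ({growth // 1024}KB)")
```

The size difference is a pointer, not proof: confirm by opening the 156KB dumps of 2172 and 2984 and checking that their PE headers and section layout differ from the 80KB image the parent runs, and hash the dumped image so the unpacked payload can be tracked separately from the 150KB file on disk.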