Analysis
- max time kernel: 160s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 18:20

Static task: static1
Behavioral task: behavioral1
- Sample: 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
- Resource: win7-20221111-en

General
- Target: 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
- Size: 330KB
- MD5: f9a727fbbc6daa67c7588a1b0e324f24
- SHA1: 1a11e9bfda0b8a800ee802d65dd14706eaa2a3d3
- SHA256: 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c
- SHA512: fa8b820d6c264a5720a3297af8366801af35e5863ba4e9c1ada5a6e8ba78ac71cb366c0147119e1ed2302abb4b5e89a7918f16466f5174211643b05ae7e1960d
- SSDEEP: 3072:xd40HStXd+Yy7XCQW4rKMXxgT1uyIdxOnvluXMp3cKAArDZz4N9GhbkUNEkol:xd2dhAKCxgA3o9ucpxyN90vEf
Malware Config
Signatures
-
Drops file in System32 directory (4 IoCs)
Processes: enrolldaf.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | enrolldaf.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | enrolldaf.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | enrolldaf.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | enrolldaf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (3 IoCs)
Processes: enrolldaf.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | enrolldaf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | enrolldaf.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | enrolldaf.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe, 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe, enrolldaf.exe, enrolldaf.exe
pid | process
1868 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
1868 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
1668 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
1668 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
4028 | enrolldaf.exe
4028 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
4292 | enrolldaf.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
pid | process
1668 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe, enrolldaf.exe
description | pid | process | target process
PID 1868 wrote to memory of 1668 | 1868 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 1868 wrote to memory of 1668 | 1868 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 1868 wrote to memory of 1668 | 1868 | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe | 767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe
PID 4028 wrote to memory of 4292 | 4028 | enrolldaf.exe | enrolldaf.exe
PID 4028 wrote to memory of 4292 | 4028 | enrolldaf.exe | enrolldaf.exe
PID 4028 wrote to memory of 4292 | 4028 | enrolldaf.exe | enrolldaf.exe
Processes (process tree; depth 1 entries are top-level, depth 2 entries are their children)
- C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\767dfe11d3ea44701e77cc64b527ecb3a2452de27c707c3101b4d4cda1e98f4c.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\enrolldaf.exe (depth 1)
  command line: "C:\Windows\SysWOW64\enrolldaf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\enrolldaf.exe (depth 2)
    command line: "C:\Windows\SysWOW64\enrolldaf.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1668-133-0x0000000000000000-mapping.dmp
- memory/1668-136-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
- memory/1668-137-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
- memory/1668-141-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/1868-132-0x00000000005F0000-0x0000000000602000-memory.dmp (Filesize: 72KB)
- memory/1868-135-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/1868-134-0x00000000005F0000-0x0000000000602000-memory.dmp (Filesize: 72KB)
- memory/4028-139-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
- memory/4292-138-0x0000000000000000-mapping.dmp
- memory/4292-140-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
- memory/4292-142-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)