Analysis
max time kernel: 138s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 19:21
Static task: static1
Behavioral task: behavioral1
Sample: 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
Resource: win7-20220901-en
General
Target: 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
Size: 122KB
MD5: 699e79f6240a9edb393841bbff83e939
SHA1: 2a0f31420c92fd5b603db742a332d9b916e74d45
SHA256: 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28
SHA512: 67b66843d3006e46e9a90a84b89cdd6ca17944136b4b9881c504ff79c523e73cc7dfa43268e75bb34637aaafc56a4a24366a6a1054617b4a172a0cdf53ee0b1b
SSDEEP: 3072:Xpe0SFTgkJNr/LJHD06mYG46MA5df+BC3K5eqyI:X80igkJJ/V06mR4P0K7yI
Malware Config
Signatures
-
Drops file in System32 directory (4 IoCs)
Processes: sortingportal.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | sortingportal.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | sortingportal.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | sortingportal.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | sortingportal.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (3 IoCs)
Processes: sortingportal.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | sortingportal.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | sortingportal.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | sortingportal.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: sortingportal.exe
pid | process
4824 | sortingportal.exe (reported 8 times)
Suspicious behavior: RenamesItself (1 IoC)
Processes: 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
pid | process
1180 | 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe, sortingportal.exe
description | pid | process | target process
PID 4740 wrote to memory of 1180 (reported 3 times) | 4740 | 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe | 01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
PID 5024 wrote to memory of 4824 (reported 3 times) | 5024 | sortingportal.exe | sortingportal.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe (child)
      Command line: ...01613e4009813b9c524e3a1c4b14ba35a5e1b382d0de721d0c627d9a20c4af28.exe --6c43f3cd
      - Suspicious behavior: RenamesItself
1. C:\Windows\SysWOW64\sortingportal.exe
   Command line: "C:\Windows\SysWOW64\sortingportal.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\sortingportal.exe (child)
      Command line: C:\Windows\SysWOW64\sortingportal.exe --63fca926
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1180-132-0x0000000000000000-mapping.dmp
memory/1180-135-0x0000000000780000-0x0000000000791000-memory.dmp (Filesize: 68KB)
memory/1180-136-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/1180-138-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/1180-141-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
memory/4740-133-0x00000000006D0000-0x00000000006E1000-memory.dmp (Filesize: 68KB)
memory/4740-134-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/4740-137-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/4824-139-0x0000000000000000-mapping.dmp
memory/4824-142-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/4824-143-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
memory/5024-140-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)