Analysis
- max time kernel: 152s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 19:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
- Resource: win7-20221111-en
General
- Target: 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
- Size: 134KB
- MD5: ac4988df4640960f91201063930b8e9a
- SHA1: f9b037e8744390170cb0aba551890662711af928
- SHA256: 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57
- SHA512: f43e2a33418a74a6668aecf6020aaaa9eed7cea470fc6ad872faad489b323cf4d037f7b7d20d0590a0ec5a8f7af2e870fe459ccb5b332f70fa33a33590c438fe
- SSDEEP: 3072:pAAxt4uylSM0zijiK6Y4wQ1oP3i9AFPdXdZ47AhmXYb0g:9v4uylSkjiKV4w9P3i9A3Xj/hl
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | cbssource.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | cbssource.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | cbssource.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | cbssource.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | cbssource.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | cbssource.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | cbssource.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  3480 | cbssource.exe
  3480 | cbssource.exe
  3480 | cbssource.exe
  3480 | cbssource.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
  pid | process
  1532 | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 2292 wrote to memory of 1532 | 2292 | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
  PID 2292 wrote to memory of 1532 | 2292 | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
  PID 2292 wrote to memory of 1532 | 2292 | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe | 55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe
  PID 3436 wrote to memory of 3480 | 3436 | cbssource.exe | cbssource.exe
  PID 3436 wrote to memory of 3480 | 3436 | cbssource.exe | cbssource.exe
  PID 3436 wrote to memory of 3480 | 3436 | cbssource.exe | cbssource.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\55073efe1efc561f5355ef68cbe011074ab198c5e4e52fb30e48ac62f64b1a57.exe (depth 2)
    Command line: --a90dac0d
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\cbssource.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\cbssource.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cbssource.exe (depth 2)
    Command line: --57b38865
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1532-134-0x0000000000000000-mapping.dmp
- memory/1532-136-0x00000000004A0000-0x00000000004BB000-memory.dmp (filesize 108KB)
- memory/1532-137-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)
- memory/1532-138-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)
- memory/1532-141-0x0000000000400000-0x000000000041D000-memory.dmp (filesize 116KB)
- memory/2292-132-0x00000000005D0000-0x00000000005EB000-memory.dmp (filesize 108KB)
- memory/2292-133-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)
- memory/2292-135-0x0000000000400000-0x000000000041D000-memory.dmp (filesize 116KB)
- memory/3436-139-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)
- memory/3480-140-0x0000000000000000-mapping.dmp
- memory/3480-142-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)
- memory/3480-143-0x0000000000400000-0x0000000000424000-memory.dmp (filesize 144KB)