Analysis
- max time kernel: 206s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 18:53

Static task: static1
Behavioral task: behavioral1
Sample: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
Resource: win7-20220901-en
General
- Target: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
- Size: 108KB
- MD5: 98daa70ab692915a467779877727cf39
- SHA1: dafb5dfb3eac517c342958404f99852e670b0fca
- SHA256: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f
- SHA512: 4bdc419df084ffa1366c05a14610f5ca210c0d42feb0e8318012bb263cf23202c10075258e8217ff3da1452942016651d2ca0df6d7e53df7d25fa78d13bd9e9b
- SSDEEP: 3072:W4x9Pri16G04TQhl7Z2382rlkTUbzsasOk8ljrxeFFEK4:W4XO1F01hlA8YlJAa5k8ljtL
Malware Config
Signatures
-
Drops file in System32 directory (4 IoCs)
Process: drawcntl.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (drawcntl.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (drawcntl.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (drawcntl.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (drawcntl.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Process: drawcntl.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (drawcntl.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (drawcntl.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (drawcntl.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: drawcntl.exe
- PID 4964 drawcntl.exe
- PID 4964 drawcntl.exe

Suspicious behavior: RenamesItself (1 IoC)
Process: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
- PID 4264 e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe, drawcntl.exe
- PID 4848 wrote to memory of 4264: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe -> e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
- PID 4848 wrote to memory of 4264: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe -> e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
- PID 4848 wrote to memory of 4264: e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe -> e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
- PID 3088 wrote to memory of 4964: drawcntl.exe -> drawcntl.exe
- PID 3088 wrote to memory of 4964: drawcntl.exe -> drawcntl.exe
- PID 3088 wrote to memory of 4964: drawcntl.exe -> drawcntl.exe
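The signature tables above arrive as one run-on line per signature, which is awkward to pivot on. The script below is an added example, not part of the sandbox report: it takes the report's own IoC text (copied verbatim as constructed input) and parses it into records, then derives the indicators an analyst would actually hunt with: the unique file paths touched under SysWOW64, the registry keys written, and the parent/child WriteProcessMemory edges, flagging the ones where the writer and the target share an image name (the self-injection pattern visible in both process chains). The regular expressions are an assumption about how this sandbox flattens its tables and are written for this display format only.

```python
"""Parse flattened sandbox IoC text into records and derive hunting indicators.

Added example (not the sandbox's code). Input strings are the report's own
Signatures text, embedded here as constructed input; the regexes assume the
"<description> <ioc> <process>" display format seen on the page.
"""
import re
from collections import Counter

SAMPLE = "e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe"

# Constructed input: "Drops file in System32 directory" IoCs, verbatim from the report.
FILE_IOCS = (
    "File opened for modification C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE drawcntl.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCookies drawcntl.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5 drawcntl.exe "
    "File opened for modification C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.IE5 drawcntl.exe"
)

# Constructed input: "Modifies data under HKEY_USERS" IoCs, verbatim from the report.
# The first entry carries no value in the report, so it is parsed as None.
REGISTRY_IOCS = (
    "Set value (str) \\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix drawcntl.exe "
    "Set value (str) \\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix = \"Cookie:\" drawcntl.exe "
    "Set value (str) \\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix = \"Visited:\" drawcntl.exe"
)

# Constructed input: "Suspicious use of WriteProcessMemory" IoCs, verbatim from the report.
WPM_IOCS = (
    f"PID 4848 wrote to memory of 4264 4848 {SAMPLE} {SAMPLE} "
    f"PID 4848 wrote to memory of 4264 4848 {SAMPLE} {SAMPLE} "
    f"PID 4848 wrote to memory of 4264 4848 {SAMPLE} {SAMPLE} "
    "PID 3088 wrote to memory of 4964 3088 drawcntl.exe drawcntl.exe "
    "PID 3088 wrote to memory of 4964 3088 drawcntl.exe drawcntl.exe "
    "PID 3088 wrote to memory of 4964 3088 drawcntl.exe drawcntl.exe"
)

# Paths in this report contain no spaces, so \S+ is enough for the file IoCs.
FILE_RE = re.compile(r"File opened for modification (\S+) (\S+\.exe)")
# Registry keys do contain spaces ("Internet Settings"), so the key is matched
# lazily up to an optional ' = "value"' and the trailing process image.
REG_RE = re.compile(r'Set value \(str\) (.+?)(?: = "([^"]*)")? (\S+\.exe)(?= Set value|$)')
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_file_iocs(text):
    """Return [{'path', 'process'}] for each 'File opened for modification' entry."""
    return [{"path": m.group(1), "process": m.group(2)} for m in FILE_RE.finditer(text)]


def parse_registry_iocs(text):
    """Return [{'key', 'value', 'process'}]; value is None when the report shows none."""
    return [{"key": m.group(1), "value": m.group(2), "process": m.group(3)}
            for m in REG_RE.finditer(text)]


def parse_wpm_iocs(text):
    """Return one record per WriteProcessMemory call: writer PID/image, target PID/image."""
    records = []
    for m in WPM_RE.finditer(text):
        src, dst, src_again, src_image, dst_image = m.groups()
        if src != src_again:  # the display repeats the writer PID; treat a mismatch as a parse error
            raise ValueError(f"inconsistent writer PID in record: {m.group(0)!r}")
        records.append({"src_pid": int(src), "dst_pid": int(dst),
                        "src_image": src_image, "dst_image": dst_image})
    return records


def hunt_summary(file_text=FILE_IOCS, reg_text=REGISTRY_IOCS, wpm_text=WPM_IOCS):
    """Collapse raw IoC records into de-duplicated indicators for hunting."""
    files = parse_file_iocs(file_text)
    regs = parse_registry_iocs(reg_text)
    wpm = parse_wpm_iocs(wpm_text)
    # Count how many write calls each (writer -> target) edge accounts for.
    edges = Counter((r["src_pid"], r["dst_pid"], r["src_image"], r["dst_image"]) for r in wpm)
    return {
        "file_paths": sorted({r["path"] for r in files}),
        "registry_keys": sorted({r["key"] for r in regs}),
        "wpm_edges": dict(edges),
        # Writer and target share an image name: the process injected into a copy of itself.
        "self_injection_pairs": sorted({(e[0], e[1]) for e in edges if e[2] == e[3]}),
        # Images that wrote files under the 32-bit system directory.
        "syswow64_writers": sorted({r["process"] for r in files
                                    if r["path"].lower().startswith("c:\\windows\\syswow64\\")}),
    }


if __name__ == "__main__":
    for key, value in hunt_summary().items():
        print(f"{key}:")
        print(f"  {value}")
```

Run stand-alone it prints the summary; the useful output for hunting is `self_injection_pairs` (4848 -> 4264 for the dropped sample, 3088 -> 4964 for drawcntl.exe) and the fact that each edge is backed by three separate write calls, which is the shape to look for in EDR process-access telemetry rather than the sandbox's literal PIDs.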
Processes
- C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe (depth 2)
    Arguments: --a9ad73a8
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\drawcntl.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\drawcntl.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\drawcntl.exe (depth 2)
    Arguments: --51b8f1b9
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/3088-138-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/4264-133-0x0000000000000000-mapping.dmp
- memory/4264-136-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/4264-137-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/4264-142-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/4848-132-0x0000000000530000-0x0000000000540000-memory.dmp (64KB)
- memory/4848-134-0x0000000000530000-0x0000000000540000-memory.dmp (64KB)
- memory/4848-135-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/4964-139-0x0000000000000000-mapping.dmp
- memory/4964-140-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)
- memory/4964-141-0x0000000000400000-0x000000000041C000-memory.dmp (112KB)