Analysis
- max time kernel: 188s
- max time network: 207s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 18:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  - Resource: win7-20221111-en
General
- Target: 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
- Size: 437KB
- MD5: de9cf724678389e4441be836c61847bc
- SHA1: 4359e2346a84476c563bd69ee471431f121e5b25
- SHA256: 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5
- SHA512: 13f6926fdaeb4d403d4189d6e92cdb2720f4bb2ab60681449c6d49557c3d288ae058571455611ca42fafd14bc2f7d7a07400b55f1e6a27bf6bcb42734590855b
- SSDEEP: 3072:Rpb5KYy7XCQW4rKMXxgT1urCd1o+RNLz1sqYaj8XJXJ92iCBWb:1FAKCxgAOXPRNLIaj8XMo
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: withouttuip.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | withouttuip.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | withouttuip.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | withouttuip.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | withouttuip.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: withouttuip.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | withouttuip.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | withouttuip.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | withouttuip.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe, 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe, withouttuip.exe, withouttuip.exe
  pid | process
  4376 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  4376 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  4372 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  4372 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  528 | withouttuip.exe
  528 | withouttuip.exe
  4644 | withouttuip.exe
  4644 | withouttuip.exe
  4644 | withouttuip.exe
  4644 | withouttuip.exe
  4644 | withouttuip.exe
  4644 | withouttuip.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  pid | process
  4372 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe, withouttuip.exe
  description | pid | process | target process
  PID 4376 wrote to memory of 4372 | 4376 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  PID 4376 wrote to memory of 4372 | 4376 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  PID 4376 wrote to memory of 4372 | 4376 | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe | 28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe
  PID 528 wrote to memory of 4644 | 528 | withouttuip.exe | withouttuip.exe
  PID 528 wrote to memory of 4644 | 528 | withouttuip.exe | withouttuip.exe
  PID 528 wrote to memory of 4644 | 528 | withouttuip.exe | withouttuip.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\28ab808ac948aa01d7b63cecaa3fc631905fbafa3aa1546cd1f4343f321df5c5.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\withouttuip.exe (depth 1)
  command line: "C:\Windows\SysWOW64\withouttuip.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\withouttuip.exe (depth 2)
    command line: "C:\Windows\SysWOW64\withouttuip.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/528-139-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/4372-133-0x0000000000000000-mapping.dmp
- memory/4372-136-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/4372-137-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/4372-140-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/4376-132-0x0000000000610000-0x0000000000622000-memory.dmp (Filesize: 72KB)
- memory/4376-134-0x0000000000610000-0x0000000000622000-memory.dmp (Filesize: 72KB)
- memory/4376-135-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/4644-138-0x0000000000000000-mapping.dmp
- memory/4644-141-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/4644-142-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)