1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f

Analysis

max time kernel
231s
max time network
253s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
Size

2.3MB
MD5

33e673305b1cf431aa86e6ce16040b32
SHA1

e95a85b0e5ba57791ca241ff89a20d4b3db8178c
SHA256

1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f
SHA512

0a4f8f30fc1689171ec8414d9a46e879a7c1cf84c7b5861ed254e19a2b5ddae233e61d956a096860a44ab5f25a53a1d8e2e1224ab5f9f9ef73e2ebdd32f49d24
SSDEEP

24576:7IHrb0Ru5af+udNS2INEQo+GK6kOklVBdzsmOgEH7lnbeTJ6eiJVFAJ2yvmkoJVy:82z+Z6+IkvhOJBdbc2yvASnGCCyvASN

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3276	taskkill.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k44888685"	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
Token: SeDebugPrivilege	4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3276	4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe	80
PID 4192 wrote to memory of 3276	4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe	80
PID 4192 wrote to memory of 3276	4192	1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe	80

C:\Users\Admin\AppData\Local\Temp\1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe
"C:\Users\Admin\AppData\Local\Temp\1f3f5f430dee53fa9d0d511f98d4dc683f79e66363027bf66335150e9284da9f.exe"
1⤵
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /DNF.exe.manifest
  2⤵
  - Kills process with taskkill
  PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3276-132-0x0000000000000000-mapping.dmp

Download