Analysis
max time kernel: 185s
max time network: 121s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 06:38

Static task: static1
Behavioral task: behavioral1
  Sample: c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe
  Resource: win10v2004-20220812-en

The platform and resource fields above identify the results on this page as the behavioral1 run (Windows 7 x64, win7-20220812-en); the behavioral2 (Windows 10) results are not shown here.
General
Target: c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe
Size: 844KB
MD5: c06ec00914836f74acb11a22b5ebe82c
SHA1: a941b3241d79245b35a092059a398cac11f5aa5f
SHA256: c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74
SHA512: e4f6c1c4f36439058f7e86c262b2c383cffda0a2443f5c9cb7a23232b790cf30b508a22337bb1215f279aac3eaf383a44605b46048f004b7978e5a4d7219c003
SSDEEP: 12288:sqejXb3FnOyyoeNJ2S98aR+G0TqEdaNahcbbfcRrRtzPyY7Eu+uEsQs8aXe6fWM:sqejooeHgTqEINwCXY7Eu+bsQs84eY
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes (pid / process):
  1568  isecurity.exe

Loads dropped DLL (3 IoCs)
Processes (pid / process):
  1108  c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe (3 events)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run    isecurity.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\isecurity.exe"    isecurity.exe
The dropped copy registers itself: the process writing the value and the path it points at are the same binary. The host persistence IoC is therefore the per-user Run value named "Internet Security" resolving to C:\ProgramData\isecurity.exe.
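Detection logic for this persistence pattern, as an added example that is not part of the sandbox report: it runs over constructed Sysmon Event ID 13 (registry value set) records, flags Run/RunOnce values whose target lives in a user-writable directory such as C:\ProgramData, and separately flags a process that registers its own image, which is what isecurity.exe did in this run. The pipe-separated record format, the four sample records and the directory list are assumptions made for the example; only the first record mirrors the value observed above.

```python
"""Flag Run-key persistence that points into user-writable directories.

Added example, not from the sandbox report. Records are constructed Sysmon
Event ID 13 (RegistryEvent, SetValue) events flattened to one
'Field=value|Field=value' line each; field names follow the Sysmon schema
(Image, TargetObject, Details). Sysmon renders HKCU keys as HKU\\<SID>\\...
while the sandbox shows the native \\REGISTRY\\USER\\<SID> form; the regex
matches only the key tail, so both spellings are caught.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$",
    re.IGNORECASE,
)

# Locations a legitimate installer rarely uses for an autostart binary
# (assumed list for the example; extend to taste).
SUSPICIOUS_DIRS = (
    "c:\\programdata\\",
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
)

# Constructed records, not real logs. The first mirrors this sample's observed
# Run value; the others are a benign installer, a non-Run key and a second hit.
SAMPLE_RECORDS = [
    r"EventID=13|ProcessId=1568|Image=C:\ProgramData\isecurity.exe|EventType=SetValue"
    r"|TargetObject=HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security"
    r"|Details=C:\ProgramData\isecurity.exe",
    r"EventID=13|ProcessId=4012|Image=C:\Program Files\Vendor\setup.exe|EventType=SetValue"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"
    r'|Details="C:\Program Files\Vendor\updater.exe" /background',
    r"EventID=13|ProcessId=700|Image=C:\Windows\explorer.exe|EventType=SetValue"
    r"|TargetObject=HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
    r"|Details=DWORD (0x00000001)",
    r"EventID=13|ProcessId=2200|Image=C:\Users\Admin\AppData\Local\Temp\dropper.exe|EventType=SetValue"
    r"|TargetObject=HKU\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"
    r'|Details="C:\Users\Admin\AppData\Roaming\svc.exe" -k',
]


@dataclass
class Finding:
    pid: int
    image: str
    value_name: str
    target: str
    reasons: tuple


def parse_record(line: str) -> dict:
    """Split 'A=1|B=2' into a dict; values may themselves contain '='."""
    rec = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def extract_target(details: str) -> str:
    """Executable path from a Run value: strip surrounding quotes and trailing
    arguments. An unquoted path containing spaces is ambiguous (Windows has the
    same problem), so the first token is taken in that case."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def check_record(rec: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious Run/RunOnce write, else None."""
    if rec.get("EventID") != "13" or rec.get("EventType") != "SetValue":
        return None
    match = RUN_KEY_RE.search(rec.get("TargetObject", ""))
    if not match:
        return None
    target = extract_target(rec.get("Details", ""))
    low = target.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("autostart target in user-writable directory")
    if low == rec.get("Image", "").lower():
        reasons.append("process registered its own image for autostart")
    if not reasons:
        return None
    return Finding(int(rec["ProcessId"]), rec["Image"], match.group(1), target, tuple(reasons))


def detect(lines) -> List[Finding]:
    """Run check_record over every non-empty line and collect the hits."""
    hits = []
    for line in lines:
        if line.strip():
            finding = check_record(parse_record(line))
            if finding:
                hits.append(finding)
    return hits


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"pid {f.pid} {f.image}: Run\\{f.value_name} -> {f.target} [{'; '.join(f.reasons)}]")
```

Running the block reports two hits: the isecurity.exe record fires on both rules (ProgramData target and self-registration), the constructed RunOnce record fires only on the directory rule, and the vendor installer writing a Program Files path is left alone.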
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
  File opened (read-only)  \??\K: \??\O: \??\U: \??\X: \??\E: \??\H: \??\N: \??\S: \??\V: \??\F: \??\J: \??\L: \??\T: \??\Y: \??\Z: \??\I: \??\M: \??\P: \??\Q: \??\R: \??\W: \??\G:  isecurity.exe
  (every drive letter from E: to Z:, 22 in all; each opened once by isecurity.exe)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description / ioc / process):
  File opened for modification  \??\PhysicalDrive0  isecurity.exe
The recorded IoC is a handle to the raw physical disk opened with write access; the report does not show what was written to sector 0, so the overwrite itself has to be confirmed by pulling the MBR from the VM disk after the run.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a heuristic: enumerating every drive letter and then opening PhysicalDrive0 for modification also fits MBR-locking screen lockers and wipers, and no file-encryption signature fired in this run.
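Because the sandbox records only the raw-disk handle, the follow-up is to export sector 0 of the VM disk after the run and compare it with the pre-run sector. The following added example (not part of the sandbox report) parses a 512-byte MBR, validates the 0x55AA signature and partition table, and diffs the bootstrap code and table against a baseline. The baseline, "locker" and "wiped" sectors are constructed inside the code, not captured from this sample, and the bootstrap bytes are a stand-in rather than a real boot loader.

```python
"""Audit a 512-byte MBR for signs of an overwrite.

Added example, not from the sandbox report. Layout checked:
  0..445    bootstrap code
  446..509  four 16-byte partition entries
  510..511  boot signature 0x55 0xAA
The baseline / overwritten sectors below are constructed for the demo.
"""
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr: bytes) -> List[dict]:
    """Decode the four partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def audit_mbr(mbr: bytes, baseline: Optional[bytes] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = []
    if mbr[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0x00 and p["sectors"] == 0:
            findings.append(f"partition {i}: type 0x{p['type']:02x} with zero length")
    if baseline is not None:
        # Bootkits and lockers replace the bootstrap code; wipers usually take
        # the partition table with it. Report each region separately.
        if mbr[:BOOT_CODE_LEN] != baseline[:BOOT_CODE_LEN]:
            first = next(i for i in range(BOOT_CODE_LEN) if mbr[i] != baseline[i])
            findings.append(f"boot code differs from baseline (first change at offset {first})")
        if mbr[PART_TABLE_OFF:SIGNATURE_OFF] != baseline[PART_TABLE_OFF:SIGNATURE_OFF]:
            findings.append("partition table differs from baseline")
    return findings


def make_baseline_mbr() -> bytes:
    """Constructed clean sector: stand-in boot code, one active NTFS partition."""
    boot = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)   # cli; xor ax,ax; mov ss,ax; nops
    entry = struct.pack("<8BII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff, 2048, 41943040)
    table = entry + b"\x00" * 48                                       # three empty entries
    return boot + table + BOOT_SIGNATURE


def make_locker_mbr(baseline: bytes) -> bytes:
    """Constructed 'locker' overwrite: new boot code that hangs and carries a
    message, partition table and signature left intact so the disk still looks
    bootable to a naive check."""
    msg = b"\xeb\xfe" + b"YOUR DISK IS LOCKED"          # jmp $ followed by text
    boot = msg + b"\x00" * (BOOT_CODE_LEN - len(msg))
    return boot + baseline[PART_TABLE_OFF:]


def make_wiped_mbr() -> bytes:
    """Constructed wiper result: sector 0 zero-filled."""
    return b"\x00" * MBR_SIZE


if __name__ == "__main__":
    base = make_baseline_mbr()
    for name, sector in (("baseline", base),
                         ("locker", make_locker_mbr(base)),
                         ("wiped", make_wiped_mbr())):
        print(name, audit_mbr(sector, base) or ["clean"])
```

On a real case the two inputs come from the disk image rather than from the constructor functions, for example `dd if=disk-before.raw bs=512 count=1 of=mbr-before.bin` and the same for the post-run image; a locker that keeps the partition table intact is only caught by the baseline comparison, which is why the signature and table checks alone are not enough.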
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes (pid / process):
  1108  c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe (1 event)
  1568  isecurity.exe (22 events)

Suspicious behavior: RenamesItself (1 IoC)
Processes (pid / process):
  1108  c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe

Suspicious use of FindShellTrayWindow (11 IoCs)
Processes (pid / process):
  1568  isecurity.exe (11 events)

Suspicious use of SendNotifyMessage (11 IoCs)
Processes (pid / process):
  1568  isecurity.exe (11 events)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid / process):
  1568  isecurity.exe (2 events)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description / source pid / source process / target process):
  PID 1108 wrote to memory of 1568  1108  c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe  isecurity.exe (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe (PID 1108)
   command line: "C:\Users\Admin\AppData\Local\Temp\c3c4b87a6ffb4ca6be623f0c3c8af2b4f8779443e07f4d87a5d4431fdeea2f74.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\isecurity.exe (PID 1568, child of 1108)
      command line: C:\ProgramData\isecurity.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\isecurity.exe
  Filesize: 838KB
  MD5: d4ce7134dd124172149a8bbfc93786e8
  SHA1: 5e52177f5f7e71467bafad2b48aef2e57729f017
  SHA256: 4cb03bc097d55ec09fe97a287e03a8f0ba186a301e7875ff48f7a50dd46f4d36
  SHA512: 01b07c541ccc0ad16b32e6e09e17f20be2f8c24f1c5d4d9d7037cdbb5cc8dc123b53748a58fd2f10cd7dd4f0f3f13454edd12eca4ef5dee9ee67222433fab903
\ProgramData\isecurity.exe
  Listed three further times with the same size and hashes as the entry above.
The dropped binary (838KB, SHA256 4cb03bc0...) is not a byte-for-byte copy of the 844KB submitted sample (SHA256 c3c4b87a...), so both sets of hashes are needed as file IoCs.
Memory dumps (file / size):
  memory/1108-54-0x00000000758C1000-0x00000000758C3000-memory.dmp  8KB
  memory/1108-55-0x0000000000400000-0x0000000000504000-memory.dmp  1.0MB
  memory/1568-59-0x0000000000000000-mapping.dmp
  memory/1568-62-0x0000000000400000-0x0000000000A3B000-memory.dmp  6.2MB
  memory/1568-64-0x0000000000400000-0x0000000000A3B000-memory.dmp  6.2MB
  memory/1568-65-0x0000000000400000-0x0000000000A3B000-memory.dmp  6.2MB
The image region of isecurity.exe (0x400000 to 0xA3B000, 6.2MB in memory) is far larger than the 838KB file on disk, which suggests the binary unpacks or decompresses at run time; the later dumps of that range (62, 64, 65) are the ones to examine for unpacked code.