959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe
Size

695KB
MD5

3e62838a510a91c9f34d0943dc40eecd
SHA1

a9661689901c92185b1783bd5b31cbbf627adc7f
SHA256

959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939
SHA512

7ab256b5a66c53700a3e576ec5b87f52ba96f94b7951c3d82e0e5226b854b3d1f85903c254b463d642a9044142c01a82fb5ae43a510aba2c17379423d38a38dd
SSDEEP

12288:mi+ETezCHQkZPhprhmH6ukWAljnQlnl2OdpbxZDmRmFaZ:miQsFhBhmAWAdnQxlfj6YaZ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.693.cc/"	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
684	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3048	4900	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe	81
PID 4900 wrote to memory of 3048	4900	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe	81
PID 4900 wrote to memory of 3048	4900	959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe	81
PID 3048 wrote to memory of 684	3048	cmd.exe	83
PID 3048 wrote to memory of 684	3048	cmd.exe	83
PID 3048 wrote to memory of 684	3048	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe
"C:\Users\Admin\AppData\Local\Temp\959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 3&del /q "C:\Users\Admin\AppData\Local\Temp\959dfe4f36c8d1f67be367835e2035160e20f967d0d1f8589016723a7be7d939.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/684-133-0x0000000000000000-mapping.dmp

Download
memory/3048-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads