Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2022 13:39

General

  • Target

    9dfe03868e7c446ecedc03dc79b77c34ee070cadeb1afa676345a9456e0cfd4c.exe

  • Size

    59KB

  • MD5

    03c2cb1bd90746fde3cf01d95c60ffc3

  • SHA1

    7768a2b1ca029225859fc903ba241e85741a9ebb

  • SHA256

    9dfe03868e7c446ecedc03dc79b77c34ee070cadeb1afa676345a9456e0cfd4c

  • SHA512

    9f7ad295ae85687f8e707263dd86d44c3180e54dc4e426f3e5f38fce1d7e349c4d32ac860852b6781592df2a8685e71549be93738ceb65a17a207a560329d689

  • SSDEEP

    1536:Y+1MKLlB0OcRIds0n7X+RzviRFmJUr1d/YYOVS4OFV:oKRB0vIm0bqeXmJmcAz

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 30 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dfe03868e7c446ecedc03dc79b77c34ee070cadeb1afa676345a9456e0cfd4c.exe
    "C:\Users\Admin\AppData\Local\Temp\9dfe03868e7c446ecedc03dc79b77c34ee070cadeb1afa676345a9456e0cfd4c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\regedit.exe
      C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
      2⤵
      • Adds Run key to start application
      • Runs .reg file with regedit
      PID:4596
    • C:\Users\Admin\AppData\Local\Temp\9dfe03868e7c446ecedc03dc79b77c34ee070cadeb1afa676345a9456e0cfd4c.exe
      C:\Users\Admin\AppData\Local\Temp\9dfe03868e7c446ecedc03dc79b77c34ee070cadeb1afa676345a9456e0cfd4c.exe
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\regedit.exe
        C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
        3⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:3948

Network

  • DNS
    Remote address: 8.8.8.8:53
    Request: 164.2.77.40.in-addr.arpa IN PTR
    Response:
  • 20.42.73.25:443
    322 B, 7
  • 52.152.108.96:443
    260 B, 5
  • 8.8.8.8:53 (dns)
    70 B, 144 B, 1, 1
    DNS Request: 164.2.77.40.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\msscp.reg

    Filesize

    185B

    MD5

    d7b73041d7be52d03e44f61558f8505c

    SHA1

    e39021ea1eb81bf0fc60c33b07affe8b4078b25a

    SHA256

    0f944b298ab8f2484c6fabce5b7de1931fc3f502a743129c1af1790cd99d0bb8

    SHA512

    a8c125eddce391da04d942eb1d40547cffc512c1aa9c55b4e4e320dfb3144d372b28a26f855408cbf6f112ea60e6f5842f4b1ae1810e48d92c3a174c17015050

  • memory/2148-137-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2148-140-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2384-134-0x0000000000000000-mapping.dmp

  • memory/2384-138-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2384-139-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/3948-135-0x0000000000000000-mapping.dmp

  • memory/4596-132-0x0000000000000000-mapping.dmp
