Analysis
  max time kernel:  133s
  max time network: 163s
  platform:         windows10-2004_x64
  resource:         win10v2004-20221111-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        29-01-2023 18:31
Behavioral task
  behavioral1
    Sample:    00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe
    Resource:  win7-20220812-en
    Platform:  windows7-x64
    8 signatures
    150 seconds
  (This task entry is the win7 run listed alongside the selected one; the Analysis block above records a windows10-2004_x64 run, and the signatures, process tree and memory dumps below belong to that run.)
General
  Target:  00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe
  Size:    200KB
  MD5:     15d17a1fba73676a99374b3580c4a1de
  SHA1:    ddde9f637a6c1b9c4d0cb1f31379abab490e06cf
  SHA256:  00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f
  SHA512:  4feb8eb9e0682d834ef9b59babc590e101f13e34a8a0cd316bc2db3e3b30ee61e5f6ca4f3698f698d8639235db27a33f8f702be9d657707029878bc2252598a0
  SSDEEP:  6144:lBROOztLRuwc5xRRBJ/1CTtSJzA36Nsuv:lBtix//0TtuE7uv
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
  Process           Description                   IoC
  startedadmin.exe  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  startedadmin.exe  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  startedadmin.exe  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  startedadmin.exe  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  Caveat: all four paths are the WinINet cache directories of the SYSTEM profile (SysWOW64\config\systemprofile is where a 32-bit process running as LocalSystem gets its AppData). WinINet creates them on first use; they show the execution context of startedadmin.exe, not a payload being dropped.
Enumerates physical storage devices (1 TTP)
  Sandbox description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: the "likely ransomware" text is the sandbox's generic description for this signature. None of the other signatures in this report show encryption, mass file modification or a ransom note, so on this evidence it is drive enumeration, nothing more.
Modifies data under HKEY_USERS (3 IoCs)
  Process           Description      IoC
  startedadmin.exe  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  startedadmin.exe  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in the report)
  startedadmin.exe  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Caveat: these CachePrefix values are the standard WinINet cache-initialisation writes. Their location under the .DEFAULT hive, together with the systemprofile paths in the previous signature, indicates startedadmin.exe is running in the LocalSystem profile (consistent with execution as a service); it is not tampering with a logged-on user's settings.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: startedadmin.exe, PID 2144 (10 occurrences)

Suspicious behavior: RenamesItself (1 IoC)
  Process: 00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe, PID 4892

Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process                                                          Target PID  Target process                                                          Writes
  4840        00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe  4892        00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe  3
  512         startedadmin.exe                                                        2144        startedadmin.exe                                                        3
Processes

  C:\Users\Admin\AppData\Local\Temp\00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe  (PID 4840)
    command line: "C:\Users\Admin\AppData\Local\Temp\00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe"
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe --c0d8b294  (PID 4892, child of 4840)
        - Suspicious behavior: RenamesItself

  C:\Windows\SysWOW64\startedadmin.exe  (PID 512)
    command line: "C:\Windows\SysWOW64\startedadmin.exe"
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\startedadmin.exe --fca6b4e0  (PID 2144, child of 512)
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

  PIDs are taken from the WriteProcessMemory and RenamesItself signatures above. Both chains follow the same pattern: the parent launches its own image again with an 8-hex-digit argument and writes into the child's memory before the child does its work.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
  Dump                                                               PID   Region               Filesize
  memory/2144-137-0x0000000000000000-mapping.dmp                     2144  mapping              -
  memory/2144-139-0x0000000000400000-0x0000000000434000-memory.dmp   2144  0x400000-0x434000    208KB
  memory/2144-140-0x0000000000400000-0x0000000000434000-memory.dmp   2144  0x400000-0x434000    208KB
  memory/4840-132-0x00000000004B0000-0x00000000004CB000-memory.dmp   4840  0x4B0000-0x4CB000    108KB
  memory/4840-134-0x00000000004B0000-0x00000000004CB000-memory.dmp   4840  0x4B0000-0x4CB000    108KB
  memory/4840-135-0x0000000000400000-0x000000000041D000-memory.dmp   4840  0x400000-0x41D000    116KB
  memory/4892-133-0x0000000000000000-mapping.dmp                     4892  mapping              -
  memory/4892-136-0x0000000000400000-0x0000000000434000-memory.dmp   4892  0x400000-0x434000    208KB
  memory/4892-138-0x0000000000400000-0x000000000041D000-memory.dmp   4892  0x400000-0x41D000    116KB
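The WriteProcessMemory entries and the memory-dump list carry more structure than the flattened page shows. The Python below is an added example written for this report, not tooling from the sandbox: it parses the dump file names (pid, dump index, region start and end), checks that each region length agrees with the printed Filesize, flags any process in which the same base address was dumped with two different extents, and rebuilds the parent/child chains from the WriteProcessMemory edges. The dump names, sizes and PIDs are copied from the report; the assumptions are that Filesize labels are KiB (1024-byte units, truncated) and that every dump name follows the layout seen on this page.

```python
# Added example for triaging the report above; not the sandbox's own code.
# Assumption: the report's "Filesize" labels are KiB (1024-byte units).
import re
from collections import defaultdict

SAMPLE = "00e19a87d7ac7411d79c40df1e4bfaea8d54a466ae0f06f328ecc88bc29d469f.exe"

# (dump name, Filesize label as printed; None for mapping dumps), copied from the report
DUMP_ENTRIES = [
    ("memory/2144-137-0x0000000000000000-mapping.dmp", None),
    ("memory/2144-139-0x0000000000400000-0x0000000000434000-memory.dmp", "208KB"),
    ("memory/2144-140-0x0000000000400000-0x0000000000434000-memory.dmp", "208KB"),
    ("memory/4840-132-0x00000000004B0000-0x00000000004CB000-memory.dmp", "108KB"),
    ("memory/4840-134-0x00000000004B0000-0x00000000004CB000-memory.dmp", "108KB"),
    ("memory/4840-135-0x0000000000400000-0x000000000041D000-memory.dmp", "116KB"),
    ("memory/4892-133-0x0000000000000000-mapping.dmp", None),
    ("memory/4892-136-0x0000000000400000-0x0000000000434000-memory.dmp", "208KB"),
    ("memory/4892-138-0x0000000000400000-0x000000000041D000-memory.dmp", "116KB"),
]

# (parent pid, child pid, parent image, child image) from the WriteProcessMemory
# signature; the report lists each edge once per write call, three times each.
WPM_EDGES = [(4840, 4892, SAMPLE, SAMPLE)] * 3 + \
            [(512, 2144, "startedadmin.exe", "startedadmin.exe")] * 3

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, dump index, kind and region bounds."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "idx": int(m["idx"]),
        "kind": m["kind"],
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else 0,
    }


def size_label(nbytes):
    """Render a byte count the way the report prints it (assumed KiB, truncated)."""
    return f"{nbytes // 1024}KB"


def check_sizes(entries):
    """Return dump names whose region length disagrees with the printed Filesize."""
    bad = []
    for name, label in entries:
        d = parse_dump_name(name)
        if label is not None and size_label(d["size"]) != label:
            bad.append(name)
    return bad


def regions_by_pid(entries):
    """Distinct (start, end) regions dumped per pid; mapping dumps are skipped."""
    regions = defaultdict(set)
    for name, _ in entries:
        d = parse_dump_name(name)
        if d["kind"] == "memory":
            regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def conflicting_bases(regions):
    """Pids where one base address was dumped with more than one extent.

    Two extents at the same base in one process mean the mapping there changed
    between dumps, which is what a parent rewriting a child's image looks like.
    """
    out = {}
    for pid, regs in regions.items():
        ends = defaultdict(set)
        for start, end in regs:
            ends[start].add(end)
        bases = sorted(b for b, e in ends.items() if len(e) > 1)
        if bases:
            out[pid] = bases
    return out


def process_tree(edges):
    """Rebuild parent -> sorted children from (deduplicated) WriteProcessMemory edges."""
    children = defaultdict(set)
    for ppid, cpid, _pimg, _cimg in edges:
        children[ppid].add(cpid)
    all_children = {c for cs in children.values() for c in cs}
    return {root: sorted(children[root]) for root in sorted(set(children) - all_children)}


if __name__ == "__main__":
    regions = regions_by_pid(DUMP_ENTRIES)
    print("size mismatches:", check_sizes(DUMP_ENTRIES))
    print("bases dumped with two extents:", conflicting_bases(regions))
    print("process tree:", process_tree(WPM_EDGES))
```

Run against the report's own entries the size check comes back empty (0x434000 - 0x400000 = 0x34000 bytes = 208 KiB, 0x41D000 - 0x400000 = 116 KiB, 0x4CB000 - 0x4B0000 = 108 KiB), the tree reduces to 4840 -> 4892 and 512 -> 2144, and PID 4892 is the one process flagged: its 0x400000 region was dumped at 0x1D000 bytes (the same extent as the parent 4840's image region) and later at 0x34000 bytes (the same extent as startedadmin.exe's child 2144). Read alongside the WriteProcessMemory signature, that is consistent with the parent replacing the child's image before it runs, though the report itself does not say so.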