Analysis
- max time kernel: 200s
- max time network: 215s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 18:09
Behavioral task: behavioral1
- Sample: cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe
- Resource: win10v2004-20221111-en
General
- Target: cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe
- Size: 183KB
- MD5: 084fcbe7b1b973ba4b175455d6d9b55b
- SHA1: 4490bcf62c754a464b2acd6682fa495028c0b2c6
- SHA256: cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece
- SHA512: 1b4a7ca4adf94d06e8e8625c700c8451fdea1fb0e684f9b4ed58e26346abf5363432108d9d3c99dd07c307366ea30f8a7502809395e1e10b90119fa46efa98c7
- SSDEEP: 3072:NV+PrAn3UAwpBFPbSbl8ZVcuGdrpWoWxiKJOXx2Q0mIOH0ZPvfdONt7T0Wf6B56K:EME7pTOMkJqiK4Bfc3MNZUPWrm
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: detectform.exe
  description / ioc / process:
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies / detectform.exe
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 / detectform.exe
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 / detectform.exe
  - File opened for modification / C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE / detectform.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: detectform.exe
  description / ioc / process:
  - Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix / detectform.exe
  - Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" / detectform.exe
  - Set value (str) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" / detectform.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: detectform.exe
  pid / process:
  - 4432 / detectform.exe (this entry is listed 8 times)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe
  pid / process:
  - 2232 / cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe, detectform.exe
  description / pid / process / target process:
  - PID 1196 wrote to memory of 2232 / 1196 / cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe / cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe (this entry is listed 3 times)
  - PID 2976 wrote to memory of 4432 / 2976 / detectform.exe / detectform.exe (this entry is listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe "C:\Users\Admin\AppData\Local\Temp\cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe" (level 1)
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cdc00024488a64562b75ff25c45971a9b795bada45f9507cd3945e5a18a81ece.exe --b09c651a (level 2)
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\detectform.exe "C:\Windows\SysWOW64\detectform.exe" (level 1)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\detectform.exe --779db7d9 (level 2)
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1196-132-0x0000000002160000-0x000000000217B000-memory.dmp (Filesize 108KB)
- memory/1196-134-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/2232-133-0x0000000000000000-mapping.dmp
- memory/2232-135-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/2232-136-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/2232-140-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/2976-137-0x0000000000CF0000-0x0000000000D0B000-memory.dmp (Filesize 108KB)
- memory/2976-138-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/4432-139-0x0000000000000000-mapping.dmp
- memory/4432-141-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/4432-142-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)