Analysis
-
max time kernel
223s -
max time network
253s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted
29-01-2023 18:12
Behavioral task
behavioral1
Sample
ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe
Resource
win7-20220812-en
General
-
Target
ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe
-
Size
200KB
-
MD5
9d690127d647ba4d09d0ed689cac0453
-
SHA1
ab9cfc80609d094efbab60ff9afcb5d30d1435e6
-
SHA256
ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3
-
SHA512
6c1d230edb9acff06f8970febf64f05d747010feb06ae00c4c63f3bc2d6f97a2ae6547279ea040f338657d63e5430954f7d036c38271b52ffbcfc897f3da691f
-
SSDEEP
3072:XtF9bBJwMcZOz+GLRATw8dtCCLsoB0eQKqERRYmx9a+IuSxJI1CTlJo2xHiJ53Mr:JBROOztLRuwc5xRRBJ/1CTlJzA36Nsun
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
Processes: indexermfidl.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (indexermfidl.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (indexermfidl.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (indexermfidl.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (indexermfidl.exe)
Note: config\systemprofile is the user profile of the LocalSystem account, and these INetCache/INetCookies/History folders are what WinINet creates on first use. Their appearance under the system profile means the dropped indexermfidl.exe copy was running as SYSTEM when it initialised WinINet, not as the sandbox's Admin user.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
Processes: indexermfidl.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (indexermfidl.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (indexermfidl.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (indexermfidl.exe)
Note: HKU\.DEFAULT is the hive that LocalSystem processes see as HKEY_CURRENT_USER. The three CachePrefix values are the standard keys WinINet writes when it sets up its cache, so this is the registry side of the same WinINet initialisation as the systemprofile file writes above; it is not a persistence or configuration change by itself.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: indexermfidl.exe
- pid 4624, indexermfidl.exe
- pid 4624, indexermfidl.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe
- pid 2056, ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe, indexermfidl.exe
- PID 4308 wrote to memory of 2056 (ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe -> ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe)
- PID 4308 wrote to memory of 2056 (ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe -> ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe)
- PID 4308 wrote to memory of 2056 (ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe -> ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe)
- PID 5088 wrote to memory of 4624 (indexermfidl.exe -> indexermfidl.exe)
- PID 5088 wrote to memory of 4624 (indexermfidl.exe -> indexermfidl.exe)
- PID 5088 wrote to memory of 4624 (indexermfidl.exe -> indexermfidl.exe)
Note: in both stages the parent writes into a freshly spawned copy of itself. The Downloads section shows the parent's own image occupying 0x400000-0x41D000 (116KB) while the child's image region at the same base is 0x400000-0x434000 (208KB), which is consistent with the parent replacing the child's mapped image with a larger payload. The child dumps (memory/2056-137, memory/4624-141) are the ones to inspect for that payload.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe (PID 4308)
  command line: "C:\Users\Admin\AppData\Local\Temp\ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe (PID 2056, child)
    command line: C:\Users\Admin\AppData\Local\Temp\ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe --4539f4ff
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\indexermfidl.exe (PID 5088)
  command line: "C:\Windows\SysWOW64\indexermfidl.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\indexermfidl.exe (PID 4624, child)
    command line: C:\Windows\SysWOW64\indexermfidl.exe --4745eccb
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
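The process tree above shows the same two-step pattern twice: a process spawns a copy of itself with a trailing `--<8 hex digits>` argument and writes into that child, and the second-stage child of the SysWOW64 copy then touches the LocalSystem profile. The following is an added example, not part of the sandbox report, that turns those two observations into a correlation check over constructed Sysmon-style events. PIDs, image paths, command lines and IoC targets are copied from this report; the event field layout, the parent PIDs 1234 and 672, and the notepad.exe control row are assumptions.

```python
"""Correlate self-relaunch with LocalSystem-profile writes (added example,
not part of the original report)."""
import re

SAMPLE_NAME = "ba309d71b27e294159587a0a02f25912a057294a6aca9dc384bc733b32c93cf3.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME
DROP_PATH = r"C:\Windows\SysWOW64\indexermfidl.exe"

# Constructed process-creation events modelled on the report's process tree.
# Parent PIDs 1234 and 672 and the notepad.exe row are assumptions.
PROC_EVENTS = [
    {"pid": 4308, "ppid": 1234, "image": SAMPLE_PATH, "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 2056, "ppid": 4308, "image": SAMPLE_PATH, "cmdline": SAMPLE_PATH + " --4539f4ff"},
    {"pid": 5088, "ppid": 672, "image": DROP_PATH, "cmdline": '"' + DROP_PATH + '"'},
    {"pid": 4624, "ppid": 5088, "image": DROP_PATH, "cmdline": DROP_PATH + " --4745eccb"},
    {"pid": 7000, "ppid": 1234, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

# Constructed file/registry write events copied from the report's IoC lists,
# plus one benign control row (PID 7000).
WRITE_EVENTS = [
    {"pid": 4624, "target": r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5"},
    {"pid": 4624, "target": r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies"},
    {"pid": 4624, "target": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix"},
    {"pid": 7000, "target": r"C:\Users\Admin\notes.txt"},
]

# Trailing "--" plus exactly eight lowercase hex digits, as on both
# second-stage command lines in the report.
STAGE_ARG = re.compile(r"\s--([0-9a-f]{8})\s*$")

# Writes under these prefixes mean the writer runs as LocalSystem:
# config\systemprofile is SYSTEM's profile directory and HKU\.DEFAULT its hive.
LOCALSYSTEM_PREFIXES = tuple(p + "\\" for p in (
    r"c:\windows\syswow64\config\systemprofile",
    r"c:\windows\system32\config\systemprofile",
    r"\registry\user\.default",
))


def self_relaunches(events):
    """Return (parent_pid, child_pid, hex_arg) for every child whose image is the
    same file as its parent's and whose command line ends in --<8 hex digits>."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != e["image"].lower():
            continue
        m = STAGE_ARG.search(e["cmdline"])
        if m:
            hits.append((parent["pid"], e["pid"], m.group(1)))
    return hits


def localsystem_writers(events):
    """Sorted PIDs that modified files or registry values inside the LocalSystem profile."""
    return sorted({e["pid"] for e in events
                   if e["target"].lower().startswith(LOCALSYSTEM_PREFIXES)})


def correlate(proc_events, write_events):
    """Pair each self-relaunch with whether its child stage also wrote into the
    LocalSystem profile; True means that payload stage was running as SYSTEM."""
    writers = set(localsystem_writers(write_events))
    return [(p, c, arg, c in writers) for p, c, arg in self_relaunches(proc_events)]


if __name__ == "__main__":
    for parent, child, arg, as_system in correlate(PROC_EVENTS, WRITE_EVENTS):
        print(f"{parent} -> {child} (--{arg}) localsystem_writes={as_system}")
```

On the report's data the user-context stage (4308 -> 2056) is flagged for the relaunch alone, while the SysWOW64 stage (5088 -> 4624) is flagged for both the relaunch and the SYSTEM-profile writes. The hex argument pattern is a weak indicator on its own and should only raise severity when it co-occurs with the parent-equals-child-image condition, which is why the regex is not applied to processes whose parent is outside the event set.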
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2056-134-0x0000000000000000-mapping.dmp
- memory/2056-137-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/2056-138-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/2056-142-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/4308-133-0x00000000004B0000-0x00000000004CB000-memory.dmp (Filesize 108KB)
- memory/4308-135-0x00000000004B0000-0x00000000004CB000-memory.dmp (Filesize 108KB)
- memory/4308-136-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/4624-140-0x0000000000000000-mapping.dmp
- memory/4624-141-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/4624-143-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)
- memory/5088-139-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize 208KB)