Analysis
max time kernel: 197s
max time network: 245s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2023 18:12

Behavioral task: behavioral1
Sample: b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
Resource: win7-20221111-en
General
Target: b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
Size: 139KB
MD5: db15cdcdc91ea152ee91fc39a0b5c783
SHA1: fcce4020bc8deb215dcc32439a92d0525cb479ed
SHA256: b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496
SHA512: 0bba6c36cd4653ca1e0928fefd02efd2ae63b0960ec6c22c500900329cf9b3a744bc75ef819bd7e30d2d8d133e362030990499de7922fc8466b838b1b4b431f4
SSDEEP: 3072:526p04PgDvcLVonnjqP6R8VmgWieXVWRNtY8nA5Xpi:U6pxxieP60mBiheZi
Malware Config
Signatures
Drops file in System32 directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | unpackslide.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (21 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | unpackslide.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B43B135-4CE8-4AE5-9FCC-DF1A6483368C}\WpadDecisionReason = "1" | unpackslide.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B43B135-4CE8-4AE5-9FCC-DF1A6483368C}\WpadDecisionTime = d0f4a2221634d901 | unpackslide.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B43B135-4CE8-4AE5-9FCC-DF1A6483368C}\WpadNetworkName = "Network 2" | unpackslide.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-84-69-8c-52-5a\WpadDecisionTime = d0f4a2221634d901 | unpackslide.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-84-69-8c-52-5a\WpadDecision = "0" | unpackslide.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | unpackslide.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | unpackslide.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | unpackslide.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | unpackslide.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B43B135-4CE8-4AE5-9FCC-DF1A6483368C}\ba-84-69-8c-52-5a | unpackslide.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | unpackslide.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | unpackslide.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | unpackslide.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | unpackslide.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0038000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | unpackslide.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B43B135-4CE8-4AE5-9FCC-DF1A6483368C} | unpackslide.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-84-69-8c-52-5a\WpadDecisionReason = "1" | unpackslide.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | unpackslide.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B43B135-4CE8-4AE5-9FCC-DF1A6483368C}\WpadDecision = "0" | unpackslide.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-84-69-8c-52-5a | unpackslide.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
432 | unpackslide.exe
432 | unpackslide.exe
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid | process
620 | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
Suspicious use of UnmapMainImage (4 IoCs)
Processes:
pid | process
1600 | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
620 | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
1116 | unpackslide.exe
432 | unpackslide.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1600 wrote to memory of 620 | 1600 | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
PID 1600 wrote to memory of 620 | 1600 | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
PID 1600 wrote to memory of 620 | 1600 | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
PID 1600 wrote to memory of 620 | 1600 | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe | b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
PID 1116 wrote to memory of 432 | 1116 | unpackslide.exe | unpackslide.exe
PID 1116 wrote to memory of 432 | 1116 | unpackslide.exe | unpackslide.exe
PID 1116 wrote to memory of 432 | 1116 | unpackslide.exe | unpackslide.exe
PID 1116 wrote to memory of 432 | 1116 | unpackslide.exe | unpackslide.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496.exe
      command line: --793c3fe9
      - Suspicious behavior: RenamesItself
      - Suspicious use of UnmapMainImage
C:\Windows\SysWOW64\unpackslide.exe
  command line: "C:\Windows\SysWOW64\unpackslide.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\unpackslide.exe
      command line: --f8628eb5
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/432-60-0x0000000000000000-mapping.dmp
memory/432-62-0x0000000000220000-0x0000000000231000-memory.dmp (Filesize: 68KB)
memory/432-63-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
memory/620-54-0x0000000000000000-mapping.dmp
memory/620-57-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
memory/620-58-0x00000000763D1000-0x00000000763D3000-memory.dmp (Filesize: 8KB)
memory/620-59-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
memory/620-61-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
memory/1600-55-0x0000000000220000-0x0000000000231000-memory.dmp (Filesize: 68KB)
memory/1600-56-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)