Analysis
  Max time kernel: 136s
  Max time network: 154s
  Platform: windows10-2004_x64
  Resource: win10v2004-20221111-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 29-01-2023 18:13
Behavioral task: behavioral1
  Sample: aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  Resource: win10v2004-20221111-en
General
  Target: aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  Size: 233KB
  MD5: ec4c70f038832769278a1a94ed8fb44e
  SHA1: 3e01f1609f1e9edd0ec9ddc874aad4d830fcec13
  SHA256: aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0
  SHA512: ae137caea7739f8c4b224b98db719ae4f2858e945f554ee8ddecec7212f2c711af0a99d9f9728a49333e8f99b4b0f9791fa5c0ab8f380788e18f7cebab4ca3cb
  SSDEEP: 3072:4JGbF2ny0ViOfTOp3ORLYkGQXOa+8ZpDySU7fqMvUC1XAEuwkil0WtapmOgC9RPj:/MnyK/TTZEhvUCh0iIpVRPbkZ9rVBM
Malware Config
Signatures

- Drops file in System32 directory (4 IoCs)
  Processes: mouseradar.exe
  Description                  | IoC                                                                                          | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mouseradar.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE          | mouseradar.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies           | mouseradar.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5   | mouseradar.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (3 IoCs)
  Processes: mouseradar.exe
  Description     | IoC                                                                                                                              | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mouseradar.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix               | mouseradar.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   | mouseradar.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: mouseradar.exe
  PID  | Process
  3168 | mouseradar.exe (listed 10 times)

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  PID  | Process
  4988 | aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe, mouseradar.exe
  Description                  | PID  | Process                                                                | Target process
  PID 5092 wrote to memory of 4988 | 5092 | aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe | aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  PID 5092 wrote to memory of 4988 | 5092 | aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe | aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  PID 5092 wrote to memory of 4988 | 5092 | aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe | aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  PID 2548 wrote to memory of 3168 | 2548 | mouseradar.exe                                                         | mouseradar.exe
  PID 2548 wrote to memory of 3168 | 2548 | mouseradar.exe                                                         | mouseradar.exe
  PID 2548 wrote to memory of 3168 | 2548 | mouseradar.exe                                                         | mouseradar.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe"
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe --bcc5c36e
      - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\mouseradar.exe
  Command line: "C:\Windows\SysWOW64\mouseradar.exe"
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mouseradar.exe --58db9cf3
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  File                                                            | Filesize
  memory/3168-137-0x0000000000000000-mapping.dmp                  | -
  memory/3168-139-0x0000000000400000-0x000000000043D000-memory.dmp | 244KB
  memory/3168-140-0x0000000000400000-0x000000000043D000-memory.dmp | 244KB
  memory/4988-132-0x0000000000000000-mapping.dmp                  | -
  memory/4988-135-0x0000000000550000-0x000000000056B000-memory.dmp | 108KB
  memory/4988-136-0x0000000000400000-0x000000000043D000-memory.dmp | 244KB
  memory/4988-138-0x0000000000400000-0x000000000041D000-memory.dmp | 116KB
  memory/5092-133-0x0000000000580000-0x000000000059B000-memory.dmp | 108KB
  memory/5092-134-0x0000000000400000-0x000000000041D000-memory.dmp | 116KB