aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
Size

233KB
MD5

ec4c70f038832769278a1a94ed8fb44e
SHA1

3e01f1609f1e9edd0ec9ddc874aad4d830fcec13
SHA256

aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0
SHA512

ae137caea7739f8c4b224b98db719ae4f2858e945f554ee8ddecec7212f2c711af0a99d9f9728a49333e8f99b4b0f9791fa5c0ab8f380788e18f7cebab4ca3cb
SSDEEP

3072:4JGbF2ny0ViOfTOp3ORLYkGQXOa+8ZpDySU7fqMvUC1XAEuwkil0WtapmOgC9RPj:/MnyK/TTZEhvUCh0iIpVRPbkZ9rVBM

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

Processes:

mouseradar.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mouseradar.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mouseradar.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mouseradar.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mouseradar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

mouseradar.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mouseradar.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mouseradar.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mouseradar.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

mouseradar.exe

pid	process
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe
3168	mouseradar.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe

pid process

4988 aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe

pid	process
4988	aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exemouseradar.exe

description	pid	process	target process
PID 5092 wrote to memory of 4988	5092	aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe	aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
PID 5092 wrote to memory of 4988	5092	aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe	aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
PID 5092 wrote to memory of 4988	5092	aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe	aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
PID 2548 wrote to memory of 3168	2548	mouseradar.exe	mouseradar.exe
PID 2548 wrote to memory of 3168	2548	mouseradar.exe	mouseradar.exe
PID 2548 wrote to memory of 3168	2548	mouseradar.exe	mouseradar.exe

C:\Users\Admin\AppData\Local\Temp\aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
"C:\Users\Admin\AppData\Local\Temp\aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\aaf1535f58bb803f3bf3fcab509cd982c16b230b9e15485424f16fce62fe7ed0.exe
--bcc5c36e
2⤵
- Suspicious behavior: RenamesItself
PID:4988

C:\Windows\SysWOW64\mouseradar.exe
"C:\Windows\SysWOW64\mouseradar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\mouseradar.exe
--58db9cf3
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3168-137-0x0000000000000000-mapping.dmp

Download
memory/3168-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3168-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4988-132-0x0000000000000000-mapping.dmp

Download
memory/4988-135-0x0000000000550000-0x000000000056B000-memory.dmp

Filesize
108KB

Download
memory/4988-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4988-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5092-133-0x0000000000580000-0x000000000059B000-memory.dmp

Filesize
108KB

Download
memory/5092-134-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download