Analysis
- max time kernel: 127s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 18:14
Behavioral task: behavioral1
- Sample: 989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe
- Resource: win7-20221111-en
General
- Target: 989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe
- Size: 138KB
- MD5: c5d0ae675627de0a43f710eae9612549
- SHA1: 62b995c6dfe5500e02084cca30411362a0ab3ca5
- SHA256: 989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8
- SHA512: fff07b8e1def5b2b2168447d4f8811d27944b259ddd406ce56b7e230db16ffa759f81e5ec2facc0618a3ffe84e7a2a26dfffe894f417e68c3e34d1ab0aac1313
- SSDEEP: 3072:3qrvRknb6sxBl0E+R+Bch+l5wJGVTa/pvfM7RCpGZ:a7RcZt9IF6uJkeEv
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Process: adttitle.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Process: adttitle.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Process: adttitle.exe (PID 4056), 8 occurrences
- Suspicious behavior: RenamesItself (1 IoCs)
  Process: 989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe (PID 5104)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe, adttitle.exe
  - PID 4996 (989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe) wrote to memory of PID 5104 (989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe), 3 occurrences
  - PID 1920 (adttitle.exe) wrote to memory of PID 4056 (adttitle.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\989cd7cd06b1de240a9b00cb2bced5bf736100e94d9adb63710d7493d229c3b8.exe --9e3099f7
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\adttitle.exe
  Command line: "C:\Windows\SysWOW64\adttitle.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\adttitle.exe --88c04b99
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4056-138-0x0000000000000000-mapping.dmp
- memory/4056-140-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/4056-141-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/4996-132-0x0000000002020000-0x0000000002031000-memory.dmp (68KB)
- memory/4996-134-0x0000000002020000-0x0000000002031000-memory.dmp (68KB)
- memory/4996-135-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/5104-133-0x0000000000000000-mapping.dmp
- memory/5104-136-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/5104-137-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/5104-139-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)