Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 18:21
Behavioral task: behavioral1
Sample: 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe
Resource: win7-20220901-en
General
Target: 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe
Size: 139KB
MD5: a0305a77c02444357ef9b7e75eab4cf2
SHA1: c2624bbf3e4ac11defe87c906d1d117d6dd13448
SHA256: 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d
SHA512: 8bfd8ee70f01560a12e14644997e34b4c25d0ad748fa4417c43930aaa935d3e4d298e4664b2089a8ef45a09e4051f1874df9669766e7b2b0dffcfb96b2de0f42
SSDEEP: 3072:vKf26p04PgDvcLVonnjqP6R8pmg+dXVWRJDjZj7:vKu6pxxieP6AmvCDd/
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Processes: sortingglue.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (sortingglue.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (sortingglue.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (sortingglue.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (sortingglue.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Processes: sortingglue.exe
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (sortingglue.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (sortingglue.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (sortingglue.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: sortingglue.exe
  pid 2100 sortingglue.exe (the same entry is recorded 10 times)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe
  pid 4876 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe, sortingglue.exe
  PID 4772 wrote to memory of 4876: 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe -> 5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe (recorded 3 times)
  PID 1200 wrote to memory of 2100: sortingglue.exe -> sortingglue.exe (recorded 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5da488771253d92cef780635917ccaad602bf0ae9c61ca9ea4b5a4b01189700d.exe
      Command line: --67865eb6
      - Suspicious behavior: RenamesItself

1. C:\Windows\SysWOW64\sortingglue.exe
   Command line: "C:\Windows\SysWOW64\sortingglue.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\sortingglue.exe
      Command line: --bdee6ecf
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2100-138-0x0000000000000000-mapping.dmp
memory/2100-140-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
memory/2100-141-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
memory/4772-132-0x0000000002160000-0x0000000002171000-memory.dmp (68KB)
memory/4772-134-0x0000000002160000-0x0000000002171000-memory.dmp (68KB)
memory/4772-135-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
memory/4876-133-0x0000000000000000-mapping.dmp
memory/4876-136-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
memory/4876-137-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
memory/4876-139-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)