Resubmissions
06-03-2023 14:33
230306-rw9qpscg76 10 06-03-2023 14:32
230306-rwm7pscg72 1 06-03-2023 14:24
230306-rq2g5scg48 10
Analysis
- max time kernel: 151s
- max time network: 81s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
- submitted: 06-03-2023 14:24
Static task
static1
Behavioral task
behavioral1
Sample
windows.exe
Resource
win10-20230220-en
General
- Target: windows.exe
- Size: 9.8MB
- MD5: f8ceee79a7b323a7683a46f1c7636ad3
- SHA1: 8fe53a9600d1eb1e6789989d214480fa21711f31
- SHA256: cbe35fed4367bc69d7ad61ab2e25c455501633f4adc8a8b864724d02f82804c2
- SHA512: 495d701de6372de2995ad6ae1e482d63d4197dcf8ab7f3b918ef73a42560bb88ce4dee0e36a99358f8b375baa9a6693f12eb3b12fdc84182c0a4f5049f247f20
- SSDEEP: 98304:AnNBW0h2GJfzIyepDL+LuMYBV+NBWzUNrQqMqS82ABqYBYCq6/4N5FZ7w8av8pD8:iW0SLw8BDoVn
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: windows.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eauivtuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
- Enumerates physical storage devices (1 TTPs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 5 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: windows.exe
pid | process
2840 | windows.exe (same entry repeated 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: windows.exe
pid | process
2840 | windows.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: windows.exe
pid | process
2840 | windows.exe
2840 | windows.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2840-118-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)
- memory/2840-119-0x0000000002CC0000-0x0000000002CC1000-memory.dmp (Filesize: 4KB)
- memory/2840-120-0x0000000008DD0000-0x000000000E747000-memory.dmp (Filesize: 89.5MB)
- memory/2840-121-0x000000000E8B0000-0x000000000E8B1000-memory.dmp (Filesize: 4KB)
- memory/2840-123-0x0000000000400000-0x0000000000DD3000-memory.dmp (Filesize: 9.8MB)
- memory/2840-124-0x000000000E8B0000-0x000000000E8B1000-memory.dmp (Filesize: 4KB)