Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-03-2023 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: Proteggiti12.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Proteggiti12.exe
- Resource: win10v2004-20230220-en
General
- Target: Proteggiti12.exe
- Size: 81KB
- MD5: bcf010a0ac126b82c429d6b1e05e0904
- SHA1: d59494cc6a114951c9affc0d280d39f7ee429412
- SHA256: cd7fa0e585fcc126483caa9f5c738d0c213e3326f132e47c69d942eeb9ef1345
- SHA512: 50620b0f7149eb0244a640df1d8334657fd34b26f3a6ebaeb8dd892f68560a9b273cd95310d034003b163a1aa198499a74695ed6650069a08d2ab5f71c3e18d5
- SSDEEP: 1536:/s3y2R2T619NzucB2VJtLE933X80VMYEwduOrIDxBHCs0h:6qTE3zucB2Vg38jfwMOa3Cxh
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: RegAsm.exe
  description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.exe.lnk; process: RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Proteggiti12.exe
  description: PID 1656 set thread context of 2152; pid: 1656; process: Proteggiti12.exe; target process: RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegAsm.exe
  description: Token: SeDebugPrivilege; pid: 2152; process: RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegAsm.exe
  pid: 2152; process: RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Proteggiti12.exe
  description: PID 1656 wrote to memory of 2152; pid: 1656; process: Proteggiti12.exe; target process: RegAsm.exe (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Proteggiti12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proteggiti12.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1656-133-0x0000000000810000-0x000000000082A000-memory.dmp (Filesize: 104KB)
- memory/1656-134-0x00000000055D0000-0x0000000005B74000-memory.dmp (Filesize: 5.6MB)
- memory/1656-135-0x00000000050C0000-0x0000000005152000-memory.dmp (Filesize: 584KB)
- memory/1656-136-0x00000000050A0000-0x00000000050AA000-memory.dmp (Filesize: 40KB)
- memory/1656-137-0x00000000052D0000-0x0000000005346000-memory.dmp (Filesize: 472KB)
- memory/1656-138-0x0000000005350000-0x0000000005360000-memory.dmp (Filesize: 64KB)
- memory/1656-139-0x0000000005350000-0x0000000005360000-memory.dmp (Filesize: 64KB)
- memory/1656-140-0x00000000053A0000-0x00000000053BE000-memory.dmp (Filesize: 120KB)
- memory/2152-141-0x0000000000400000-0x0000000000416000-memory.dmp (Filesize: 88KB)
- memory/2152-145-0x00000000051B0000-0x00000000051C0000-memory.dmp (Filesize: 64KB)
- memory/2152-149-0x00000000051B0000-0x00000000051C0000-memory.dmp (Filesize: 64KB)