Analysis
-
max time kernel
140s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted
19-03-2023 04:24
Behavioral task
behavioral1
Sample
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Resource
win10v2004-20230220-en
General
-
Target
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
-
Size
948KB
-
MD5
406b8fc9103a93ea1a18e5c37370137c
-
SHA1
a512b771879afc2302c5c837ff96546921313dc9
-
SHA256
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5
-
SHA512
1655d4174ffeb773c633e3a744aabd15beed459c27b634c0f5e3d11532031b65089bef39955b77bb908270317950fbaf6a784a9534c458dfce6024224f4d547b
-
SSDEEP
24576:CN1ZEwSKk3Os2Iv+mbEcl00kC8aFZsTV9U3R1XSzcPUntyhyzMc:c1O/Os2W+mbdl00kpaZsTV9U3vXSYPU7
Malware Config
Signatures
-
Drops file in System32 directory 22 IoCs
Processes:
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
description ioc process
File created \??\c:\windows\SysWOW64\opfileOneA 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\syys6.9.5.syw 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\1936524835\lk1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\opfileOneA 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\yytmp1\1936524835\mu1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\yytmp1\1936524835\fj1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\yytmp1\1936524835\sx1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\opfilejlA 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\1936524835\mu1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\yytmp1\1936524835\1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\友益文书.exe 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\yytmp1\友益文书.exe 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\1936524835\yadviser.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\filebak 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\opfilejlA 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\1936524835\fj1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\1936524835\sx1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\yytmp1\filebak 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created \??\c:\windows\SysWOW64\yytmp1\1936524835\1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification \??\c:\windows\SysWOW64\yytmp1\1936524835\lk1936524835.tmp 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
-
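The raw sandbox output prints the 22 IOCs above as a single run-together line and renders the GBK filename in it as Latin-1 mojibake (ÓÑÒæÎÄÊé.exe for 友益文书.exe). The script below is an added example, not part of the sandbox report or of the sample: it carries the 22 (action, path) pairs copied from the report, converts the NT-style \??\ prefix to a Win32 path, repairs the mojibake, de-duplicates the entries into a hunt list, and checks a host for those files. The host check takes its existence test as a parameter, so it runs unchanged on a live Windows box with os.path.exists and offline with a stand-in.

```python
"""Hunt list built from the 'Drops file in System32 directory' IOCs above.

Added example, not part of the sandbox report. Paths are copied from the
report; the GBK filename is kept exactly as the sandbox printed it.
"""
import re

# NT object-manager prefix exactly as the sandbox prints it.
SYSWOW64 = r"\??\c:\windows\SysWOW64"

# The 22 IOCs from the report: 13 'File created', 9 'File opened for modification'.
DROPPED = {
    "File created": [
        r"\opfileOneA", r"\syys6.9.5.syw", r"\yytmp1\1936524835\lk1936524835.tmp",
        r"\yytmp1\ywsfiletmp.tmp", r"\opfilejlA", r"\yytmp1\ywsinid.files\25.bmp",
        r"\yytmp1\1936524835\mu1936524835.tmp", r"\yytmp1\ÓÑÒæÎÄÊé.exe",
        r"\yytmp1\1936524835\yadviser.tmp", r"\yytmp1\filebak",
        r"\yytmp1\1936524835\fj1936524835.tmp", r"\yytmp1\1936524835\sx1936524835.tmp",
        r"\yytmp1\1936524835\1936524835.tmp",
    ],
    "File opened for modification": [
        r"\opfileOneA", r"\yytmp1\1936524835\mu1936524835.tmp",
        r"\yytmp1\1936524835\fj1936524835.tmp", r"\yytmp1\1936524835\sx1936524835.tmp",
        r"\yytmp1\1936524835\1936524835.tmp", r"\yytmp1\ÓÑÒæÎÄÊé.exe",
        r"\opfilejlA", r"\yytmp1\filebak", r"\yytmp1\1936524835\lk1936524835.tmp",
    ],
}

_LATIN1_HIGH = re.compile(r"[\u0080-\u00ff]")


def fix_gbk_mojibake(name: str) -> str:
    """Undo GBK bytes that were displayed as Latin-1 ('ÓÑÒæÎÄÊé' -> '友益文书').

    GBK is ASCII-compatible, so a whole path can be passed in. Names with no
    Latin-1 high characters, and anything that is not valid GBK, are returned
    unchanged rather than guessed at.
    """
    if not _LATIN1_HIGH.search(name):
        return name
    try:
        return name.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return name


def nt_to_win32(path: str) -> str:
    """Strip the '\\??\\' NT prefix and upper-case the drive letter (c: -> C:)."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) >= 2 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def hunt_list(dropped=DROPPED) -> dict:
    """Map each unique Win32 path to the set of sandbox actions seen on it."""
    seen = {}
    for action, rels in dropped.items():
        for rel in rels:
            win = fix_gbk_mojibake(nt_to_win32(SYSWOW64 + rel))
            seen.setdefault(win, set()).add(action)
    return seen


def check_host(paths, exists):
    """Return the hunt paths present on a host.

    `exists` is os.path.exists on a live Windows host; any callable taking a
    path and returning a bool works for offline testing.
    """
    return sorted(p for p in paths if exists(p))


if __name__ == "__main__":
    import os

    hits = hunt_list()
    for path in sorted(hits):
        print(f"{path}  [{', '.join(sorted(hits[path]))}]")
    print("present on this host:", check_host(hits, os.path.exists))
```

The hunt list collapses the 22 entries to 13 unique paths; the Windows filesystem is case-insensitive, so only the drive letter is normalised and the rest of each path is left as the sandbox printed it.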
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but drive enumeration on its own is also routine for installers and document viewers, and nothing else on this page shows encryption or ransom-note activity.
-
Modifies Internet Explorer settings 1 IoCs
Processes:
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
-
Modifies registry class 5 IoCs
Processes:
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536" 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536" 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536" 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
EditFlags = 65536 (0x10000) is FTA_OpenIsSafe: it marks the ProgID as safe to open directly, which suppresses the shell's open/save confirmation for the Office 97-2003 Word, Excel and PowerPoint document types. A new ywsfile class is registered alongside them.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
pid process
836 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
836 353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
   "C:\Users\Admin\AppData\Local\Temp\353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe"
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\20856\6040\16013\1936524835\房地产开发企业会计辅导.htm ("Accounting guidance for real estate development enterprises")
Filesize
24KB
MD5
bca2bf77034421050a3c23efeb179fdd
SHA1
5fcdc3c4a4648d752229ed6a248c29c49dc05cc8
SHA256
877dd943e658ed5530e0f102790e844161e26fd59e1a9d2e18c2fefb50731b62
SHA512
d6a64b388bdfc2cd34a2efcdfa8562bddbd9f1d449f5753066e126d50a7c8d17959fa28c93c423c74a9eb02b2c8148eb54891e93d41b0053c0188fff9cb11229
-
memory/836-86-0x00000000002A0000-0x00000000002A1000-memory.dmp
Filesize
4KB
-
memory/836-116-0x0000000000400000-0x000000000059C000-memory.dmp
Filesize
1.6MB
-
memory/836-117-0x00000000002A0000-0x00000000002A1000-memory.dmp
Filesize
4KB
-
memory/836-119-0x0000000000400000-0x000000000059C000-memory.dmp
Filesize
1.6MB
-
memory/836-121-0x0000000000400000-0x000000000059C000-memory.dmp
Filesize
1.6MB
-
memory/836-130-0x0000000000400000-0x000000000059C000-memory.dmp
Filesize
1.6MB