Resubmissions
  Submitted          Task ID             Score
  23-11-2023 20:34   231123-zcl5ascb62   3
  23-11-2023 20:33   231123-zbzc8sda7v   1
  23-11-2023 20:32   231123-za94cada6w   3
  23-11-2023 05:23   231123-f3hp1sgb65   3
  23-11-2023 05:19   231123-fztm4sha3z   3
  23-11-2023 05:16   231123-fyhjfsgb59   3
  23-11-2023 05:11   231123-fvey6aha3t   3
  23-11-2023 05:05   231123-fq2mcsgb43   8

Analysis
  max time kernel:   21s
  max time network:  26s
  platform:          windows10-1703_x64
  resource:          win10-20231023-en
  resource tags:     arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         23-11-2023 05:16
Static task:      static1
Behavioral task:  behavioral1
  Sample:    disallowedcert.stl
  Resource:  win10-20231023-en
General
  Target:  disallowedcert.stl
  Size:    5KB
  MD5:     78785956ab4e54d6116d673c3491edff
  SHA1:    962277a5497c60c77ba5de1caf7606d976e4299d
  SHA256:  c514dbdbb13632cbb378c59086c1ebb0bc9b25ffb0a349f2b052b065c0d913e6
  SHA512:  854eba4c9597692f38fc65acf6510bb4894873383b873a34a8b9e46fdec427aa6562b8592fb279431decdbb507e8ed605b78b1483052d9cd4196fa3cf1542cc1
  SSDEEP:  96:7nxsSPd1si1Y50uP/D+DExy9YDcvJFS9Vxk1qe79tDD0BDEdf6PYjISm2gry7fjn:7G2LV00GDTH63Req6vSDf8hUP
Malware Config
Signatures

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  Processes: iexplore.exe
  All keys below are under \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\ (written as IE\).

  description       ioc                                                          process
  Key created       IE\PhishingFilter                                            iexplore.exe
  Set value (data)  IE\PhishingFilter\ClientSupported_MigrationTime = 40f63d07e705da01   iexplore.exe

  Note that the two IoCs are a key creation and a migration timestamp; no value that turns the filter off appears in this list, so treat the signature name as a heuristic rather than evidence that the filter was disabled.

Modifies Internet Explorer settings 18 IoCs
  Processes: iexplore.exe, IEXPLORE.EXE
  All keys below are under \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\ (written as IE\).

  description       ioc                                                          process
  Set value (data)  IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
  Set value (str)   IE\RepId\PublicId = "{6365164C-25EF-4DF1-8656-004C092AAD48}"   iexplore.exe
  Key created       IE\Main\WindowsSearch                                        iexplore.exe
  Key created       IE\Main                                                      IEXPLORE.EXE
  Set value (str)   IE\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""   IEXPLORE.EXE
  Key created       IE\Main                                                      iexplore.exe
  Key created       IE\Recovery\AdminActive                                      iexplore.exe
  Key created       IE\MINIE                                                     iexplore.exe
  Key created       IE\Recovery\PendingRecovery                                  iexplore.exe
  Key created       IE\RepId                                                     iexplore.exe
  Set value (int)   IE\Main\CompatibilityFlags = "0"                             iexplore.exe
  Set value (str)   IE\Main\FullScreen = "no"                                    iexplore.exe
  Key created       IE\GPU                                                       IEXPLORE.EXE
  Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "0"                iexplore.exe
  Set value (int)   IE\MINIE\TabBandWidth = "500"                                iexplore.exe
  Set value (int)   IE\Recovery\AdminActive\{95696497-89BF-11EE-905A-D6ECF92EF593} = "0"   iexplore.exe
  Set value (str)   IE\Main\WindowsSearch\Version = "WS not running"             iexplore.exe
  Set value (int)   IE\Recovery\PendingRecovery\AdminActive = "1"                iexplore.exe
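The ClientSupported_MigrationTime data above is an 8-byte REG_BINARY holding a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) in little-endian byte order. The decoder below is an added example, not code from the sandbox or from this report; it takes the hex string exactly as printed in the IoC line and turns it into a UTC timestamp so the value can be compared against the submission time.

```python
from datetime import datetime, timedelta, timezone

# Hex bytes copied verbatim from the "Set value (data)" IoC above.
MIGRATION_TIME_HEX = "40f63d07e705da01"

# FILETIME counts 100 ns intervals from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_from_reg_binary(hex_data: str) -> datetime:
    """Decode an 8-byte little-endian FILETIME as the sandbox prints it."""
    raw = bytes.fromhex(hex_data)
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes of FILETIME, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    # timedelta has microsecond resolution, so drop the last decimal digit of the tick count.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_reg_binary(when: datetime) -> str:
    """Inverse of the above (microsecond precision), handy for building test vectors."""
    micros = (when.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return (micros * 10).to_bytes(8, "little").hex()


if __name__ == "__main__":
    print(filetime_from_reg_binary(MIGRATION_TIME_HEX).isoformat())
```

The value decodes to 2023-10-23 19:27:57 UTC, the same date that appears in the resource name win10-20231023-en and a month before this run was submitted (23-11-2023 05:16). A timestamp that predates the analysis by that much is image-preparation state being copied forward, not something the sample caused.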
Modifies registry class 4 IoCs
  Processes: cmd.exe, OpenWith.exe, iexplore.exe, OpenWith.exe

  description  ioc                                                                              process
  Key created  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings   cmd.exe
  Key created  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings   OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings   iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings   OpenWith.exe
Opens file in notepad (likely ransom note) 1 IoCs
  Processes: NOTEPAD.EXE

  pid   process
  1508  NOTEPAD.EXE

  The process tree shows that the file Notepad opened is the submitted sample itself (C:\Users\Admin\AppData\Local\Temp\disallowedcert.stl), so the "ransom note" label is the signature's generic wording, not an observation about this file.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes: OpenWith.exe

  pid   process
  4024  OpenWith.exe

  OpenWith.exe is the Windows "open with" chooser; the process tree shows it launched after cmd /c was given the .stl file and then handing the file to Internet Explorer and Notepad. The foreground-window and SetWindowsHookEx IoCs attributed to PID 4024 come from that dialog, not from code in the sample.
Suspicious use of FindShellTrayWindow 2 IoCs
  Processes: iexplore.exe

  pid   process
  3884  iexplore.exe
  3884  iexplore.exe
Suspicious use of SetWindowsHookEx 64 IoCs
  Processes: OpenWith.exe

  pid   process
  4024  OpenWith.exe  (64 identical IoCs)
Suspicious use of WriteProcessMemory 5 IoCs
  Processes: OpenWith.exe, iexplore.exe

  description                      pid   process       target process
  PID 4024 wrote to memory of 3884  4024  OpenWith.exe  iexplore.exe
  PID 4024 wrote to memory of 3884  4024  OpenWith.exe  iexplore.exe
  PID 3884 wrote to memory of 3508  3884  iexplore.exe  IEXPLORE.EXE
  PID 3884 wrote to memory of 3508  3884  iexplore.exe  IEXPLORE.EXE
  PID 3884 wrote to memory of 3508  3884  iexplore.exe  IEXPLORE.EXE
Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\disallowedcert.stl
  PID: 2404
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4024
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\disallowedcert.stl
      PID: 3884
      - Modifies Internet Explorer Phishing Filter
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3884 CREDAT:82945 /prefetch:2
          PID: 3508
          - Modifies Internet Explorer settings

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3096
  - Modifies registry class

    C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\disallowedcert.stl
      PID: 1508
      - Opens file in notepad (likely ransom note)
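Every WriteProcessMemory IoC in this report is a write from a process into the child it had just spawned (4024 into 3884, 3884 into 3508), which is what CreateProcess does while setting up a new process; the signature becomes interesting only when the target is not the writer's own child. The script below is an added example, not tooling from the sandbox: it rebuilds parent/child links from the indented listing above (depth 1 = top-level task, depth n+1 = child of the nearest preceding depth-n entry), parses the IoC lines, and classifies each write. The last WPM line (2404 into 1508) is constructed and does not appear in the report; it is there only to show how a cross-tree write would be flagged.

```python
import re
from collections import defaultdict

# Process tree as listed in the report: (depth, pid, image).
REPORT_TREE = [
    (1, 2404, "cmd.exe"),
    (1, 4024, "OpenWith.exe"),
    (2, 3884, "iexplore.exe"),
    (3, 3508, "IEXPLORE.EXE"),
    (1, 3096, "OpenWith.exe"),
    (2, 1508, "NOTEPAD.EXE"),
]

# "Suspicious use of WriteProcessMemory" IoC lines copied from the report,
# plus one CONSTRUCTED line (PID 2404 -> 1508) that is not in the report.
WPM_LINES = [
    "PID 4024 wrote to memory of 3884 4024 OpenWith.exe iexplore.exe",
    "PID 4024 wrote to memory of 3884 4024 OpenWith.exe iexplore.exe",
    "PID 3884 wrote to memory of 3508 3884 iexplore.exe IEXPLORE.EXE",
    "PID 3884 wrote to memory of 3508 3884 iexplore.exe IEXPLORE.EXE",
    "PID 3884 wrote to memory of 3508 3884 iexplore.exe IEXPLORE.EXE",
    "PID 2404 wrote to memory of 1508 2404 cmd.exe NOTEPAD.EXE",  # constructed, not from the report
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def resolve_parents(tree):
    """Turn the indented listing into {pid: parent_pid} with a depth stack."""
    parents = {}
    stack = []  # stack[i] holds the most recent pid seen at depth i+1
    for depth, pid, _image in tree:
        del stack[depth - 1:]  # drop entries at this depth or deeper
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def classify_writes(lines, parents):
    """Return {(writer, target): (count, verdict)} for every WPM IoC line."""
    counts = defaultdict(int)
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1

    verdicts = {}
    for (src, dst), n in counts.items():
        if parents.get(dst) == src:
            verdict = "parent->child: expected during process creation"
        elif dst in parents:
            verdict = "cross-process write: investigate for injection"
        else:
            verdict = "target pid not in the process tree"
        verdicts[(src, dst)] = (n, verdict)
    return verdicts


if __name__ == "__main__":
    parents = resolve_parents(REPORT_TREE)
    for (src, dst), (n, verdict) in sorted(classify_writes(WPM_LINES, parents).items()):
        print(f"{src} -> {dst} x{n}: {verdict}")
```

On the report's own five IoC lines the output is two parent->child entries and nothing else; only the constructed line produces the injection verdict, which is the condition worth escalating when it appears in a real report.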