e51fac7b628d87ce19590c1915ecf3ab3d678fd1ccdf2b94ff80991bf1f9718c

Analysis

max time kernel
51s
max time network
128s
platform
windows10_x64
resource
win10v20210408
submitted
09-09-2021 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

falsh update!.exe
Size

1.3MB
MD5

8562340b6ba907f77a6beb7b3a297fd5
SHA1

85119ad0ed933e64039071365b93bfd3d76d24fe
SHA256

e51fac7b628d87ce19590c1915ecf3ab3d678fd1ccdf2b94ff80991bf1f9718c
SHA512

4c576bf81ea7ec78732750d04b536f39962cb72a3d178e220978ca9c9075ec6a370cba6882d2aacd2013951f49ca4360b13397bc7a280f2c9be5e6019a8e251a

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	936	svchost.exe
Token: SeCreatePagefilePrivilege	936	svchost.exe
Token: SeLoadDriverPrivilege	2256	svchost.exe
Token: SeShutdownPrivilege	936	svchost.exe
Token: SeCreatePagefilePrivilege	936	svchost.exe
Token: SeLoadDriverPrivilege	2256	svchost.exe

C:\Users\Admin\AppData\Local\Temp\falsh update!.exe
"C:\Users\Admin\AppData\Local\Temp\falsh update!.exe"
1⤵
PID:740

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2256

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Users\Admin\AppData\Local\Temp\falsh update!.exe
"C:\Users\Admin\AppData\Local\Temp\falsh update!.exe"
1⤵
PID:740

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2256

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads