Analysis
- max time kernel: 51s
- max time network: 128s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 09-09-2021 12:56
Static task: static1

Behavioral task: behavioral1
- Sample: falsh update!.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: falsh update!.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: falsh update!.exe
- Size: 1.3MB
- MD5: 8562340b6ba907f77a6beb7b3a297fd5
- SHA1: 85119ad0ed933e64039071365b93bfd3d76d24fe
- SHA256: e51fac7b628d87ce19590c1915ecf3ab3d678fd1ccdf2b94ff80991bf1f9718c
- SHA512: 4c576bf81ea7ec78732750d04b536f39962cb72a3d178e220978ca9c9075ec6a370cba6882d2aacd2013951f49ca4360b13397bc7a280f2c9be5e6019a8e251a
- Score: 9/10
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (4 IoCs)
  Processes: svchost.exe, svchost.exe
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: svchost.exe, svchost.exe, svchost.exe, svchost.exe
  description | pid | process
  Token: SeShutdownPrivilege | 936 | svchost.exe
  Token: SeCreatePagefilePrivilege | 936 | svchost.exe
  Token: SeLoadDriverPrivilege | 2256 | svchost.exe
  Token: SeShutdownPrivilege | 936 | svchost.exe
  Token: SeCreatePagefilePrivilege | 936 | svchost.exe
  Token: SeLoadDriverPrivilege | 2256 | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\falsh update!.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\falsh update!.exe"
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Local\Temp\falsh update!.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\falsh update!.exe"
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Suspicious use of AdjustPrivilegeToken