Analysis
-
max time kernel
1724s -
max time network
1742s -
platform
windows7_x64 -
resource
win7-en -
submitted
14-09-2021 08:44
Static task
static1
Behavioral task
behavioral1
Sample
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe
Resource
win10v20210408
General
-
Target
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe
-
Size
122KB
-
MD5
1df36997a8f9096272006b365a68a76d
-
SHA1
2496712427d789d1bd804835e81d5a210fb5bff8
-
SHA256
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b
-
SHA512
c2701d71d52854a08f1daacb0d523d12e40096c33feef161fc992a3dda2a16f58de997dfde33c66cb1128a3a61a6a8e1e5425a936bc0f2ba83b3ad6696bf9b3d
Malware Config
Extracted
C:\nq7wr59-readme.txt
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA46CC3BDC2A9E4E
http://decoder.re/FA46CC3BDC2A9E4E
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\EnterOut.tiff => \??\c:\users\admin\pictures\EnterOut.tiff.nq7wr59 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\users\admin\pictures\InstallSearch.tiff fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\InstallSearch.tiff => \??\c:\users\admin\pictures\InstallSearch.tiff.nq7wr59 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\users\admin\pictures\JoinSwitch.tiff fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\MeasureComplete.raw => \??\c:\users\admin\pictures\MeasureComplete.raw.nq7wr59 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\ResolveWrite.crw => \??\c:\users\admin\pictures\ResolveWrite.crw.nq7wr59 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\ClearExport.raw => \??\c:\users\admin\pictures\ClearExport.raw.nq7wr59 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\users\admin\pictures\EnterOut.tiff fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\JoinSwitch.tiff => \??\c:\users\admin\pictures\JoinSwitch.tiff.nq7wr59 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process File opened (read-only) \??\X: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\A: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\K: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\O: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\Q: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\R: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\W: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\B: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\E: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\L: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\N: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\T: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\D: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\G: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\H: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\I: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\M: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\S: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\Z: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\F: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\J: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\P: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\U: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\V: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\Y: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tqir122g1.bmp" fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Drops file in Program Files directory 20 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process File created \??\c:\program files\tmp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\nq7wr59-readme.txt fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\ConvertToSet.wmf fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\DenyResume.i64 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\EnterResume.wdp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files\nq7wr59-readme.txt fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\tmp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\ReadCopy.mp2 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\TestMerge.wps fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\RemoveGrant.tiff fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\SubmitInstall.eprtx fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\SuspendComplete.clr fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\tmp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\nq7wr59-readme.txt fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\RestorePublish.WTV fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\UseSet.wm fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\nq7wr59-readme.txt fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\nq7wr59-readme.txt fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exepid process 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exevssvc.exedescription pid process Token: SeDebugPrivilege 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe Token: SeTakeOwnershipPrivilege 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe Token: SeBackupPrivilege 548 vssvc.exe Token: SeRestorePrivilege 548 vssvc.exe Token: SeAuditPrivilege 548 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription pid process target process PID 1032 wrote to memory of 592 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe netsh.exe PID 1032 wrote to memory of 592 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe netsh.exe PID 1032 wrote to memory of 592 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe netsh.exe PID 1032 wrote to memory of 592 1032 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵PID:592
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1784
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:548