Analysis

  • max time kernel
    181s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12/12/2021, 04:36 UTC

General

  • Target

    FecitAntiques.exe

  • Size

    12KB

  • MD5

    6ac57a1e090e7abdb9b7212e058c43c6

  • SHA1

    0a1e239348a73b1a95ac1767c8afebe4b98cdeff

  • SHA256

    f2e3f685256e5f31b05fc9f9ca470f527d7fdae28fa3190c8eba179473e20789

  • SHA512

    95748e2a5c90440206a815960eb864b787562d9dbe5d57a3279ef71d24143ff6f0f963925836623bfcb02914c0c0dea3cc0f731860c88101710659c445287a9e

Score
8/10

Malware Config

Signatures

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FecitAntiques.exe
    "C:\Users\Admin\AppData\Local\Temp\FecitAntiques.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO GET YOUR FILES BACK.TXT
      2⤵
        PID:556
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:984
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO GET YOUR FILES BACK.TXT
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:700

Network

  • flag-us
    GET
    http://3.145.115.94/zambos_caldo_de_p.txt
    FecitAntiques.exe
    Remote address:
    3.145.115.94:80
    Request
    GET /zambos_caldo_de_p.txt HTTP/1.1
    Host: 3.145.115.94
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 12 Dec 2021 04:36:33 GMT
    Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.13
    Last-Modified: Sat, 11 Dec 2021 09:11:39 GMT
    ETag: "0-5d2db3a2b1052"
    Accept-Ranges: bytes
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain
  • 3.145.115.94:80
    http://3.145.115.94/zambos_caldo_de_p.txt
    http
    FecitAntiques.exe
    313 B
    399 B
    5
    2

    HTTP Request

    GET http://3.145.115.94/zambos_caldo_de_p.txt

    HTTP Response

    200

MITRE ATT&CK Enterprise v6

Downloads

  • memory/556-58-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

    Filesize

    8KB

  • memory/1628-54-0x0000000000B30000-0x0000000000B31000-memory.dmp

    Filesize

    4KB

  • memory/1628-56-0x000000001B020000-0x000000001B022000-memory.dmp

    Filesize

    8KB