Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211208
submitted: 16-01-2022 12:54
Behavioral task: behavioral1
Sample: b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe
Resource: win7-en-20211208
General
Target: b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe
Size: 241KB
MD5: 7120733f34bb6d7ccf174779d3058d3f
SHA1: f2392bcadf03bc4c253a95199bf4be1947898255
SHA256: b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b
SHA512: c39778c1e678264c15f85db3b1628e3047375f0671bfa2d756efc053e74a7289f9bc5f5807c9e246e625bfe09bc3e9b8590a67fef2a0710032521225a693745e
Malware Config
Extracted
jester
FikusCode
http://jesterdcuxzbey4xvlwwheoecpltru5be2mzuk4w7a7nrhckdjjhrbyd.onion/report/FikusCode
https://api.anonfiles.com/upload?token=d26d620842507144
46378331-3729-449c-9a03-94f385d10a9c
license_key: D1F0DE359CBD562CCF9326AEEEA8E64E
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings | rundll32.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  1736 | NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 428 | b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1560 wrote to memory of 1736 | 1560 | rundll32.exe | 31
  PID 1560 wrote to memory of 1736 | 1560 | rundll32.exe | 31
  PID 1560 wrote to memory of 1736 | 1560 | rundll32.exe | 31
Processes

C:\Users\Admin\AppData\Local\Temp\b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b06cd56bcb2a95ff2861a0257778e3a8911a7a47d81545138f1257a233267f0b.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 428

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\249872103\zmstage.exe.orig
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1560

  C:\Windows\system32\NOTEPAD.EXE (child of PID 1560)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\249872103\zmstage.exe.orig
    - Opens file in notepad (likely ransom note)
    PID: 1736