Analysis
- max time kernel: 152s
- max time network: 167s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22/01/2022, 01:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
- Resource: win7-en-20211208
General
- Target: a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
- Size: 1.4MB
- MD5: a87401f7224a349d9e93ffb98ba77f14
- SHA1: 9b72bb09f33e4f58329bbd30289615f73283ca41
- SHA256: a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
- SHA512: dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1704  Wfantaw.exe
  340   Wfantaw.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1160  cmd.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments. Disk\Enum\0 holds the friendly name of the first disk, so a hypervisor vendor string there (VMware, VBOX, QEMU and similar) is a common virtual-machine check. Both the original sample and the dropped copy perform the same lookup.
  description        ioc                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    Wfantaw.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  Wfantaw.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe

Suspicious use of SetThreadContext (1 IoC)
  description                         pid   Process      procid_target
  PID 1704 set thread context of 340  1704  Wfantaw.exe  37
procid_target is the report's own index for the target process (37 corresponds to PID 340 throughout this report); it is not a Windows PID.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC is attached to this signature, and the only drive-related events recorded on this page are the Disk\Enum registry reads above. Nothing in the report shows file encryption, so "ransomware" here is the sandbox's heuristic label, not a finding.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1444  schtasks.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs, collapsed by process)
  pid   Process                                                               hits
  960   a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  12
  1704  Wfantaw.exe                                                            4
  340   Wfantaw.exe                                                            15

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1704  Wfantaw.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            960   a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
  Token: SeDebugPrivilege            1704  Wfantaw.exe
  Token: SeDebugPrivilege            340   Wfantaw.exe
  Token: 33                          340   Wfantaw.exe
  Token: SeIncBasePriorityPrivilege  340   Wfantaw.exe
"Token: 33" is a raw privilege value the report did not resolve to a name. SeDebugPrivilege is requested by all three processes; it is the privilege needed to open other processes for writing and is consistent with the injection activity below.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  340   Wfantaw.exe
The report does not record the hook type; SetWindowsHookEx is used for keyboard capture but also for ordinary UI purposes, so this is a lead rather than proof of keylogging.

Suspicious use of WriteProcessMemory (30 IoCs, grouped by writer -> target)
  writer pid  Process                                                               target pid  procid_target  writes
  960         a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  1472        30             4
  960         a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  1444        32             4
  960         a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  1160        34             4
  1160        cmd.exe                                                               1704        36             4
  1704        Wfantaw.exe                                                           340         37             5
  340         Wfantaw.exe                                                           1160        34             9
Reading the table: four writes into each freshly created child is the pattern this sandbox logs for every CreateProcess in this run, including the two short-lived schtasks.exe children, so that count by itself is not injection evidence. The 1704 -> 340 edge is different: Wfantaw.exe starts a second copy of itself, writes into it, maps a section (MapViewOfSection) and then resets the child's thread context (SetThreadContext), which is the process-hollowing sequence. The nine writes from the hollowed child (340) back into cmd.exe (1160), its grandparent, do not fit process creation either and are the other edge worth examining in a memory dump.
Processes

C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  (PID 960)
  command line: "C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe"
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (PID 1472)
    command line: "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /F

  C:\Windows\SysWOW64\schtasks.exe  (PID 1444)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp799550281.tmp"
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe  (PID 1160)
    command line: "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\Wfantaw.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Wfantaw.exe  (PID 1704)
      command line: C:\Users\Admin\AppData\Roaming\Wfantaw.exe
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Wfantaw.exe  (PID 340)
        command line: C:\Users\Admin\AppData\Roaming\Wfantaw.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

Notes on the tree:
- Image paths show SysWOW64 while the command lines name System32 because the sample runs as a 32-bit process on windows7_x64 and WoW64 file system redirection maps its System32 references to SysWOW64.
- The task "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" is first deleted (/Delete /F) and then re-created from an XML definition in the user's Temp folder, which replaces any earlier registration of the same name. The XML file itself is not included in the report, so the trigger and the action it schedules are not known from this page.
- The dropped copy in %APPDATA% is not started directly by the sample but through cmd.exe /K, and that copy then spawns and hollows a second instance of itself (PID 1704 -> PID 340).
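The following is an added example and not part of the sandbox report or the sandbox's own detection logic. It takes the process tree and the WriteProcessMemory, SetThreadContext and MapViewOfSection records exactly as this page lists them (transcribed here as constructed input) and walks them with three small heuristics: a parent that writes into a same-image child and then resets its thread context (hollowing), a process that writes into one of its own ancestors, and a schtasks /Create whose task definition comes from the user's Temp folder. The heuristics and the function names are this example's own.

```python
"""Added example, not part of the sandbox report: rebuild the process tree and
injection edges from the report's own records and flag the hollowing pattern.
The records below are transcribed from the page (constructed input); the
heuristics are this example's own, not the sandbox's detection logic."""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\Wfantaw.exe"
TASK = r"Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp799550281.tmp"

# (pid, parent pid, image path, command line), as listed under "Processes".
PROCESSES = [
    (960,  None, SAMPLE, f'"{SAMPLE}"'),
    (1472, 960,  r"C:\Windows\SysWOW64\schtasks.exe",
     rf'"C:\Windows\System32\schtasks.exe" /Delete /TN "{TASK}" /F'),
    (1444, 960,  r"C:\Windows\SysWOW64\schtasks.exe",
     rf'"C:\Windows\System32\schtasks.exe" /Create /TN "{TASK}" /XML "{TASK_XML}"'),
    (1160, 960,  r"C:\Windows\SysWOW64\cmd.exe",
     rf'"C:\Windows\System32\cmd.exe" /K "{DROPPED}"'),
    (1704, 1160, DROPPED, DROPPED),
    (340,  1704, DROPPED, DROPPED),
]
# (writer pid, target pid) -> number of "wrote to memory of" records in the report.
WRITES = Counter({(960, 1472): 4, (960, 1444): 4, (960, 1160): 4,
                  (1160, 1704): 4, (1704, 340): 5, (340, 1160): 9})
SET_THREAD_CONTEXT = {(1704, 340)}   # "PID 1704 set thread context of 340"
MAP_VIEW_OF_SECTION = {1704}         # MapViewOfSection signature, pid 1704

PARENT = {pid: ppid for pid, ppid, _, _ in PROCESSES}
IMAGE = {pid: img for pid, _, img, _ in PROCESSES}
CMDLINE = {pid: cmd for pid, _, _, cmd in PROCESSES}


def ancestry(pid):
    """pid followed by its parent chain up to the root of the tree."""
    chain = [pid]
    while PARENT.get(chain[-1]) is not None:
        chain.append(PARENT[chain[-1]])
    return chain


def is_ancestor(anc, pid):
    return anc in ancestry(pid)[1:]


def hollowing_candidates():
    """Parent writes into a direct child with the same image and then resets its
    thread context: the process-hollowing sequence. Returns
    (writer, target, write count, writer also mapped a section)."""
    return [(src, dst, n, src in MAP_VIEW_OF_SECTION)
            for (src, dst), n in WRITES.items()
            if PARENT.get(dst) == src and IMAGE[src] == IMAGE[dst]
            and (src, dst) in SET_THREAD_CONTEXT]


def spawn_only_writes():
    """Parent -> direct child writes with no SetThreadContext. The sandbox logs these
    for every CreateProcess (the benign schtasks children show the same four), so
    alone they are not injection evidence."""
    return sorted((src, dst) for (src, dst) in WRITES
                  if PARENT.get(dst) == src and (src, dst) not in SET_THREAD_CONTEXT)


def upward_writes():
    """Writes from a process into one of its own ancestors: never part of process creation."""
    return [(src, dst, n) for (src, dst), n in WRITES.items() if is_ancestor(dst, src)]


def scheduled_task_persistence():
    """schtasks /Create invocations, with task name, XML source and whether the XML
    lives under the user's Temp folder (a dropper writing its own definition)."""
    found = []
    for pid, cmd in CMDLINE.items():
        if not IMAGE[pid].lower().endswith("schtasks.exe") or not re.search(r"/create\b", cmd, re.I):
            continue
        tn = re.search(r'/TN\s+"([^"]+)"', cmd, re.I)
        xml = re.search(r'/XML\s+"([^"]+)"', cmd, re.I)
        from_temp = bool(xml) and "\\appdata\\local\\temp\\" in xml.group(1).lower()
        found.append((pid, tn.group(1) if tn else None, xml.group(1) if xml else None, from_temp))
    return found


def dropped_exe_launched_via_cmd():
    """Dropped EXE instances whose parent is cmd.exe (the cmd /K indirection in the tree)."""
    return [(pid, PARENT[pid]) for pid in IMAGE
            if IMAGE[pid] == DROPPED and IMAGE.get(PARENT.get(pid), "").lower().endswith("cmd.exe")]


if __name__ == "__main__":
    for src, dst, n, mapped in hollowing_candidates():
        print(f"hollowing: {src} -> {dst} ({n} writes, MapViewOfSection={mapped}); chain {ancestry(dst)}")
    for src, dst, n in upward_writes():
        print(f"child writes into ancestor: {src} -> {dst} ({n} writes)")
    for pid, name, xml, temp in scheduled_task_persistence():
        print(f"schtasks /Create by {pid}: task {name!r} from {xml!r} (XML under Temp: {temp})")
    print("spawn-only writes (not injection evidence):", spawn_only_writes())
    print("dropped EXE started via cmd.exe:", dropped_exe_launched_via_cmd())
```

Run as a script it prints the single hollowing edge (1704 -> 340), the 340 -> 1160 writes into cmd.exe, the schtasks registration from Temp, and the four spawn-only edges that should be discounted. The same functions work unchanged on records from another report once they are transcribed into PROCESSES and WRITES, which is the point: the injection verdict comes from the combination of parent/child relation, same image, SetThreadContext and MapViewOfSection, not from the raw WriteProcessMemory count.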