Analysis

max time kernel: 153s
max time network: 152s
platform: windows10_x64
resource: win10-en-20211208
submitted: 22/01/2022, 01:10

Static task: static1
Behavioral task: behavioral1
Sample: a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
Resource: win7-en-20211208
General

Target: a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
Size: 1.4MB
MD5: a87401f7224a349d9e93ffb98ba77f14
SHA1: 9b72bb09f33e4f58329bbd30289615f73283ca41
SHA256: a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814
SHA512: dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1448  Wfantaw.exe
  2196  Wfantaw.exe

Drops desktop.ini file(s) (2 IoCs)
  description                   ioc                               Process
  File created                  C:\Windows\assembly\Desktop.ini   Wfantaw.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini   Wfantaw.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                            Process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0    Wfantaw.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum      a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0    a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum      Wfantaw.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process      procid_target
  PID 1448 set thread context of 2196   1448  Wfantaw.exe  79

Drops file in Windows directory (3 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\assembly               Wfantaw.exe
  File created                  C:\Windows\assembly\Desktop.ini   Wfantaw.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini   Wfantaw.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  856   schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  1448  Wfantaw.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
  Token: SeDebugPrivilege            1448  Wfantaw.exe
  Token: SeDebugPrivilege            2196  Wfantaw.exe
  Token: 33                          2196  Wfantaw.exe
  Token: SeIncBasePriorityPrivilege  2196  Wfantaw.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2196  Wfantaw.exe
Suspicious use of WriteProcessMemory (25 IoCs)
  description                      pid   Process                                                                  procid_target
  PID 1016 wrote to memory of 580  1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  72
  PID 1016 wrote to memory of 580  1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  72
  PID 1016 wrote to memory of 580  1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  72
  PID 1016 wrote to memory of 856  1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  74
  PID 1016 wrote to memory of 856  1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  74
  PID 1016 wrote to memory of 856  1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  74
  PID 1016 wrote to memory of 1212 1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  76
  PID 1016 wrote to memory of 1212 1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  76
  PID 1016 wrote to memory of 1212 1016  a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe  76
  PID 1212 wrote to memory of 1448 1212  cmd.exe                                                                  78
  PID 1212 wrote to memory of 1448 1212  cmd.exe                                                                  78
  PID 1212 wrote to memory of 1448 1212  cmd.exe                                                                  78
  PID 1448 wrote to memory of 2196 1448  Wfantaw.exe                                                              79
  PID 1448 wrote to memory of 2196 1448  Wfantaw.exe                                                              79
  PID 1448 wrote to memory of 2196 1448  Wfantaw.exe                                                              79
  PID 1448 wrote to memory of 2196 1448  Wfantaw.exe                                                              79
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
  PID 2196 wrote to memory of 1212 2196  Wfantaw.exe                                                              76
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe"
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1016

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /F
        PID: 580

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp409242927.tmp"
        - Creates scheduled task(s)
        PID: 856

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\Wfantaw.exe"
        - Suspicious use of WriteProcessMemory
        PID: 1212

        [3] C:\Users\Admin\AppData\Roaming\Wfantaw.exe
            Command line: C:\Users\Admin\AppData\Roaming\Wfantaw.exe
            - Executes dropped EXE
            - Maps connected drives based on registry
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1448

            [4] C:\Users\Admin\AppData\Roaming\Wfantaw.exe
                Command line: C:\Users\Admin\AppData\Roaming\Wfantaw.exe
                - Executes dropped EXE
                - Drops desktop.ini file(s)
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 2196