Analysis
- max time kernel: 164s
- max time network: 173s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 18:14
Static task: static1

Behavioral task: behavioral1
  Sample: ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe
  Resource: win10-en-20211208
General
- Target: ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe
- Size: 9.4MB
- MD5: e814009f11cdbda4e7758f436664b489
- SHA1: d4902539642022a1495f0dddb63df3c068afa11b
- SHA256: ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec
- SHA512: 7e5ac945e845d35f0e22760aec08da838c257c95d729ad825d7e5b616e99335cc31e98ed4b0fcd873fc67197254381010337188afeef679b665690ba98f45a59
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  Processes:
    PID   Process
    4308  Flooderast.exe
    4392  Flooderaсt.exe
    4340  sysdisk.exe
    4416  sysdisk.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Description        IoC                                                                                              Process
    Key value queried  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation  sysdisk.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Description      IoC                                                                                                                                                              Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation = "C:\\Windows\\System86\\sysdisk.exe"  Flooderast.exe

- Drops file in Windows directory (3 IoCs)
  Processes:
    Description   IoC                                    Process
    File created  C:\Windows\System86\vp8decoder.dll     Flooderast.exe
    File created  C:\Windows\System86\sysdisk.exe        Flooderast.exe
    File created  C:\Windows\System86\vp8encoder.dll     Flooderast.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (2 IoCs)
  Processes:
    Description       IoC                                                                                                                                                Process
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000                        sysdisk.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"  sysdisk.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    PID   Process
    4340  sysdisk.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4416  sysdisk.exe
    4416  sysdisk.exe
    4416  sysdisk.exe
    4416  sysdisk.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Description                      PID   Process
    Token: SeDebugPrivilege          4340  sysdisk.exe
    Token: SeTakeOwnershipPrivilege  4416  sysdisk.exe
    Token: SeTcbPrivilege            4416  sysdisk.exe
    Token: SeTcbPrivilege            4416  sysdisk.exe

- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes:
    PID   Process
    4308  Flooderast.exe
    4392  Flooderaсt.exe
    4308  Flooderast.exe
    4308  Flooderast.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4340  sysdisk.exe
    4416  sysdisk.exe
    4416  sysdisk.exe
    4416  sysdisk.exe
    4416  sysdisk.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    Description                       PID   Process                                                                   procid_target
    PID 3640 wrote to memory of 4308  3640  ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe  69
    PID 3640 wrote to memory of 4308  3640  ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe  69
    PID 3640 wrote to memory of 4308  3640  ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe  69
    PID 3640 wrote to memory of 4392  3640  ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe  71
    PID 3640 wrote to memory of 4392  3640  ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe  71
    PID 4308 wrote to memory of 4340  4308  Flooderast.exe                                                            72
    PID 4308 wrote to memory of 4340  4308  Flooderast.exe                                                            72
    PID 4308 wrote to memory of 4340  4308  Flooderast.exe                                                            72
Processes
C:\Users\Admin\AppData\Local\Temp\ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3640

  C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4308

    C:\Windows\System86\sysdisk.exe
      Command line: "C:\Windows\System86\sysdisk.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4340

      C:\Windows\System86\sysdisk.exe
        Command line: C:\Windows\System86\sysdisk.exe -second
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 4416

  C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 4392
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fdb20ee2562716738eaa9fc77768d848
  SHA1: 2fcbeb6bea3a6d5369eb172a7257c262a6e257f3
  SHA256: d123b427da845ab39e917a4c0e1690d733865a144f74e3f35462ca7a1bbdf8a0
  SHA512: 12fcab1ca583e3574a3b489cb36ab740349ca6c459cf63a25160e057b8a63c2094185ecb2b336d7c7c9b55a48472b472d58d9342f5a9e52938aab0d9f36c4051

- MD5: fdb20ee2562716738eaa9fc77768d848
  SHA1: 2fcbeb6bea3a6d5369eb172a7257c262a6e257f3
  SHA256: d123b427da845ab39e917a4c0e1690d733865a144f74e3f35462ca7a1bbdf8a0
  SHA512: 12fcab1ca583e3574a3b489cb36ab740349ca6c459cf63a25160e057b8a63c2094185ecb2b336d7c7c9b55a48472b472d58d9342f5a9e52938aab0d9f36c4051

- MD5: 453ac2dbdd8a83f47e2e7108f4c3fc57
  SHA1: 2e44ec77a80198d8076882cf1d9800933b9d10c5
  SHA256: ee6a81b9219588dc917fac4307919dcb26d6b9f6a5f847aed9f9053a8fbae101
  SHA512: 2e6428ed55d3103d2602a5da182fa74a046bb64979e18db1fa6d32eff18320ca576404c9f56a01dfd121da1e72c71b423089bdd40b7586c7cb7409a2feb0b46b

- MD5: 92aee365c9fab710fa68b362e5910264
  SHA1: a145a246311bed3c4c5e14332618795a189e13a4
  SHA256: 0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713
  SHA512: 6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

- MD5: 92aee365c9fab710fa68b362e5910264
  SHA1: a145a246311bed3c4c5e14332618795a189e13a4
  SHA256: 0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713
  SHA512: 6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

- MD5: 92aee365c9fab710fa68b362e5910264
  SHA1: a145a246311bed3c4c5e14332618795a189e13a4
  SHA256: 0d5373376ab09d8d286732008b15a5bdf34ec9fa7492504e2634bb2490760713
  SHA512: 6c37048df8bb80cc04453859ef86cc89e866c21fc3f24930aa7dfe6114ffba6fd82204d15e69d30f2b8b326ea31737af17a2729f1272e515a05f9af6ea8e84e9

- MD5: d43fa82fab5337ce20ad14650085c5d9
  SHA1: 678aa092075ff65b6815ffc2d8fdc23af8425981
  SHA256: c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
  SHA512: 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

- MD5: dab4646806dfca6d0e0b4d80fa9209d6
  SHA1: 8244dfe22ec2090eee89dad103e6b2002059d16a
  SHA256: cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
  SHA512: aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7