Analysis
- max time kernel: 152s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 06-03-2022 13:36
Behavioral task: behavioral1
- Sample: f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
- Resource: win7-20220223-en
- Platform: windows7_x64
- 0 signatures, 0 seconds
General
- Target: f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe
- Size: 58KB
- MD5: f70293d937d4cab1a4d5e7149be6e670
- SHA1: 79d2b78cb813dd6adf3fc24c05daeab403d15f3d
- SHA256: f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc
- SHA512: 3f935b783ff3c146c2d5742d9567353144a9bc447d06d33fb612c9eb8fdfa6a7137996ee77c390476af42b84159e7f8e8ecb354a65d2e2858760aba42a642c09
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Process: fwdrfinish.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Process: fwdrfinish.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Process: fwdrfinish.exe, PID 3204 (12 events)
- Suspicious behavior: RenamesItself (1 IoC)
  Process: f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe, PID 3352
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 116 (f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe) wrote to memory of PID 3352 (f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe): 3 events
  - PID 1636 (fwdrfinish.exe) wrote to memory of PID 3204 (fwdrfinish.exe): 3 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe (PID 116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe (PID 3352)
    Command line: --854cc15c
    - Suspicious behavior: RenamesItself
- [1] C:\Windows\SysWOW64\fwdrfinish.exe (PID 1636)
  Command line: "C:\Windows\SysWOW64\fwdrfinish.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\fwdrfinish.exe (PID 3204)
    Command line: --fa3ce5e4
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
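Added example, not part of the Triage report or the sample: a small Python triage helper that parses the flattened signature strings above (embedded verbatim as constructed input), rebuilds the parent/child relations from the WriteProcessMemory entries, picks out the `--<8 hex digits>` self-relaunch argument both top-level processes use, and separates hunt-worthy indicators (the hashes, the SysWOW64 image path, the relaunch argument shape) from background artefacts. Treating the `systemprofile\...\INet*` paths and the `CachePrefix` values as WinINet first-use defaults for a 32-bit process running as SYSTEM is my assumption from standard WinINet behaviour; the report only records that fwdrfinish.exe touched them. All function names are mine.

```python
"""Added example, not part of the Triage report: parse the flattened signature
blocks into structured IoCs, rebuild parent/child relations from the
WriteProcessMemory entries, and split hunt-worthy indicators from WinINet noise."""
import re
from collections import Counter, defaultdict

SAMPLE = "f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP_DIR + "\\" + SAMPLE
FWDR_PATH = r"C:\Windows\SysWOW64\fwdrfinish.exe"
HASHES = {  # from the General section of the report
    "md5": "f70293d937d4cab1a4d5e7149be6e670",
    "sha1": "79d2b78cb813dd6adf3fc24c05daeab403d15f3d",
    "sha256": "f570f153b8e834fe30a3ba90aeb618a0e9e5926d0df533781f121dc784f9d3bc",
}

# Constructed inputs: the IoC strings exactly as the report prints them.
FILE_IOCS = (
    r"File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies fwdrfinish.exe "
    r"File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 fwdrfinish.exe "
    r"File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 fwdrfinish.exe "
    r"File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE fwdrfinish.exe"
)
REG_IOCS = (
    r"Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix fwdrfinish.exe "
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" fwdrfinish.exe '
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" fwdrfinish.exe'
)
WPM_IOCS = (f"PID 116 wrote to memory of 3352 116 {SAMPLE} {SAMPLE} " * 3
            + "PID 1636 wrote to memory of 3204 1636 fwdrfinish.exe fwdrfinish.exe " * 3)
# (depth, image path, command line) rows of the report's process tree.
PROCESS_TREE = [
    (1, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (2, SAMPLE_PATH, "--854cc15c"),
    (1, FWDR_PATH, f'"{FWDR_PATH}"'),
    (2, FWDR_PATH, "--fa3ce5e4"),
]

FILE_RE = re.compile(r"File opened for modification (\S+) (\S+\.exe)")
# Registry keys may contain spaces ("Internet Settings"), so the key is lazy
# and terminated by an optional = "value" and the trailing process name.
REG_RE = re.compile(r'Set value \(str\) (.+?)(?: = "([^"]*)")? (\S+\.exe)')
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+\.exe) (\S+\.exe)")
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")
# Assumption: these are what WinINet creates on first use under the SYSTEM
# profile (SysWOW64 variant for a 32-bit process); alone they only say
# "a 32-bit SYSTEM process used WinINet", not which one.
WININET_NOISE = re.compile(
    r"\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\(INetCookies|INetCache|History)"
    r"|\\Internet Settings\\5\.0\\Cache\\(Content|Cookies|History)\\CachePrefix$",
    re.IGNORECASE,
)


def parse_file_iocs(text):
    """[{path, process}] from a 'File opened for modification ...' run."""
    return [{"path": p, "process": proc} for p, proc in FILE_RE.findall(text)]


def parse_registry_iocs(text):
    """[{key, value, process}]; value is None when the report shows none."""
    return [{"key": m.group(1), "value": m.group(2), "process": m.group(3)}
            for m in REG_RE.finditer(text)]


def parse_wpm_edges(text):
    """Counter of (parent_pid, parent_image, child_pid, child_image) -> events."""
    edges = Counter()
    for ppid, cpid, pimg, cimg in WPM_RE.findall(text):
        edges[(int(ppid), pimg, int(cpid), cimg)] += 1
    return edges


def build_tree(edges):
    """parent pid -> [(child pid, child image)] derived from the WPM edges."""
    tree = defaultdict(list)
    for ppid, _pimg, cpid, cimg in edges:
        tree[ppid].append((cpid, cimg))
    return dict(tree)


def self_reexec_edges(edges):
    """Edges where a parent wrote into a child running the same image."""
    return sorted(e for e in edges if e[1].lower() == e[3].lower())


def relaunch_children(tree_rows):
    """Non-root processes whose whole command line is one --<8 hex> token."""
    return [(img, cmd) for depth, img, cmd in tree_rows
            if depth > 1 and RELAUNCH_ARG.match(cmd)]


def hunt_list(tree_rows, file_iocs, reg_iocs, hashes):
    """Indicators worth searching other hosts for; WinINet artefacts kept apart."""
    images = sorted({img for _d, img, _c in tree_rows if not img.startswith(TEMP_DIR)})
    noise = [f["path"] for f in file_iocs if WININET_NOISE.search(f["path"])]
    noise += [r["key"] for r in reg_iocs if WININET_NOISE.search(r["key"])]
    return {"hashes": hashes, "images": images,
            "relaunch_args": [c for _i, c in relaunch_children(tree_rows)],
            "wininet_noise": noise}


if __name__ == "__main__":
    for edge, n in parse_wpm_edges(WPM_IOCS).items():
        print(f"{edge[0]} ({edge[1]}) -> {edge[2]} ({edge[3]}): {n} WriteProcessMemory events")
    for k, v in hunt_list(PROCESS_TREE, parse_file_iocs(FILE_IOCS),
                          parse_registry_iocs(REG_IOCS), HASHES).items():
        print(k, v)
```

Two caveats the report itself imposes: it lists no file write of fwdrfinish.exe by the sample, so the link between the submitted binary and the SysWOW64 process is a pattern match (same relaunch style) rather than a recorded drop, and the three WriteProcessMemory events per child are consistent with a parent setting up a freshly spawned copy of itself; confirming hollowing or injection needs the child's memory, not this log.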