Analysis

max time kernel:   43s
max time network:  48s
platform:          windows7_x64
resource:          win7-20220414-en
submitted:         18/04/2022, 21:07

Static task:       static1
Behavioral task:   behavioral1
Sample:            b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
Resource:          win7-20220414-en
General

Target:  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
Size:    1.0MB
MD5:     cecb88d07ae96dcfe8c2c36fa096fb41
SHA1:    c9c84b92a258e49289b8195b6b8509a9960c5495
SHA256:  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42
SHA512:  a76e008687d948a34903de4ac4339e253664002d9e602c70b461373c17c197001af3ca74e0724505329bab0b720ac3c56838f0efb9663f841579b9ee24f8db8e
Malware Config
Signatures

Executes dropped EXE (1 IoC)
    PID 1756  Facilita.exe.pif

Deletes itself (1 IoC)
    PID 764   cmd.exe

Loads dropped DLL (1 IoC)
    PID 944   cmd.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
    PID 1964  tasklist.exe
    PID 1744  tasklist.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege  PID 1744  tasklist.exe
    Token: SeDebugPrivilege  PID 1964  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
    PID 1756  Facilita.exe.pif  (reported 3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
    PID 1756  Facilita.exe.pif  (reported 3 times)

Suspicious use of WriteProcessMemory (36 IoCs; each row below was reported 4 times)
    Source PID  Target PID  procid_target  Source process
    1100        2040        27             b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
    2040        944         29             cmd.exe
    944         1744        30             cmd.exe
    944         2000        31             cmd.exe
    944         1964        33             cmd.exe
    944         1736        34             cmd.exe
    944         1700        35             cmd.exe
    944         1756        36             cmd.exe
    1100        764         37             b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
    command: "C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe"
    PID: 1100
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        command: "C:\Windows\System32\cmd.exe" /c cmd < Prende.avi
        PID: 2040
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            command: cmd
            PID: 944
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\tasklist.exe
                command: tasklist /FI "imagename eq BullGuardCore.exe"
                PID: 1744
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\find.exe
                command: find /I /N "bullguardcore.exe"
                PID: 2000

            C:\Windows\SysWOW64\tasklist.exe
                command: tasklist /FI "imagename eq PSUAService.exe"
                PID: 1964
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\find.exe
                command: find /I /N "psuaservice.exe"
                PID: 1736

            C:\Windows\SysWOW64\findstr.exe
                command: findstr /V /R "^NUUynCAavFAplJqoVmuufnwKZBZrOIjeTJnZmiZkDkIOfSUZXlxJinxfTluWCvDOzbdBlwJOmVCtQjcuHZuEhCVcgpyfwrIiHUcRCaPWAGpjVdmGPZgDdZAQCVjwVxMvj$" Sta.avi
                PID: 1700

            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facilita.exe.pif
                command: Facilita.exe.pif v
                PID: 1756
                - Executes dropped EXE
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\cmd.exe
        command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        PID: 764
        - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads