Analysis
- max time kernel: 132s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18/04/2022, 21:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
- Resource: win7-20220414-en
General
- Target: b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
- Size: 1.0MB
- MD5: cecb88d07ae96dcfe8c2c36fa096fb41
- SHA1: c9c84b92a258e49289b8195b6b8509a9960c5495
- SHA256: b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42
- SHA512: a76e008687d948a34903de4ac4339e253664002d9e602c70b461373c17c197001af3ca74e0724505329bab0b720ac3c56838f0efb9663f841579b9ee24f8db8e
Malware Config
Extracted
- Family: arkei
- Botnet: Default
- C2: http://tommytshop.com/KNOuG8qeID.php
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  3572  Facilita.exe.pif
  4192  ipconfig.exe
  3824  ipconfig.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  Process: b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 3572 set thread context of 3824
  pid: 3572
  Process: Facilita.exe.pif
  procid_target: 94

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  4372  tasklist.exe
  4184  tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
  pid   Process
  4192  ipconfig.exe
  3824  ipconfig.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  3572  Facilita.exe.pif
  3572  Facilita.exe.pif

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             pid   Process
  Token: SeDebugPrivilege  4372  tasklist.exe
  Token: SeDebugPrivilege  4184  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  3572  Facilita.exe.pif
  3572  Facilita.exe.pif
  3572  Facilita.exe.pif

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  3572  Facilita.exe.pif
  3572  Facilita.exe.pif
  3572  Facilita.exe.pif

Suspicious use of WriteProcessMemory (37 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 3848 wrote to memory of 4152     3848  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe  80
  PID 3848 wrote to memory of 4152     3848  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe  80
  PID 3848 wrote to memory of 4152     3848  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe  80
  PID 4152 wrote to memory of 2960     4152  cmd.exe                                                                  82
  PID 4152 wrote to memory of 2960     4152  cmd.exe                                                                  82
  PID 4152 wrote to memory of 2960     4152  cmd.exe                                                                  82
  PID 2960 wrote to memory of 4372     2960  cmd.exe                                                                  83
  PID 2960 wrote to memory of 4372     2960  cmd.exe                                                                  83
  PID 2960 wrote to memory of 4372     2960  cmd.exe                                                                  83
  PID 2960 wrote to memory of 4684     2960  cmd.exe                                                                  84
  PID 2960 wrote to memory of 4684     2960  cmd.exe                                                                  84
  PID 2960 wrote to memory of 4684     2960  cmd.exe                                                                  84
  PID 2960 wrote to memory of 4184     2960  cmd.exe                                                                  85
  PID 2960 wrote to memory of 4184     2960  cmd.exe                                                                  85
  PID 2960 wrote to memory of 4184     2960  cmd.exe                                                                  85
  PID 2960 wrote to memory of 4224     2960  cmd.exe                                                                  86
  PID 2960 wrote to memory of 4224     2960  cmd.exe                                                                  86
  PID 2960 wrote to memory of 4224     2960  cmd.exe                                                                  86
  PID 2960 wrote to memory of 4256     2960  cmd.exe                                                                  87
  PID 2960 wrote to memory of 4256     2960  cmd.exe                                                                  87
  PID 2960 wrote to memory of 4256     2960  cmd.exe                                                                  87
  PID 2960 wrote to memory of 3572     2960  cmd.exe                                                                  88
  PID 2960 wrote to memory of 3572     2960  cmd.exe                                                                  88
  PID 2960 wrote to memory of 3572     2960  cmd.exe                                                                  88
  PID 2960 wrote to memory of 3832     2960  cmd.exe                                                                  89
  PID 2960 wrote to memory of 3832     2960  cmd.exe                                                                  89
  PID 2960 wrote to memory of 3832     2960  cmd.exe                                                                  89
  PID 3848 wrote to memory of 772      3848  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe  90
  PID 3848 wrote to memory of 772      3848  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe  90
  PID 3848 wrote to memory of 772      3848  b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe  90
  PID 3572 wrote to memory of 4192     3572  Facilita.exe.pif                                                         93
  PID 3572 wrote to memory of 4192     3572  Facilita.exe.pif                                                         93
  PID 3572 wrote to memory of 4192     3572  Facilita.exe.pif                                                         93
  PID 3572 wrote to memory of 3824     3572  Facilita.exe.pif                                                         94
  PID 3572 wrote to memory of 3824     3572  Facilita.exe.pif                                                         94
  PID 3572 wrote to memory of 3824     3572  Facilita.exe.pif                                                         94
  PID 3572 wrote to memory of 3824     3572  Facilita.exe.pif                                                         94
Processes

C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3848

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Prende.avi
    - Suspicious use of WriteProcessMemory
    PID: 4152

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      PID: 2960

      C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI "imagename eq BullGuardCore.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 4372

      C:\Windows\SysWOW64\find.exe
        Command line: find /I /N "bullguardcore.exe"
        PID: 4684

      C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI "imagename eq PSUAService.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 4184

      C:\Windows\SysWOW64\find.exe
        Command line: find /I /N "psuaservice.exe"
        PID: 4224

      C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^NUUynCAavFAplJqoVmuufnwKZBZrOIjeTJnZmiZkDkIOfSUZXlxJinxfTluWCvDOzbdBlwJOmVCtQjcuHZuEhCVcgpyfwrIiHUcRCaPWAGpjVdmGPZgDdZAQCVjwVxMvj$" Sta.avi
        PID: 4256

      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facilita.exe.pif
        Command line: Facilita.exe.pif v
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3572

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
          - Executes dropped EXE
          - Gathers network information
          PID: 4192

        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
          - Executes dropped EXE
          - Gathers network information
          PID: 3824

      C:\Windows\SysWOW64\waitfor.exe
        Command line: waitfor /t 5 GEThfMyymbuCdIfkGFZsHou
        PID: 3832

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    PID: 772
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 300B
  MD5: 00c8bb4c8deebfc13bdbef52a5e68288
  SHA1: 110beb6ebed3f132f67d1b0c11aed92688fc2087
  SHA256: f5dba9dc47ac79267fd75bafd0b4aa7c1a9c264758fde79c4f433a52b1c569bf
  SHA512: 8a0ccf53135e38357c0038c4db199bafc1b5101a8a8c5ccb69f4f0d1b3f45ee499a09eed9ce81421ce9304ec26915ea44e28d0d44ced469cb31e4c86e065389b

- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

- Filesize: 886KB
  MD5: aea8833bffe4ce594e3c4e91221c8af5
  SHA1: 409a0890a367cd616332e12595a99d59a7202252
  SHA256: 90d76daf5aa4b3e943d7c62b4b0d6158b27b701681de367fea5a68f783a4d68c
  SHA512: d71d5b3cbdedc93d3765633e4bcf6773dccf757e6b4a2577ba4b50f00d846df9ebdb2a798dff5792113473c2c87143dfad7560993eaf8e56a0abdf34b3e40e32

- Filesize: 12KB
  MD5: 7b4e1751aede86d7ea3baf70197d5100
  SHA1: d0e0d38a082856099dc4281cd1aa682967f0ec30
  SHA256: dd31a753bb208ab540d90b59403d5fb3fde0a9e9cb3e34fabdce32f4eb96a6de
  SHA512: 187deed79b33ae102de3315463add8c4a0463e851b9beadecdf322626513f5f405e1a2d4fe11f2e6046816a3eb346b1191be109d6d29e8f783a4e0b2f13f12c6

- Filesize: 872KB
  MD5: 78f6902df03a74470cc85906d390bf68
  SHA1: 2a07d672c000e26c8953e9e8c8ff0c1c33db9d06
  SHA256: 0d07d4825c918b092fde380263aaae1d08a6081456dd406c7485588bea625c5a
  SHA512: fb472adfef4d72f2762bafc364558c5b186019d3aad314256e54335c6366f42f49e6061606e74dcbd246333375b528ee5d4dd105538fe3b1be7cfabdc03b789a

- Filesize: 28KB
  MD5: 3a3b9a5e00ef6a3f83bf300e2b6b67bb
  SHA1: 261127183df2987de2239806dd74fe624c430608
  SHA256: 87b036c720fbd5e63355b9920a2864feaf59b1584ebd8458651936ab8c7c1f81
  SHA512: 21df8867246a9c5834253c0d2c2de3e620e9f8b4b031b9e53cb6082eca78b90bdb09b9e8baf39e05a08b859f81b3aecbc34f3540428cef0bed746d7e769f2f04

- Filesize: 28KB
  MD5: 3a3b9a5e00ef6a3f83bf300e2b6b67bb
  SHA1: 261127183df2987de2239806dd74fe624c430608
  SHA256: 87b036c720fbd5e63355b9920a2864feaf59b1584ebd8458651936ab8c7c1f81
  SHA512: 21df8867246a9c5834253c0d2c2de3e620e9f8b4b031b9e53cb6082eca78b90bdb09b9e8baf39e05a08b859f81b3aecbc34f3540428cef0bed746d7e769f2f04