8ce180778adea78c9173f6628fde60f237a214eb15878edca157ae5d3df7b801

Analysis

max time kernel
49s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-09-2022 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FalixNodes-Desktop.exe
Size

67.5MB
MD5

c6a86469d3f1a0fdb567f98e930c4e0f
SHA1

b5a86b9a65707585d96b353db79840f88e118dde
SHA256

8ce180778adea78c9173f6628fde60f237a214eb15878edca157ae5d3df7b801
SHA512

98c14e9608fabd9869967c9e3e162c8486e048490a7424d160e763f3d09d878b86c7645587594d61b3c1714ab588974490fd3d328519da66acec3fd454297127
SSDEEP

1572864:G+MIbSwSwqTb1s97C8SuRWNY71ELTXQlTyNb03ai7bmsjME:GFI2wSwaq97gPAywey3W2b

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 10 IoCs

Processes:

FalixNodes-Desktop.exe

pid	process
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe
1960	FalixNodes-Desktop.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1224 tasklist.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

FalixNodes-Desktop.exetasklist.exe

pid process

1960 FalixNodes-Desktop.exe
1224 tasklist.exe
1224 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exeFalixNodes-Desktop.exe

description pid process

Token: SeDebugPrivilege 1224 tasklist.exe
Token: SeSecurityPrivilege 1960 FalixNodes-Desktop.exe

pid	process
1224	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeSecurityPrivilege	1960	FalixNodes-Desktop.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

FalixNodes-Desktop.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 1384	1960	FalixNodes-Desktop.exe	cmd.exe
PID 1960 wrote to memory of 1384	1960	FalixNodes-Desktop.exe	cmd.exe
PID 1960 wrote to memory of 1384	1960	FalixNodes-Desktop.exe	cmd.exe
PID 1960 wrote to memory of 1384	1960	FalixNodes-Desktop.exe	cmd.exe
PID 1384 wrote to memory of 1224	1384	cmd.exe	tasklist.exe
PID 1384 wrote to memory of 1224	1384	cmd.exe	tasklist.exe
PID 1384 wrote to memory of 1224	1384	cmd.exe	tasklist.exe
PID 1384 wrote to memory of 1224	1384	cmd.exe	tasklist.exe
PID 1384 wrote to memory of 1140	1384	cmd.exe	find.exe
PID 1384 wrote to memory of 1140	1384	cmd.exe	find.exe
PID 1384 wrote to memory of 1140	1384	cmd.exe	find.exe
PID 1384 wrote to memory of 1140	1384	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\FalixNodes-Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\FalixNodes-Desktop.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq FalixNodes Desktop.exe" | find "FalixNodes Desktop.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq FalixNodes Desktop.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\find.exe
find "FalixNodes Desktop.exe"
3⤵
PID:1140

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Programs\FalixNodes Desktop\FalixNodes Desktop.exe
Filesize
28.5MB

MD5
1333f593528d92a63e06154cccb270a9

SHA1
8b8ec1e8fd1150dbd4d7f3ad0a2a7db38c315e06

SHA256
edaaf8530af7031143a758588cfbc2bc7106c0ca69989132e4e38acadebab868

SHA512
80650b284de92a0c9250eb62f8b71bdf63595873c675f3dc6af9b442bbff279919e1946db7473e1a039e421a26ae0df8e2c92f5a6ba836b81bf1ddf23f5ebe4c

Download Submit
\Users\Admin\AppData\Local\Programs\FalixNodes Desktop\FalixNodes Desktop.exe
Filesize
28.0MB

MD5
510bc7f39baade757a9b2745a1969521

SHA1
bd99f9a95a0ecbf95012ca14f44c535acec279a7

SHA256
839c651e15ce1c4e081df9ac8bf8efd82e86311a94266cdc2e5bc236ccca68a3

SHA512
2fea4e7a355dd1d360adefd3f0c997440c16d223694a768f1ca2d50ccffe167d7b6b2dc6a0b25dca399b0b4c0a3d5fd5c0d618644ebfa254c29b09dd391e4dc0

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\LangDLL.dll
Filesize
5KB

MD5
ab1db56369412fe8476fefffd11e4cc0

SHA1
daad036a83b2ee2fa86d840a34a341100552e723

SHA256
6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

SHA512
8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\nsDialogs.dll
Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1140-63-0x0000000000000000-mapping.dmp

Download
memory/1224-62-0x0000000000000000-mapping.dmp

Download
memory/1384-61-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download