Analysis
-
max time kernel
49s
-
max time network
46s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
-
submitted
23-09-2022 06:40
Static task
static1
Behavioral task
behavioral1
Sample
FalixNodes-Desktop.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
FalixNodes-Desktop.exe
Resource
win10v2004-20220812-en
General
-
Target
FalixNodes-Desktop.exe
-
Size
67.5MB
-
MD5
c6a86469d3f1a0fdb567f98e930c4e0f
-
SHA1
b5a86b9a65707585d96b353db79840f88e118dde
-
SHA256
8ce180778adea78c9173f6628fde60f237a214eb15878edca157ae5d3df7b801
-
SHA512
98c14e9608fabd9869967c9e3e162c8486e048490a7424d160e763f3d09d878b86c7645587594d61b3c1714ab588974490fd3d328519da66acec3fd454297127
-
SSDEEP
1572864:G+MIbSwSwqTb1s97C8SuRWNY71ELTXQlTyNb03ai7bmsjME:GFI2wSwaq97gPAywey3W2b
Malware Config
Signatures
-
Loads dropped DLL 10 IoCs
Processes:
pid   process                  events
1960  FalixNodes-Desktop.exe   10
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour", but on its own it is a weak indicator: installers trigger it too, and nothing else in this report (no encryption activity, no mass file writes, a dropped-file set consisting of standard NSIS plugins plus the application executable) supports that reading.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process                  events
1960  FalixNodes-Desktop.exe   1
1224  tasklist.exe             2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
pid   process                  token
1224  tasklist.exe             SeDebugPrivilege
1960  FalixNodes-Desktop.exe   SeSecurityPrivilege
tasklist.exe enabling SeDebugPrivilege is what the tool itself does whenever it lists processes, so that row says nothing about the sample beyond the fact that it ran tasklist.
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
writer pid  writer process          target pid  target process   events
1960        FalixNodes-Desktop.exe  1384        cmd.exe          4
1384        cmd.exe                 1224        tasklist.exe     4
1384        cmd.exe                 1140        find.exe         4
Every target is the writer's own direct child in the process tree below, which is the footprint process creation leaves in this signature; there is no write into an unrelated (pre-existing) process, so this is not evidence of injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FalixNodes-Desktop.exe (depth 1, pid 1960)
command line: "C:\Users\Admin\AppData\Local\Temp\FalixNodes-Desktop.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe (depth 2, pid 1384)
    command line: cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq FalixNodes Desktop.exe" | find "FalixNodes Desktop.exe"
    - Suspicious use of WriteProcessMemory
    -
        C:\Windows\SysWOW64\tasklist.exe (depth 3, pid 1224)
        command line: tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq FalixNodes Desktop.exe"
        - Enumerates processes with tasklist
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        -
        C:\Windows\SysWOW64\find.exe (depth 3, pid 1140)
        command line: find "FalixNodes Desktop.exe"
The only child activity is this one pipeline: the installer asks tasklist for an instance of "FalixNodes Desktop.exe" owned by the current user (%USERNAME% expands to Admin in the sandbox) and pipes the output through find, i.e. a check for an already-running copy of the application before installing over it. cmd.exe, tasklist.exe and find.exe come from SysWOW64, so the installer runs as a 32-bit process on this 64-bit image (consistent with the arch:x86 resource tag).
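To make the reading of the tree above reproducible, here is an added triage helper (written for this page, not code from the sandbox or from the FalixNodes project). The WriteProcessMemory events, the parent/child relationships and the command lines are transcribed from the report; the "running-instance-check" rule is this example's own heuristic, not a sandbox signature.

```python
"""Rebuild the sandbox process tree from the report's WriteProcessMemory
events and classify the cmd.exe pipeline.

Added example for this report; not code from the sandbox or from the
FalixNodes project. Events, parents and command lines are transcribed from
the report above; the classification rule is this example's own heuristic
(an assumption, not a sandbox signature)."""
import re
from collections import Counter, defaultdict

# Transcribed from "Suspicious use of WriteProcessMemory":
# (writer pid, writer image, target pid, target image), one tuple per event.
WPM_EVENTS = (
    [(1960, "FalixNodes-Desktop.exe", 1384, "cmd.exe")] * 4
    + [(1384, "cmd.exe", 1224, "tasklist.exe")] * 4
    + [(1384, "cmd.exe", 1140, "find.exe")] * 4
)

# Transcribed from the "Processes" tree (child pid -> parent pid).
PARENTS = {1384: 1960, 1224: 1384, 1140: 1384}

# Command lines from the "Processes" tree.
CMDLINES = {
    1960: r'"C:\Users\Admin\AppData\Local\Temp\FalixNodes-Desktop.exe"',
    1384: r'cmd /c tasklist /FI "USERNAME eq %USERNAME%" '
          r'/FI "IMAGENAME eq FalixNodes Desktop.exe" | find "FalixNodes Desktop.exe"',
    1224: r'tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq FalixNodes Desktop.exe"',
    1140: r'find "FalixNodes Desktop.exe"',
}

IMAGENAME_FILTER = re.compile(r'/FI\s+"IMAGENAME eq ([^"]+)"', re.IGNORECASE)


def collapse_events(events):
    """Fold the repeated (writer, target) rows into one edge with a count.
    Returns ({writer: [targets]}, Counter{(writer, target): events}, {pid: image})."""
    edges = defaultdict(list)
    counts = Counter()
    images = {}
    for wpid, wimg, tpid, timg in events:
        images[wpid], images[tpid] = wimg, timg
        if counts[(wpid, tpid)] == 0:
            edges[wpid].append(tpid)
        counts[(wpid, tpid)] += 1
    return edges, counts, images


def writes_only_into_own_children(events, parents):
    """True when every WriteProcessMemory target is a direct child of the
    writer according to the process tree: the pattern process creation leaves
    behind. A write into any other process would be the injection case."""
    return all(parents.get(tpid) == wpid for wpid, _, tpid, _ in events)


def classify_pipeline(cmdline):
    """Heuristic (assumption): 'cmd /c tasklist /FI "IMAGENAME eq X" | find "X"'
    is an is-X-already-running check. Returns (label, image name or None)."""
    m = IMAGENAME_FILTER.search(cmdline)
    lowered = cmdline.lower()
    if m and "| find" in lowered:
        find_arg = lowered.split("| find", 1)[1]
        if m.group(1).lower() in find_arg:
            return "running-instance-check", m.group(1)
    return "other", None


def triage(events=WPM_EVENTS, parents=PARENTS, cmdlines=CMDLINES):
    """One-shot summary an analyst can read next to the report."""
    edges, counts, images = collapse_events(events)
    return {
        "distinct_edges": len(counts),
        "events_per_edge": dict(counts),
        "only_own_children": writes_only_into_own_children(events, parents),
        "pipelines": {pid: classify_pipeline(cl) for pid, cl in cmdlines.items()
                      if images.get(pid) == "cmd.exe"},
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run as-is it reports three distinct edges (four events each), confirms every write targets the writer's own child, and labels pid 1384's pipeline as a running-instance check. Feed it a different report's events and parent map and the `only_own_children` flag is the line that separates process creation from actual injection.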
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Programs\FalixNodes Desktop\FalixNodes Desktop.exe
Filesize
28.5MB
MD5
1333f593528d92a63e06154cccb270a9
SHA1
8b8ec1e8fd1150dbd4d7f3ad0a2a7db38c315e06
SHA256
edaaf8530af7031143a758588cfbc2bc7106c0ca69989132e4e38acadebab868
SHA512
80650b284de92a0c9250eb62f8b71bdf63595873c675f3dc6af9b442bbff279919e1946db7473e1a039e421a26ae0df8e2c92f5a6ba836b81bf1ddf23f5ebe4c
-
\Users\Admin\AppData\Local\Programs\FalixNodes Desktop\FalixNodes Desktop.exe
Filesize
28.0MB
MD5
510bc7f39baade757a9b2745a1969521
SHA1
bd99f9a95a0ecbf95012ca14f44c535acec279a7
SHA256
839c651e15ce1c4e081df9ac8bf8efd82e86311a94266cdc2e5bc236ccca68a3
SHA512
2fea4e7a355dd1d360adefd3f0c997440c16d223694a768f1ca2d50ccffe167d7b6b2dc6a0b25dca399b0b4c0a3d5fd5c0d618644ebfa254c29b09dd391e4dc0
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\LangDLL.dll
Filesize
5KB
MD5
ab1db56369412fe8476fefffd11e4cc0
SHA1
daad036a83b2ee2fa86d840a34a341100552e723
SHA256
6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b
SHA512
8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\StdUtils.dll
Filesize
100KB
MD5
c6a6e03f77c313b267498515488c5740
SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\System.dll
Filesize
12KB
MD5
0d7ad4f45dc6f5aa87f606d0331c6901
SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\UAC.dll
Filesize
14KB
MD5
adb29e6b186daa765dc750128649b63d
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\WinShell.dll
Filesize
3KB
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\nsDialogs.dll
Filesize
9KB
MD5
466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1
eb607467009074278e4bd50c7eab400e95ae48f7
SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\nsExec.dll
Filesize
6KB
MD5
ec0504e6b8a11d5aad43b296beeb84b2
SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57
-
\Users\Admin\AppData\Local\Temp\nsy39B.tmp\nsis7z.dll
Filesize
424KB
MD5
80e44ce4895304c6a3a831310fbf8cd0
SHA1
36bd49ae21c460be5753a904b4501f1abca53508
SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df
-
memory/1140-63-0x0000000000000000-mapping.dmp
-
memory/1224-62-0x0000000000000000-mapping.dmp
-
memory/1384-61-0x0000000000000000-mapping.dmp
-
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
Filesize
8KB
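The dropped-file list above mixes the installer's own runtime (the NSIS plugin DLLs unpacked into nsy39B.tmp) with the files it actually deploys, and lists the same application path twice with different hashes. The helper below, added here and not taken from the sandbox or the FalixNodes project, sorts that out and produces host-independent IoCs. The records are transcribed from the report; the NSIS plugin name set and the %LOCALAPPDATA% normalization are this example's own assumptions.

```python
"""Triage the report's dropped-file list: normalize per-user paths, separate
the NSIS plugin staging set from the files the installer actually deploys,
flag one path reported with two different hashes, and emit SHA256 IoCs.

Added example for this report; not code from the sandbox or from the
FalixNodes project. Records are transcribed from the Downloads section; the
NSIS plugin name set and the %LOCALAPPDATA% normalization are this example's
own assumptions."""
import re
from collections import defaultdict

# Assumption: the standard NSIS plugin DLLs an installer unpacks to ns*.tmp.
NSIS_PLUGINS = {"langdll.dll", "stdutils.dll", "system.dll", "uac.dll",
                "winshell.dll", "nsdialogs.dll", "nsexec.dll", "nsis7z.dll"}
NSIS_TMP_DIR = re.compile(r"\\temp\\ns[a-z0-9]+\.tmp\\", re.IGNORECASE)
LOCALAPPDATA = re.compile(r"^\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)
SHA256_HEX = re.compile(r"[0-9a-f]{64}")

# (path, reported size, SHA256) transcribed from the report's Downloads section.
PROGRAMS = r"\Users\Admin\AppData\Local\Programs\FalixNodes Desktop\FalixNodes Desktop.exe"
TMP = r"\Users\Admin\AppData\Local\Temp\nsy39B.tmp"
DROPPED = [
    (PROGRAMS, "28.5MB", "edaaf8530af7031143a758588cfbc2bc7106c0ca69989132e4e38acadebab868"),
    (PROGRAMS, "28.0MB", "839c651e15ce1c4e081df9ac8bf8efd82e86311a94266cdc2e5bc236ccca68a3"),
    (TMP + r"\LangDLL.dll", "5KB", "6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b"),
    (TMP + r"\StdUtils.dll", "100KB", "b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e"),
    (TMP + r"\System.dll", "12KB", "3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca"),
    (TMP + r"\UAC.dll", "14KB", "2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08"),
    (TMP + r"\WinShell.dll", "3KB", "9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6"),
    (TMP + r"\nsDialogs.dll", "9KB", "1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172"),
    (TMP + r"\nsExec.dll", "6KB", "5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962"),
    (TMP + r"\nsis7z.dll", "424KB", "b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592"),
]


def normalize(path):
    """Swap the per-user profile prefix for %LOCALAPPDATA% so the IoC matches
    on any host, not just the sandbox's 'Admin' account."""
    return LOCALAPPDATA.sub(r"%LOCALAPPDATA%\\", path)


def triage_dropped(records):
    """Classify each dropped file and collect hunting artefacts."""
    hashes_by_path = defaultdict(set)
    plugins, other, bad_hash = [], set(), []
    for path, _size, sha256 in records:
        if not SHA256_HEX.fullmatch(sha256):
            bad_hash.append(path)      # malformed hash: never ship it as an IoC
            continue
        norm = normalize(path)
        hashes_by_path[norm].add(sha256)
        name = path.rsplit("\\", 1)[-1].lower()
        if NSIS_TMP_DIR.search(path) and name in NSIS_PLUGINS:
            plugins.append(name)       # installer runtime, not the deployed payload
        else:
            other.add(norm)
    return {
        "nsis_plugins": sorted(plugins),
        "other_files": sorted(other),
        # one path with two hashes: the report captured two contents for it
        "conflicting_paths": sorted(p for p, hs in hashes_by_path.items() if len(hs) > 1),
        "sha256_iocs": sorted({h for hs in hashes_by_path.values() for h in hs}),
        "bad_hash": bad_hash,
    }


if __name__ == "__main__":
    for key, value in triage_dropped(DROPPED).items():
        print(f"{key}: {value}")
```

On the report's records this yields eight NSIS plugins, one deployed file (the application executable under %LOCALAPPDATA%\Programs), that same path flagged as conflicting because it was captured with two different hashes, and ten SHA256 values to hunt on. Keep both hashes for the conflicting path until you know which capture is the final on-disk file.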