Analysis
Max time kernel: 16s
Max time network: 20s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-10-2022 06:19

Static task: static1
Behavioral task: behavioral1
  Sample: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Resource: win10v2004-20220901-en
General
Target: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
Size: 292KB
MD5: b5707c99e8efb84b4c4e241e59b213b1
SHA1: f679f3871f61771d6ce979483d41c8033f06ef2d
SHA256: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562
SHA512: 1d9496be34428d51bc4f297919b462b98027b049b184ee3acc6cf4139b70d4e242745d72d8dc94cdc3875ce3a6d3a88ad68df0f1e263d90b4db8780288bec7d1
SSDEEP: 6144:E0I5pAVaHnVtoNSWelUZ54Cv2zznu+hTUH0qqIuAC0mx8TCvOxf72wrX+USctl:E0I5qCnvxWOa54KGK+r8hQe7iwrX+USI
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\fbs.exe" | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\fbs.exe" | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
Drops file in Windows directory (1 IoC)
Processes: dw20.exe
  description | ioc | process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. No IoC rows are recorded for this signature.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: Taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | Taskmgr.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Suspicious behavior: EnumeratesProcesses (40 IoCs)
Processes: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe, Taskmgr.exe
  pid | process
  4940 | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe (27 entries)
  1664 | Taskmgr.exe (13 entries)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe, Taskmgr.exe, dw20.exe
  description | pid | process
  Token: SeDebugPrivilege | 4940 | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe (2 entries)
  Token: SeDebugPrivilege | 1664 | Taskmgr.exe
  Token: SeSystemProfilePrivilege | 1664 | Taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1664 | Taskmgr.exe
  Token: SeRestorePrivilege | 3804 | dw20.exe
  Token: SeBackupPrivilege | 3804 | dw20.exe (4 entries)
Suspicious use of FindShellTrayWindow (24 IoCs)
Processes: Taskmgr.exe
  pid | process
  1664 | Taskmgr.exe (24 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: Taskmgr.exe
  pid | process
  1664 | Taskmgr.exe (24 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  pid | process
  4940 | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
  description | pid | process | target process
  PID 4940 wrote to memory of 1664 | 4940 | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe | Taskmgr.exe (3 entries)
  PID 4940 wrote to memory of 3804 | 4940 | 4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe | dw20.exe (3 entries)
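The registry signatures above are the sandbox's raw observations, and several of them (the SCSI, CPU and BIOS reads) are attributed to Taskmgr.exe and dw20.exe rather than to the sample. The following is an added example written by the editor, not output of the sandbox or code from the sample: it takes the registry IoC rows transcribed from this report, maps them to ATT&CK techniques (the technique IDs are the editor's mapping; the report only gives TTP counts), and splits findings into what the sample itself did versus what the two Windows helper processes did. The allowlist of expected hardware readers is an editorial judgment (Task Manager displays disk names, and the .NET error-reporting tool collects CPU/BIOS details for its crash report); the Run-key severity rule is likewise the editor's.

```python
"""Added example (editor's code, not part of the sandbox report): turn the
registry IoC rows above into ATT&CK-mapped findings and separate what the
sample itself did from what the Windows helper processes it spawned did."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = "4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe"
HKCU = "\\REGISTRY\\USER\\S-1-5-21-929662420-1054238289-2961194603-1000"
HKLM = "\\REGISTRY\\MACHINE"

# Editorial allowlist: Task Manager reads disk names for its Performance tab and
# the .NET error-reporting tool collects CPU/BIOS data for its crash report, so
# hardware reads attributed to them are kept as context, not as sample behaviour.
EXPECTED_HW_READERS = {"taskmgr.exe", "dw20.exe"}


@dataclass(frozen=True)
class RegEvent:
    op: str            # "Key opened", "Key value queried", "Set value (str)"
    path: str          # registry path exactly as the report logs it
    process: str       # image name that performed the operation
    data: str = ""     # value data, present only for Set value events


@dataclass(frozen=True)
class Finding:
    technique: str     # ATT&CK technique ID (editor's mapping, not the report's)
    label: str
    severity: str      # "high", "medium" or "context"
    event: RegEvent


# The SID and ControlSet number vary between hosts, so the patterns match loosely.
RUN_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
SCSI_ENUM = re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI\\", re.I)
HW_DESC = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(CentralProcessor|BIOS)(\\|$)", re.I)
DRIVE_LETTER = re.compile(r"^[A-Za-z]:\\")


def classify(ev: RegEvent) -> Optional[Finding]:
    """Map one registry event to a finding, or None when no rule applies."""
    proc = ev.process.lower()
    if ev.op.startswith("Set value") and RUN_KEY.search(ev.path):
        # Persistence. A relative target (no drive letter) or a target under
        # AppData\Roaming is not where installed software registers itself.
        target = ev.data.strip('"')
        odd_target = not DRIVE_LETTER.match(target) or "\\appdata\\roaming\\" in target.lower()
        return Finding("T1547.001", "Run key persistence", "high" if odd_target else "medium", ev)
    if GEO_NATION.search(ev.path):
        return Finding("T1614", "Country code lookup (possible geofence)", "medium", ev)
    if SCSI_ENUM.search(ev.path):
        sev = "context" if proc in EXPECTED_HW_READERS else "medium"
        return Finding("T1497", "Disk identity read (VM/sandbox check)", sev, ev)
    if HW_DESC.search(ev.path):
        sev = "context" if proc in EXPECTED_HW_READERS else "medium"
        return Finding("T1082", "CPU/BIOS fingerprint read", sev, ev)
    return None


def triage(events: List[RegEvent], sample: str = SAMPLE) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into the sample's own actions and helper-process context."""
    own, context = [], []
    for ev in events:
        found = classify(ev)
        if found is not None:
            (own if ev.process.lower() == sample.lower() else context).append(found)
    return own, context


# Events transcribed from the Signatures section of this report.
EVENTS = [
    RegEvent("Key value queried", HKCU + r"\Control Panel\International\Geo\Nation", SAMPLE),
    RegEvent("Set value (str)", HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key",
             SAMPLE, r"\Default Folder\fbs.exe"),
    RegEvent("Set value (str)", HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key",
             SAMPLE, r"C:\Users\Admin\AppData\Roaming\Default Folder\fbs.exe"),
    RegEvent("Key value queried", HKLM + r"\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName", "Taskmgr.exe"),
    RegEvent("Key opened", HKLM + r"\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000", "Taskmgr.exe"),
    RegEvent("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "dw20.exe"),
    RegEvent("Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "dw20.exe"),
]

if __name__ == "__main__":
    own_findings, context_findings = triage(EVENTS)
    for tag, group in (("SAMPLE", own_findings), ("CONTEXT", context_findings)):
        for fd in group:
            print(f"[{tag}] {fd.severity:8} {fd.technique:10} {fd.label}: "
                  f"{fd.event.process} {fd.event.op} {fd.event.path}")
```

Run stand-alone it prints three findings for the sample (the geofence lookup and two high-severity Run-key writes, the first of which uses a relative path) and four context entries for Taskmgr.exe and dw20.exe. The same disk-identity read performed by the sample process itself would be reported at medium severity, which is the point of keying the allowlist on the acting process rather than on the registry path alone.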
Processes

1. C:\Users\Admin\AppData\Local\Temp\4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a09d7c4b6d0aeca66f2c122dfb87d962de77a7916152dc0f4c73dc6a3c65562.exe"
   PID: 4940
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Taskmgr.exe (child of PID 4940)
      Command line: "C:\Windows\System32\Taskmgr.exe"
      (The parent requested the System32 path but the image that ran is under SysWOW64, which is WOW64 file-system redirection: the sample runs as a 32-bit process.)
      PID: 1664
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (child of PID 4940)
      Command line: dw20.exe -x -s 1968
      (dw20.exe is the .NET Framework error-reporting tool, normally launched by the runtime when a managed application hits an unhandled exception; the processor, BIOS and Amcache signatures below are attributed to it, not to the sample.)
      PID: 3804
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken