Analysis
max time kernel: 190s
max time network: 235s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 14:32
Static task: static1
Behavioral task: behavioral1
  Sample: fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2 (the run reported below; platform windows10-2004_x64)
  Sample: fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Resource: win10v2004-20220812-en
General
Target: fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
Size: 354KB
MD5: 5344175e5547955aed85be21871213d0
SHA1: 2c560d8197c3972e5e11dad105143cd52b7dfea3
SHA256: fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69
SHA512: 1591d2f41dc7432e2ad598a7e48f579ae3f3a97d269148125b609b8fdd9978b2d0d970546a2afa0331f0c01057f6dcf395e3a3ab3dfa23bb66e50e19cb97c958
SSDEEP: 3072:0wi51kpjgUdkY8NvaKyGVy1ltYWVnXKiivnFOq43yUQBB3cuAUXXinIcsHtPbXlx:wopjgUqY84ALWVkt3HhybgzvDROyESZ
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1252  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Note: the "dropped" executable (see Downloads) has the same MD5/SHA1/SHA256/SHA512 as the submitted sample. This is a self-copy into a subdirectory of %TEMP%, not a second payload.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  (one lookup from each of the two sample instances, PIDs 4332 and 1252 in the process tree)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Server.exe"  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Server.exe"  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Note: both writes target the same HKCU Run value name ("Default Key"); the first stores an unrooted path, the second the absolute path under %LOCALAPPDATA%. No file at "Default Folder\Server.exe" appears in the dropped-file list, so in this run the persistence entry points at a path that was not observed being written.
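The two registry signatures above (the Geo\Nation lookup and the HKCU Run write) can be re-derived from the report's own event lines. The following is an added example, not the sandbox's signature code: it parses lines in the "Key value queried <path> <process>" and "Set value (str) <path> = "<value>" <process>" shape shown on this page and flags a geofence check and any Run entry whose target is unrooted or sits in a user-writable directory. The event lines are constructed to mirror this report's IoCs (process name shortened to sample.exe, plus one benign Run entry from explorer.exe for contrast); the line format, the USER_WRITABLE markers and the helper names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed events modelled on the IoCs in this report (process name shortened to
# sample.exe), plus one benign Run entry written by explorer.exe for contrast.
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation sample.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Server.exe" sample.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Server.exe" sample.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" explorer.exe',
]

# Line shapes as they appear in the report; the process name is the last token.
QUERY_LINE = re.compile(r"^Key value queried (?P<path>.+) (?P<proc>\S+)$")
SET_LINE = re.compile(r'^Set value \((?:str|int|bin)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Directories a standard user can write to (assumed list for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    rule: str
    process: str
    detail: str
    suspicious: bool


def unescape(value: str) -> str:
    """The report shows backslashes doubled inside quoted values; fold them back."""
    return value.replace("\\\\", "\\")


def run_target_is_suspicious(target: str) -> bool:
    """A Run target is suspicious when it is not drive-rooted (resolution then depends on
    the environment at logon) or when it lives where a standard user can write, which is
    where a dropper's persistence copy normally lands."""
    low = target.lower()
    rooted = re.match(r"^[a-z]:\\", low) is not None
    return (not rooted) or any(marker in low for marker in USER_WRITABLE)


def triage(events):
    """Return one Finding per Geo\\Nation lookup and per Run/RunOnce value write."""
    findings = []
    for line in events:
        q = QUERY_LINE.match(line)
        if q and GEO_NATION.search(q["path"]):
            findings.append(Finding("geofence_check", q["proc"], q["path"], True))
            continue
        s = SET_LINE.match(line)
        if not s:
            continue
        run = RUN_VALUE.search(s["path"])
        if not run:
            continue
        target = unescape(s["value"])
        findings.append(Finding("run_key_persistence", s["proc"],
                                f'{run["name"]} -> {target}', run_target_is_suspicious(target)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f.suspicious else "info      "
        print(f"{flag} {f.rule:22} {f.process:14} {f.detail}")
```

Run against the constructed events, the geofence lookup and both "Default Key" writes are flagged (the first because the path is unrooted, the second because it is under AppData), while the OneDrive entry under Program Files is reported but not flagged.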
Drops desktop.ini file(s) (2 IoCs)
  File created                C:\Windows\assembly\Desktop.ini  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Note: C:\Windows\assembly is the .NET global assembly cache; a Desktop.ini created there is a common side effect of running a .NET executable and is weak evidence on its own.
Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\assembly              fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  File created                  C:\Windows\assembly\Desktop.ini  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  (the same Desktop.ini events as the previous signature, plus the directory open)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: no IoC is recorded for this signature, and the "likely ransomware" text is the sandbox's generic heuristic. Nothing else in this report (no mass file writes, only a self-copy in the dropped-file list) supports a ransomware classification.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  Taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  Taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  Taskmgr.exe
  Note: all three reads come from Taskmgr.exe (PID 1108), which the sample launched, not from the sample itself. Task Manager reads the disk FriendlyName to populate its Performance view, so this signature reflects ordinary Task Manager behaviour; the noteworthy fact is that the sample started Task Manager at all.
Runs ping.exe (1 TTP, 1 IoC)
  (PING.EXE, PID 3512, spawned by cmd.exe as part of the self-delete chain in the process tree)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1252  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe  (2 events)
  pid 1108  Taskmgr.exe  (remaining 62 events; process enumeration is Task Manager's normal function)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 1252  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  pid 1108  Taskmgr.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege          pid 1252  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Token: SeDebugPrivilege          pid 4332  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Token: SeDebugPrivilege          pid 1108  Taskmgr.exe
  Token: SeSystemProfilePrivilege  pid 1108  Taskmgr.exe
  Token: SeCreateGlobalPrivilege   pid 1108  Taskmgr.exe
  Note: both sample instances enable SeDebugPrivilege; the three Taskmgr.exe privileges are the ones Task Manager enables for itself.
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 1108  Taskmgr.exe  (all 64 events; UI behaviour of Task Manager itself)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid 1108  Taskmgr.exe  (all 64 events; UI behaviour of Task Manager itself)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1252  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Note: the hook type is not recorded in this report, so whether this is an input hook or a message hook cannot be determined from the page.
Suspicious use of WriteProcessMemory (12 IoCs)
Each parent/child pair below is recorded three times; the pairs match the process tree.
  PID 4332 wrote to memory of 1252  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe -> fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe (self-copy)
  PID 4332 wrote to memory of 316   fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe -> cmd.exe
  PID 316 wrote to memory of 3512   cmd.exe -> PING.EXE
  PID 1252 wrote to memory of 1108  fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe -> Taskmgr.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe  (PID 4332)
  command line: "C:\Users\Admin\AppData\Local\Temp\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe  (PID 1252)
    command line: "C:\Users\Admin\AppData\Local\Temp\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Taskmgr.exe  (PID 1108)
      command line: "C:\Windows\System32\Taskmgr.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\cmd.exe  (PID 316)
    command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  (PID 3512)
      command line: ping 1.1.1.1 -n 1 -w 1000
      - Runs ping.exe

Reading the tree: the submitted binary (4332) copies itself into a same-named subdirectory of %TEMP%, starts the copy (1252), and hands removal of the original to cmd.exe (316). The single ping to 1.1.1.1 with a 1000 ms timeout is a delay so that the parent has exited and released its image file before Del runs; the ping target is not a C2 indicator. The copy (1252) then launches Task Manager (1108). The child image paths resolve to C:\Windows\SysWOW64 although the command lines name System32, so the children were created through WOW64 file-system redirection, which means the creating process is 32-bit.
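The cmd.exe chain in the tree (a ping used as a sleep, then Del of the parent's own image) is a common self-deletion pattern, and it can be detected from process-creation records alone by checking whether the deleted path equals the parent process image. The following is an added example, not code from the sandbox: it goes slightly beyond this report's instance by also accepting the timeout /t and ping 127.0.0.1 -n N variants of the delay. The process records are constructed to mirror this report's tree (image names shortened to sample.exe, plus one benign cmd.exe chain for contrast); the record field names, the helper names and the delay estimate are assumptions of the example.

```python
import re
from typing import Optional

# Constructed process records modelled on the report's process tree (image names
# shortened to sample.exe), plus one benign cmd.exe chain for contrast.
SAMPLE_PROCS = [
    {"pid": 4332, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 1252, "ppid": 4332, "image": r"C:\Users\Admin\AppData\Local\Temp\sample\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample\sample.exe"'},
    {"pid": 316, "ppid": 4332, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 3512, "ppid": 316, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping 1.1.1.1 -n 1 -w 1000"},
    {"pid": 2000, "ppid": 4332, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 2 & del C:\Users\Admin\AppData\Local\Temp\install.log'},
]

CMD_C = re.compile(r'^"?[^"]*?cmd(?:\.exe)?"?\s+/c\s+(?P<rest>.+)$', re.IGNORECASE)
PING = re.compile(r"^ping(?:\.exe)?\s+(?P<host>\S+)(?P<args>.*)$", re.IGNORECASE)
TIMEOUT = re.compile(r"^timeout(?:\.exe)?\s+(?:/t\s+)?(?P<secs>\d+)", re.IGNORECASE)
DEL = re.compile(r'^(?:del|erase)\s+(?:/[a-z]\s+)*"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


def split_chain(cmdline: str) -> Optional[list]:
    """Return the commands cmd.exe /C would run in order, or None if this is not a /C chain.
    Splits on & and &&; a literal & inside a quoted path would be mis-split, which is
    acceptable for triage."""
    m = CMD_C.match(cmdline)
    if not m:
        return None
    return [part.strip() for part in re.split(r"&&|&", m["rest"]) if part.strip()]


def sleep_ms(command: str) -> Optional[int]:
    """Approximate delay (ms) of a ping or timeout used as a sleep, None if neither.
    For ping the value is an upper bound: count * per-reply timeout, with Windows
    defaults of 4 echoes and roughly one second each when no reply arrives."""
    m = PING.match(command)
    if m:
        count = re.search(r"-n\s+(\d+)", m["args"], re.IGNORECASE)
        wait = re.search(r"-w\s+(\d+)", m["args"], re.IGNORECASE)
        n = int(count.group(1)) if count else 4
        w = int(wait.group(1)) if wait else 1000
        return n * w
    m = TIMEOUT.match(command)
    if m:
        return int(m["secs"]) * 1000
    return None


def find_self_delete(procs: list) -> list:
    """Flag cmd.exe /C chains of the form <sleep> & del <image of the parent process>."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        parts = split_chain(p["cmdline"])
        if not parts or len(parts) < 2:
            continue
        delay = sleep_ms(parts[0])
        tail = DEL.match(parts[-1])
        parent = by_pid.get(p["ppid"])
        if delay is None or not tail or parent is None:
            continue
        # The decisive check: the file being deleted is the parent's own executable.
        if tail["target"].strip().lower() == parent["image"].lower():
            hits.append({"cmd_pid": p["pid"], "parent_pid": parent["pid"],
                         "deleted": tail["target"].strip(), "delay_ms": delay})
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_PROCS):
        print(f"self-delete: cmd.exe {hit['cmd_pid']} removes image of parent {hit['parent_pid']} "
              f"after ~{hit['delay_ms']} ms: {hit['deleted']}")
```

On the constructed records only PID 316 is reported: its Del target equals the image of its parent 4332. The contrasting chain (PID 2000) also sleeps and deletes, but the deleted file is not the parent's image, so it is not a self-delete. Matching on the parent image rather than on the literal "ping 1.1.1.1" string is what keeps the rule useful when the delay host or command changes.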
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69\fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69.exe
  Filesize: 354KB
  MD5: 5344175e5547955aed85be21871213d0
  SHA1: 2c560d8197c3972e5e11dad105143cd52b7dfea3
  SHA256: fc409acc344d3299f319ddd47afc86310aa931fc799a360d2708f9a93facbd69
  SHA512: 1591d2f41dc7432e2ad598a7e48f579ae3f3a97d269148125b609b8fdd9978b2d0d970546a2afa0331f0c01057f6dcf395e3a3ab3dfa23bb66e50e19cb97c958
  (all hashes identical to the submitted sample: this is the self-copy launched as PID 1252)