Analysis
- max time kernel: 386s
- max time network: 483s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 15:24

Static task: static1

Behavioral task: behavioral1
- Sample: 0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe
- Resource: win10v2004-20221111-en
General
- Target: 0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe
- Size: 2.0MB
- MD5: aecbf512a59d00833a625124e053da54
- SHA1: 93dae325d30a3db903abf76a6c09a5f951191798
- SHA256: 0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8
- SHA512: 8120ffe1ba457e7a52a585e1111a4fba28f4b590caa5699f3024815e1e5edc51df1b83edab3d01bbbed587f1283bf7bcb38fcc03605f13ef6ff50e0a54d4aab3
- SSDEEP: 24576:KOaG6qI2pVmvx0szWSvJIuEEtEQ+eEcWqhGzOOPPJJd3RMiOQ9R6GwsOlx0RtKSn:k2peSsiSJI4ThGz5hkQ9sR0vtMx
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 2380 CFL.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation

- Loads dropped DLL (2 IoCs)
  Processes: pid 2380 CFL.exe (2 events)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: CFL.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CFL Start = "C:\\ProgramData\\TADATM\\CFL.exe"

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: pid 2380 CFL.exe (4 events)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 4404 (0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe) wrote to memory of PID 2380 (CFL.exe), 3 events
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of the above): C:\ProgramData\TADATM\CFL.exe
    Command line: "C:\ProgramData\TADATM\CFL.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\TADATM\CFL.00
  Filesize: 2KB
  MD5: a30a65acad8116f3ec61bba75e38af2e
  SHA1: 29384692fa6c583ed512b85bde4635982943d017
  SHA256: 9d7153a0f29dc450e6ce8e89ea2faf05e7402ace221e560f4c480c468a53d526
  SHA512: 7eca20d11241a49369b53ff5e53c7f03ab4a2d96351fb14bb5427b4c26fc052193836753feebeaf3ede30cec65a1e3a6c0856f8229cc7c60783d2051a2dc67e2

- C:\ProgramData\TADATM\CFL.01
  Filesize: 79KB
  MD5: 7059cdba57a398f80a9afd3de0ffbd07
  SHA1: 082dcc9e258316f67ea5b963bfe1b5f954805b83
  SHA256: c21c6ddb053617facbb2b409ce521abf27f77d87e9dc90289678e972679bff90
  SHA512: e879f0f769c975726599feaf9ad8adc9036f8b24911c6baeab13ca1784f0b6cfd0d255f3c29293fd933820d67f4b6a1179a8c0bf2c46ac6f7e88aae593c9b0c0
- C:\ProgramData\TADATM\CFL.exe
  Filesize: 2.4MB
  MD5: 3d09e558be6c81f8e5fdde46888944d6
  SHA1: dc5049c0644285a28321befddaad18201a48d299
  SHA256: 8accbe2830058d2ea436d7a8b7a0e3ae0831d64a716fbf8622055300596ccda7
  SHA512: 8c180a2779c7b076241c09b5ac18a27e66d7e1ada9ef7c37db2ae0cf6754a014cac33dcad202135294f408e0de165996207969448e4f2a4ff114c609a241ca03
- memory/2380-133-0x0000000000000000-mapping.dmp

- memory/2380-141-0x0000000000DD0000-0x0000000000DE9000-memory.dmp
  Filesize: 100KB

- memory/2380-142-0x0000000000DD1000-0x0000000000DE0000-memory.dmp
  Filesize: 60KB

- memory/2380-143-0x0000000000DD0000-0x0000000000DE9000-memory.dmp
  Filesize: 100KB

- memory/4404-132-0x0000000000D50000-0x0000000000F54000-memory.dmp
  Filesize: 2.0MB

- memory/4404-136-0x0000000000D50000-0x0000000000F54000-memory.dmp
  Filesize: 2.0MB