Analysis
- max time kernel: 191s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 06:29
Static task: static1
Behavioral task: behavioral1
- Sample: 18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe
- Resource: win10v2004-20221111-en
General
- Target: 18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe
- Size: 388KB
- MD5: 7616872b3a200264a8d476db29be2313
- SHA1: 2d91b496b2b722ca990483fa9dd786c50bb20a91
- SHA256: 18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020
- SHA512: 0a3018693edf7941b39c73f57bf6b0fc403a419a7121ecb8f0bd94be532e35f8fa2d2721c0ddb695855593125aa62f65ab1536cbb2267279c25ef8719a2530e9
- SSDEEP: 6144:PGxKInHfsR5Qh3By8wCmLLpwFwLJ7ubiZOlZjbuueYlSD7DQB6JYDxHfs9o/Sn:OUaHK4y9jLpXLtuVlZjbUYG7DNiH8N
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    112  fytddrn.exe
    308  fytddrn.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  fytddrn.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  fytddrn.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\fytddrn.exe"  fytddrn.exe
    Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  fytddrn.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\fytddrn.exe"  fytddrn.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    33  ipinfo.io
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1440 set thread context of 4112  1440  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe
    PID 112 set thread context of 308    112   fytddrn.exe  fytddrn.exe
- Drops file in Program Files directory (62 IoCs)
  Processes: fytddrn.exe (62 files opened for modification under C:\Program Files\7-Zip\)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    1140  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; 64 events in total):
    1440  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe  (4 events)
    112   fytddrn.exe  (4 events)
    308   fytddrn.exe  (56 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege    4112  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe
    Token: SeDebugPrivilege    308   fytddrn.exe
    Token: SeBackupPrivilege   4312  vssvc.exe
    Token: SeRestorePrivilege  4312  vssvc.exe
    Token: SeAuditPrivilege    4312  vssvc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
    1440  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe  (2 events)
    112   fytddrn.exe  (2 events)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description, pid, process, target process):
    PID 1440 wrote to memory of 4112  1440  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe  (9 events)
    PID 4112 wrote to memory of 112   4112  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe  fytddrn.exe  (3 events)
    PID 112 wrote to memory of 308    112   fytddrn.exe  fytddrn.exe  (9 events)
    PID 4112 wrote to memory of 3784  4112  18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe  cmd.exe  (3 events)
    PID 308 wrote to memory of 1140   308   fytddrn.exe  vssadmin.exe  (2 events)
Processes (indented by depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020.exe
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\fytddrn.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\fytddrn.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\fytddrn.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\fytddrn.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\vssadmin.exe (depth 5)
          Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          - Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\18BD1F~1.EXE >> NUL
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\fytddrn.exe
  Filesize: 388KB
  MD5: 7616872b3a200264a8d476db29be2313
  SHA1: 2d91b496b2b722ca990483fa9dd786c50bb20a91
  SHA256: 18bd1ff24cf637c9ce36cd4e995b217a616063167355497803cca6b58eab9020
  SHA512: 0a3018693edf7941b39c73f57bf6b0fc403a419a7121ecb8f0bd94be532e35f8fa2d2721c0ddb695855593125aa62f65ab1536cbb2267279c25ef8719a2530e9
Memory dumps (file, size):
- memory/112-139-0x0000000000000000-mapping.dmp
- memory/308-148-0x0000000074E70000-0x0000000074EA9000-memory.dmp  228KB
- memory/308-146-0x0000000000400000-0x0000000001400000-memory.dmp  16.0MB
- memory/308-151-0x0000000000400000-0x0000000000467000-memory.dmp  412KB
- memory/308-142-0x0000000000000000-mapping.dmp
- memory/308-147-0x0000000000400000-0x0000000000467000-memory.dmp  412KB
- memory/308-145-0x0000000000400000-0x0000000001400000-memory.dmp  16.0MB
- memory/1140-154-0x0000000000000000-mapping.dmp
- memory/1440-132-0x0000000002410000-0x0000000002414000-memory.dmp  16KB
- memory/3784-149-0x0000000000000000-mapping.dmp
- memory/4112-134-0x0000000000400000-0x0000000001400000-memory.dmp  16.0MB
- memory/4112-133-0x0000000000000000-mapping.dmp
- memory/4112-137-0x0000000000400000-0x0000000000467000-memory.dmp  412KB
- memory/4112-135-0x0000000000400000-0x0000000001400000-memory.dmp  16.0MB
- memory/4112-150-0x0000000000400000-0x0000000000467000-memory.dmp  412KB
- memory/4112-136-0x0000000000400000-0x0000000001400000-memory.dmp  16.0MB
- memory/4112-152-0x0000000000400000-0x0000000000467000-memory.dmp  412KB
- memory/4112-153-0x0000000074E70000-0x0000000074EA9000-memory.dmp  228KB
- memory/4112-138-0x0000000074E70000-0x0000000074EA9000-memory.dmp  228KB