Analysis
max time kernel: 163s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2022, 07:18
Behavioral task behavioral1: sample f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe, resource win7-20221111-en
Behavioral task behavioral2: sample f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe, resource win10v2004-20221111-en (the run whose signatures and process tree are reported below)
General
Target: f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe
Size: 545KB
MD5: ceaf4e60f927a7e2096803904ff354dc
SHA1: 90b4df8884b76d67db41403d2c66a67f69c26091
SHA256: f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f
SHA512: de2fb4b27d39f96031624f784f4ff6811f0ee7357c033951a815e6124dd439608e83ceb13566d41180c945f63a9e6bd6483408f9532a7ab2f56c3a0e6613000a
SSDEEP: 12288:XGgt068RPhxGnKro1xepVyyiwMg1FKCd3EPwSbCJXxEhcWNSraaWh:VS9RPhxGngeFyiwM40PnCJXxEdu3A
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2000  run.exe
UPX packed file (YARA rule upx, 2 IoCs)
  behavioral2/memory/952-132-0x0000000000400000-0x000000000048A000-memory.dmp
  behavioral2/memory/952-148-0x0000000000400000-0x000000000048A000-memory.dmp
  Both dumps are the image region of the sample itself (PID 952, 0x400000-0x48A000).
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  (cmd.exe)
AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe  behavioral2/memory/952-148-0x0000000000400000-0x000000000048A000-memory.dmp
  The same region of PID 952 also matches the upx rule, so the dropper is an AutoIt-compiled executable wrapped in UPX; the autoit_exe hit is on the later (952-148) dump only, consistent with the UPX stub having unpacked the AutoIt payload in memory by then.
Drops file in System32 directory (6 IoCs)
  File opened for modification  C:\WINDOWS\SysWOW64\wbem\ankty.exe  f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe
  File created                  C:\WINDOWS\SysWOW64\run.exe  f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe
  File opened for modification  C:\WINDOWS\SysWOW64\run.exe  f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe
  File created                  C:\WINDOWS\SysWOW64\????.reg  f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe  (file name as rendered in the report)
  File opened for modification  C:\WINDOWS\system32\devmgmt.msc  mmc.exe
  File created                  C:\WINDOWS\SysWOW64\wbem\ankty.exe  f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe
Drops file in Windows directory (57 IoCs)
  All 57 are precompiled INF files (C:\Windows\INF\<name>.PNF) created by mmc.exe, the Device Manager instance (PID 4068), as a normal side effect of opening devmgmt.msc; none of them is written by the sample or by run.exe. Names in report order:
  c_fscontinuousbackup, c_holographic, c_fscompression, c_media, c_volume, c_camera, c_scmdisk, c_smrvolume, c_cashdrawer, ts_generic, c_computeaccelerator, c_fscontentscreener, c_diskdrive, c_fsantivirus, c_fsactivitymonitor, c_receiptprinter, c_fssecurityenhancer, c_ucm, c_proximity, c_fsquotamgmt, c_swcomponent, xusb22, rawsilo, c_fshsm, c_fsvirtualization, dc1-controller, c_fsphysicalquotamgmt, c_netdriver, c_firmware, c_fssystem, wsdprint, miradisp, c_sslaccel, c_monitor, remoteposdrv, c_apo, c_smrdisk, c_barcodescanner, c_fscfsmetadataserver, c_fsinfrastructure, digitalmediadevice, c_fssystemrecovery, rdcameradriver, c_magneticstripereader, c_fsreplication, oposdrv, PerceptionSimulationSixDof, c_linedisplay, c_fsopenfilebackup, c_mcx, c_display, c_fscopyprotection, c_fsencryption, c_extension, c_fsundelete, c_processor, c_scmvolume
Launches sc.exe (2 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid 4568  sc.exe
  pid 4648  sc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  In this run the storage activity (see the SCSI registry IoCs below) is performed by mmc.exe hosting devmgmt.msc, which enumerates devices by design; on its own it is not evidence of ransomware.
Checks SCSI registry key(s) (3 TTPs, 20 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All 20 are by mmc.exe (Device Manager reading its own device tree, not the sample probing for a VM), under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\:
  Key opened         DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
  Key opened         CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  Key opened         CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A
  Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\
  Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom
  Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom
  Key opened         CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002
  Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags
  Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName
  Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName
  Key opened         CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key opened         CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Key opened         CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
  Key value queried  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\
  Key opened         CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A
  Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags
  Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
  Key opened         CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
  Key opened         Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings  (cmd.exe)
Runs .reg file with regedit (1 IoC)
  pid 4320  regedit.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4068  mmc.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: 33                          pid 4068  mmc.exe
  Token: SeIncBasePriorityPrivilege  pid 4068  mmc.exe
  Token: 33                          pid 4068  mmc.exe
  Token: SeIncBasePriorityPrivilege  pid 4068  mmc.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 4372  mmc.exe
  pid 4068  mmc.exe
  pid 4068  mmc.exe
Suspicious use of WriteProcessMemory (35 IoCs)
  The 35 records reduce to the 12 writer-to-target pairs below; each pair is logged three times (the last one twice). Every target is a process the writer itself has just started, so these are the writes a parent makes into a new child during process creation, not injection into an unrelated process. Columns: writer pid, writer image, target pid, procid_target.
  952   f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe  -> 2700  (84)
  2700  cmd.exe  -> 4320  (86)
  952   f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe  -> 2000  (87)
  2000  run.exe  -> 3292  (88)
  3292  cmd.exe  -> 4568  (90)
  3292  cmd.exe  -> 4648  (91)
  3292  cmd.exe  -> 4680  (92)
  4680  cmd.exe  -> 1404  (93)
  4680  cmd.exe  -> 4564  (94)
  3292  cmd.exe  -> 204   (95)
  3292  cmd.exe  -> 4372  (96)
  4372  mmc.exe  -> 4068  (97)
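The process chain can be recovered from the WriteProcessMemory records alone, and the same records let you tell process creation from injection. The Python below is an added example, not part of the sandbox report: it parses the 35 records (copied from the signature above, with the sample's long file name substituted through a variable), collapses the repeated writes into unique writer-to-target edges, renders the tree, and checks every write target against the parent/child relationships from the Processes section of this report (the PROCESSES table). A parent writing into a child it has just created is ordinary start-up; a write into any other process is the pattern to escalate. The one record in the final sanity check that mentions x.exe is constructed to exercise that path and does not occur in the report.

```python
import re

SAMPLE = "f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe"

# The 35 records of the "Suspicious use of WriteProcessMemory" signature, in report
# order, one per line (description, pid, Process, procid_target). Copied from the
# report; only the sample's file name is substituted through SAMPLE for readability.
WPM_RECORDS = f"""
PID 952 wrote to memory of 2700 952 {SAMPLE} 84
PID 952 wrote to memory of 2700 952 {SAMPLE} 84
PID 952 wrote to memory of 2700 952 {SAMPLE} 84
PID 2700 wrote to memory of 4320 2700 cmd.exe 86
PID 2700 wrote to memory of 4320 2700 cmd.exe 86
PID 2700 wrote to memory of 4320 2700 cmd.exe 86
PID 952 wrote to memory of 2000 952 {SAMPLE} 87
PID 952 wrote to memory of 2000 952 {SAMPLE} 87
PID 952 wrote to memory of 2000 952 {SAMPLE} 87
PID 2000 wrote to memory of 3292 2000 run.exe 88
PID 2000 wrote to memory of 3292 2000 run.exe 88
PID 2000 wrote to memory of 3292 2000 run.exe 88
PID 3292 wrote to memory of 4568 3292 cmd.exe 90
PID 3292 wrote to memory of 4568 3292 cmd.exe 90
PID 3292 wrote to memory of 4568 3292 cmd.exe 90
PID 3292 wrote to memory of 4648 3292 cmd.exe 91
PID 3292 wrote to memory of 4648 3292 cmd.exe 91
PID 3292 wrote to memory of 4648 3292 cmd.exe 91
PID 3292 wrote to memory of 4680 3292 cmd.exe 92
PID 3292 wrote to memory of 4680 3292 cmd.exe 92
PID 3292 wrote to memory of 4680 3292 cmd.exe 92
PID 4680 wrote to memory of 1404 4680 cmd.exe 93
PID 4680 wrote to memory of 1404 4680 cmd.exe 93
PID 4680 wrote to memory of 1404 4680 cmd.exe 93
PID 4680 wrote to memory of 4564 4680 cmd.exe 94
PID 4680 wrote to memory of 4564 4680 cmd.exe 94
PID 4680 wrote to memory of 4564 4680 cmd.exe 94
PID 3292 wrote to memory of 204 3292 cmd.exe 95
PID 3292 wrote to memory of 204 3292 cmd.exe 95
PID 3292 wrote to memory of 204 3292 cmd.exe 95
PID 3292 wrote to memory of 4372 3292 cmd.exe 96
PID 3292 wrote to memory of 4372 3292 cmd.exe 96
PID 3292 wrote to memory of 4372 3292 cmd.exe 96
PID 4372 wrote to memory of 4068 4372 mmc.exe 97
PID 4372 wrote to memory of 4068 4372 mmc.exe 97
"""

# Parent pid and image of every process in the Processes section of the report,
# pid -> (parent pid, image). Ground truth that the write targets are checked against.
PROCESSES = {
    952: (None, SAMPLE), 2700: (952, "cmd.exe"), 4320: (2700, "regedit.exe"),
    2000: (952, "run.exe"), 3292: (2000, "cmd.exe"), 4568: (3292, "sc.exe"),
    4648: (3292, "sc.exe"), 4680: (3292, "cmd.exe"), 1404: (4680, "reg.exe"),
    4564: (4680, "findstr.exe"), 204: (3292, "reg.exe"), 4372: (3292, "mmc.exe"),
    4068: (4372, "mmc.exe"),
}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Unique (writer_pid, target_pid, writer_image) edges in log order; the sandbox
    logs one record per call and a parent writes into a new child more than once."""
    edges, seen = [], set()
    for m in RECORD_RE.finditer(text):
        writer, target, image = int(m.group(1)), int(m.group(2)), m.group(3)
        if (writer, target) not in seen:
            seen.add((writer, target))
            edges.append((writer, target, image))
    return edges


def build_tree(edges):
    """(roots, children): children maps pid -> [target pids]; roots were never written into."""
    children = {}
    for writer, target, _ in edges:
        children.setdefault(writer, []).append(target)
    targets = {t for _, t, _ in edges}
    return [p for p in children if p not in targets], children


def render(pid, children, depth=0):
    """Indented text lines for the subtree under pid, images taken from PROCESSES."""
    lines = [f"{'    ' * depth}{pid} {PROCESSES.get(pid, (None, '?'))[1]}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, depth + 1))
    return lines


def cross_process_writes(edges):
    """Writes whose target was not created by the writer (per PROCESSES): the
    injection pattern. A parent writing into its own new child is normal start-up."""
    return [(w, t) for w, t, _ in edges if PROCESSES.get(t, (None, None))[0] != w]


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    roots, children = build_tree(edges)
    for root in roots:
        print("\n".join(render(root, children)))
    print("writes into processes the writer did not create:", cross_process_writes(edges))
```

Run as a script it prints the same tree as the Processes section, with an empty list at the end; feed it a report where the list is not empty and you have found the process worth dumping.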
Processes
The sample runs under WOW64 (SysWOW64 image paths, arch:x86 tag), so the C:\WINDOWS\system32\... paths in its command lines are redirected to C:\WINDOWS\SysWOW64\, which is where the dropped files listed above actually land. The batch file run by PID 3292 disables the System Restore service, sets Windows Update to manual start, enumerates adapter GUIDs under the network class key {4D36E972-E325-11CE-BFC1-08002BE10318}, writes IpCheckingEnabled=0 under one adapter's Connection key, and then opens Device Manager. Children are indented under their parent; the signatures attributed to each process follow its command line.

C:\Users\Admin\AppData\Local\Temp\f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe
    "C:\Users\Admin\AppData\Local\Temp\f0546b3ff09bea4b1a3cb26b11136a3388a217920163b374f48bff1b8713661f.exe"  (PID 952)
    Drops file in System32 directory; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c regedit /s "C:\WINDOWS\system32\????.reg"  (PID 2700)
      Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regedit.exe
        regedit /s "C:\WINDOWS\system32\????.reg"  (PID 4320)
        Runs .reg file with regedit
  C:\WINDOWS\SysWOW64\run.exe
      C:\WINDOWS\system32\run.exe  (PID 2000)
      Executes dropped EXE; Suspicious use of WriteProcessMemory
    C:\WINDOWS\SysWOW64\cmd.exe
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt1145.bat C:\WINDOWS\system32\run.exe  (PID 3292)
        Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sc.exe
          sc config srservice start= DISABLED  (PID 4568)
          Launches sc.exe
      C:\Windows\SysWOW64\sc.exe
          sc config wuauserv start= DEMAND  (PID 4648)
          Launches sc.exe
      C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} | findstr "}\\{"  (PID 4680)
          Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe
            reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}  (PID 1404)
        C:\Windows\SysWOW64\findstr.exe
            findstr "}\\{"  (PID 4564)
      C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{07374750-E68B-490E-9330-9FD785CD71B6}\Connection /v IpCheckingEnabled /t REG_DWORD /d 0 /f  (PID 204)
      C:\Windows\SysWOW64\mmc.exe
          "C:\Windows\system32\mmc.exe" "C:\WINDOWS\system32\devmgmt.msc"  (PID 4372)
          Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        C:\Windows\system32\mmc.exe
            "C:\WINDOWS\system32\devmgmt.msc" "C:\WINDOWS\system32\devmgmt.msc"  (PID 4068)
            Drops file in System32 directory; Drops file in Windows directory; Checks SCSI registry key(s); Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
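The batch file's command lines map directly onto process-creation telemetry (Sysmon event 1 or Security event 4688 carry the same strings), which makes them a compact detection set. The Python below is an added example and is not part of the report or of any vendor rule set: it runs four checks over the command lines shown in the tree above, plus two constructed benign lines at the end of the list so the rules have something to leave alone. The report only shows srservice and wuauserv being changed; the extra services in the watch list (windefend, wscsvc, vss) are an assumption about what an analyst would add. The effect of writing IpCheckingEnabled=0 is not established by the report, so that rule simply matches the write the sample performs.

```python
import re

# Command lines as they appear in the process tree above, plus two constructed
# benign lines (marked) that must not produce findings.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c regedit /s "C:\WINDOWS\system32\????.reg"',
    r'regedit /s "C:\WINDOWS\system32\????.reg"',  # file name as rendered in the report
    r'C:\WINDOWS\system32\run.exe',
    r'cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt1145.bat C:\WINDOWS\system32\run.exe',
    r'sc config srservice start= DISABLED',
    r'sc config wuauserv start= DEMAND',
    r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network'
    r'\{4D36E972-E325-11CE-BFC1-08002BE10318}\{07374750-E68B-490E-9330-9FD785CD71B6}'
    r'\Connection /v IpCheckingEnabled /t REG_DWORD /d 0 /f',
    r'"C:\Windows\system32\mmc.exe" "C:\WINDOWS\system32\devmgmt.msc"',
    r'sc query wuauserv',                                              # constructed, benign
    r'reg add HKCU\Software\Contoso /v Setting /t REG_DWORD /d 1 /f',  # constructed, benign
]

# Services the sample reconfigures (from the report) plus defensive services an
# analyst would normally watch as well (assumption, not from the report).
WATCHED_SERVICES = {
    "srservice": "System Restore (set to DISABLED by the sample)",
    "wuauserv": "Windows Update (set to DEMAND by the sample)",
    "windefend": "Microsoft Defender Antivirus (assumed addition)",
    "wscsvc": "Security Center (assumed addition)",
    "vss": "Volume Shadow Copy (assumed addition)",
}
NETWORK_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002BE10318}"  # key used by the sample

SC_CONFIG_RE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*(\S+)", re.I)
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(\S+)\s+/v\s+(\S+)\s+/t\s+REG_DWORD\s+/d\s+(\S+)", re.I)
REGEDIT_SILENT_RE = re.compile(r'\bregedit(?:\.exe)?\s+[/-]s\s+"?([^"\s]+)', re.I)
BAT_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"?([^"\s]+\.bat)\b', re.I)


def classify(cmdline):
    """Return a list of (rule, detail) findings for one process-creation command line."""
    findings = []
    m = SC_CONFIG_RE.search(cmdline)
    if m and m.group(1).lower() in WATCHED_SERVICES:
        findings.append(("service_start_changed", f"{m.group(1).lower()} -> {m.group(2).upper()}"))
    m = REG_ADD_RE.search(cmdline)
    if (m and NETWORK_CLASS_GUID.lower() in m.group(1).lower()
            and m.group(2).lower() == "ipcheckingenabled" and m.group(3) == "0"):
        findings.append(("adapter_ipcheckingenabled_cleared", m.group(1)))
    m = REGEDIT_SILENT_RE.search(cmdline)
    if m:  # silent .reg import; the imported file is the detail
        findings.append(("regedit_silent_import", m.group(1)))
    m = BAT_RE.search(cmdline)
    if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
        findings.append(("batch_from_user_temp", m.group(1)))
    return findings


def scan(cmdlines):
    """Run classify over many command lines; returns [(rule, detail, cmdline)]."""
    return [(rule, detail, c) for c in cmdlines for rule, detail in classify(c)]


if __name__ == "__main__":
    for rule, detail, cmdline in scan(SAMPLE_CMDLINES):
        print(f"{rule:36} {detail}")
```

Both the cmd.exe wrapper and the regedit.exe child match the silent-import rule, which is what you want when either process is missing from the telemetry; deduplicate on the parent/child pair if it is noisy in your environment.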
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
  MD5: 0954fd607cc796e06b1277ef7ef334b3
  SHA1: d6b3cfcf345d03ea4c984ba4f259acd13cc24deb
  SHA256: 97f6a06e54b947a90375b61d469a3785c356266ae5bde438e313989383d5466a
  SHA512: 4db0fa0e86998b4319ebe8dc466c158a9e6baf102f33f720fb5a794daf30214f3b63ff3c7a62d5690dbad220ee2e03762f8f67650f1d042757cd620b1b025886
Filesize: 147KB (listed twice in the report with identical hashes)
  MD5: ca0654649f0aa19ba7f89d5fd4c64271
  SHA1: 98422bd3bc3da7c5190c2b156b967779b6183632
  SHA256: fb0c456440758ce3efd40a73616f8ac0d2ff6d4a6d14d150ae996f30a38ffee4
  SHA512: ba6083ea336c4516b7d46c953382e7ff95199577f20ae3645dbd1e1705bbe2aafb777e30a61cc36aece4eac3292e7e81344733622e1628fd257d17f0021a2db8