Analysis
- max time kernel: 233s
- max time network: 407s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 18:53

Static task: static1

Behavioral task: behavioral1
- Sample: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- Resource: win10v2004-20220901-en
General
- Target: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- Size: 15.8MB
- MD5: 49464f49275e8d058749de05e072ad1e
- SHA1: d92206c84b249f140e9d56d2508793ec693f4e1f
- SHA256: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006
- SHA512: 0c714aed1c5ddeb51d6103e132ace466275975edd1e4ef7edabcc4422fb1918e47f43e0f8731729c973aaf810589a6506fa183b897cf9f16efcb8a097b44fa91
- SSDEEP: 393216:rk6YLfSunp9MeiwRonMyfAA0TW5n8eSbkH3yuQFrA9moDW46A:w6aflnp9MeiCongoGeSbkXAA9mo/
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes: SHOWDRIVE.EXE, PECMD.EXE, omnifs32.EXE
- pid 684: SHOWDRIVE.EXE
- pid 1044: PECMD.EXE
- pid 1344: omnifs32.EXE

yara_rule matches (resource: rule)
- \Windows\SysWOW64\PECMD.EXE: upx
- \Windows\SysWOW64\PECMD.EXE: upx
- C:\Windows\SysWOW64\PECMD.EXE: upx
- behavioral1/memory/1044-64-0x0000000000400000-0x0000000000501000-memory.dmp: upx

Loads dropped DLL (5 IoCs)
Processes: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe, cmd.exe
- pid 1504: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe (4 loads)
- pid 556: cmd.exe
Enumerates connected drives (3 TTPs, 28 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe, SHOWDRIVE.EXE, omnifs32.EXE, PECMD.EXE
- d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe: File opened (read-only) \??\z: \??\m: \??\w: \??\x: \??\o: \??\e: \??\r: \??\u: \??\a: \??\i: \??\y: \??\l: \??\v: \??\b: \??\f: \??\g: \??\h: \??\s: \??\t: \??\j: \??\n: \??\p: \??\k: \??\q:
- SHOWDRIVE.EXE: File opened (read-only) \??\D:
- omnifs32.EXE: File opened (read-only) \??\E: \??\D:
- PECMD.EXE: File opened (read-only) \??\E:
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: omnifs32.EXE
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (omnifs32.EXE)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (omnifs32.EXE)

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: omnifs32.EXE
- File opened for modification: \??\PhysicalDrive0 (omnifs32.EXE)
Drops file in System32 directory (9 IoCs)
Processes: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe, cmd.exe
- File opened for modification: C:\Windows\SysWOW64\PECMD.EXE (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)
- File opened for modification: C:\Windows\SysWOW64\omnifs32.EXE (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)
- File created: C:\Windows\SysWOW64\omnifs.txt (cmd.exe)
- File created: C:\Windows\SysWOW64\Readme.txt (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)
- File created: C:\Windows\SysWOW64\SHOWDRIVE.EXE (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)
- File opened for modification: C:\Windows\SysWOW64\SHOWDRIVE.EXE (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)
- File created: C:\Windows\SysWOW64\PECMD.EXE (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)
- File created: C:\Windows\SysWOW64\omnifs32.EXE (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)
- File opened for modification: C:\Windows\SysWOW64\Readme.txt (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe)

Drops file in Windows directory (1 IoCs)
Processes: cmd.exe
- File created: C:\Windows\efi.txt (cmd.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- pid 1504: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: PECMD.EXE
- Token: 33, pid 1044 (PECMD.EXE)
- Token: SeIncBasePriorityPrivilege, pid 1044 (PECMD.EXE)

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: PECMD.EXE
- pid 1044: PECMD.EXE
- pid 1044: PECMD.EXE

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe, cmd.exe
- PID 1504 (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe) wrote to memory of PID 684 (SHOWDRIVE.EXE), 4 times
- PID 1504 (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe) wrote to memory of PID 1044 (PECMD.EXE), 4 times
- PID 1504 (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe) wrote to memory of PID 928 (cmd.exe), 4 times
- PID 1504 (d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe) wrote to memory of PID 556 (cmd.exe), 4 times
- PID 556 (cmd.exe) wrote to memory of PID 1344 (omnifs32.EXE), 4 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\SHOWDRIVE.EXE
    Command line: SHOWDRIVE.EXE
    - Executes dropped EXE
    - Enumerates connected drives
  - [2] C:\Windows\SysWOW64\PECMD.EXE
    Command line: PECMD.EXE show -1:-1
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit>C:\Windows\efi.txt
    - Drops file in Windows directory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c omnifs32.exe -nousb -noide info>omnifs.txt
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\omnifs32.EXE
      Command line: omnifs32.exe -nousb -noide info
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Writes to the Master Boot Record (MBR)
Downloads