Analysis
- max time kernel: 91s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 18:53

Static task: static1

Behavioral task: behavioral1
- Sample: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- Resource: win10v2004-20220901-en

General
- Target: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- Size: 15.8MB
- MD5: 49464f49275e8d058749de05e072ad1e
- SHA1: d92206c84b249f140e9d56d2508793ec693f4e1f
- SHA256: d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006
- SHA512: 0c714aed1c5ddeb51d6103e132ace466275975edd1e4ef7edabcc4422fb1918e47f43e0f8731729c973aaf810589a6506fa183b897cf9f16efcb8a097b44fa91
- SSDEEP: 393216:rk6YLfSunp9MeiwRonMyfAA0TW5n8eSbkH3yuQFrA9moDW46A:w6aflnp9MeiCongoGeSbkXAA9mo/
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    5024  SHOWDRIVE.EXE
    4844  PECMD.EXE
    3460  omnifs32.EXE
- Processes:
    resource                                                                       yara_rule
    C:\Windows\SysWOW64\PECMD.EXE                                                  upx
    C:\Windows\SysWOW64\PECMD.EXE                                                  upx
    behavioral2/memory/4844-138-0x0000000000400000-0x0000000000501000-memory.dmp  upx
    behavioral2/memory/4844-139-0x0000000000400000-0x0000000000501000-memory.dmp  upx
- Enumerates connected drives (3 TTPs, 28 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\E:  PECMD.EXE
    File opened (read-only)  \??\z:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\e:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\a:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\h:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\v:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\D:  omnifs32.EXE
    File opened (read-only)  \??\i:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\m:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\s:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\D:  SHOWDRIVE.EXE
    File opened (read-only)  \??\j:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\o:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\q:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\w:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\y:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\f:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\r:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\b:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\n:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\p:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\t:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\x:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\l:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\u:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\g:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\k:  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened (read-only)  \??\E:  omnifs32.EXE
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                         process
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    omnifs32.EXE
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  omnifs32.EXE
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                  process
    File opened for modification  \??\PhysicalDrive0   omnifs32.EXE
- Drops file in System32 directory (9 IoCs)
  Processes:
    description                   ioc                                process
    File opened for modification  C:\Windows\SysWOW64\SHOWDRIVE.EXE  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File created                  C:\Windows\SysWOW64\omnifs32.EXE   d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File created                  C:\Windows\SysWOW64\Readme.txt     d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened for modification  C:\Windows\SysWOW64\Readme.txt     d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File created                  C:\Windows\SysWOW64\SHOWDRIVE.EXE  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File created                  C:\Windows\SysWOW64\PECMD.EXE      d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened for modification  C:\Windows\SysWOW64\PECMD.EXE      d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File opened for modification  C:\Windows\SysWOW64\omnifs32.EXE   d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
    File created                  C:\Windows\SysWOW64\omnifs.txt     cmd.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    description   ioc                  process
    File created  C:\Windows\efi.txt   cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                         pid   process
    Token: 33                           4844  PECMD.EXE
    Token: SeIncBasePriorityPrivilege   4844  PECMD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    4844  PECMD.EXE
    4844  PECMD.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                        pid   process                                                                target process
    PID 5012 wrote to memory of 5024   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  SHOWDRIVE.EXE
    PID 5012 wrote to memory of 5024   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  SHOWDRIVE.EXE
    PID 5012 wrote to memory of 5024   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  SHOWDRIVE.EXE
    PID 5012 wrote to memory of 4844   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  PECMD.EXE
    PID 5012 wrote to memory of 4844   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  PECMD.EXE
    PID 5012 wrote to memory of 4844   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  PECMD.EXE
    PID 5012 wrote to memory of 4476   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  cmd.exe
    PID 5012 wrote to memory of 4476   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  cmd.exe
    PID 5012 wrote to memory of 4476   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  cmd.exe
    PID 5012 wrote to memory of 4708   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  cmd.exe
    PID 5012 wrote to memory of 4708   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  cmd.exe
    PID 5012 wrote to memory of 4708   5012  d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe  cmd.exe
    PID 4708 wrote to memory of 3460   4708  cmd.exe                                                                omnifs32.EXE
    PID 4708 wrote to memory of 3460   4708  cmd.exe                                                                omnifs32.EXE
    PID 4708 wrote to memory of 3460   4708  cmd.exe                                                                omnifs32.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\SHOWDRIVE.EXE
    Command line: SHOWDRIVE.EXE
    - Executes dropped EXE
    - Enumerates connected drives
  - C:\Windows\SysWOW64\PECMD.EXE
    Command line: PECMD.EXE show -1:-1
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit>C:\Windows\efi.txt
    - Drops file in Windows directory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c omnifs32.exe -nousb -noide info>omnifs.txt
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omnifs32.EXE
      Command line: omnifs32.exe -nousb -noide info
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\SysWOW64\PECMD.EXE
  Filesize: 479KB
  MD5: ae1b31ab58dbb8e65cc261b527a0a5dd
  SHA1: 502505378077bdcc4286907b39808476da2df3fd
  SHA256: c4e87136d140c22b097ec6ae608d4056327eb4eb45299e92032f1cb6ec279811
  SHA512: f1eec1fece457bb9e3448f98288d1974aca27609710d1142b8a9bda5697561fe2ef764ca90044d5ee10b9048bf7f80fade913cdb99bea0e2764fd8c31297e1ef
- C:\Windows\SysWOW64\SHOWDRIVE.EXE
  Filesize: 28KB
  MD5: 9dcc76e36021f25312903377500566e2
  SHA1: c74d638a38e3b842b8a06958e96b11081de8d1e4
  SHA256: c1863cecf48d4e0dc26326081a6bc6d6975e86d9b395fa6e49eaec632ad1c5b7
  SHA512: ab751b0427ce78225f2bfa686a643aebccad7b60094c27c3a75e80bfc975dccc6aa9ae96761ca218069dc22d4161fb7837a14287dcd9287af3f35e84c2b08c5d
- C:\Windows\SysWOW64\omnifs.txt
  Filesize: 233B
  MD5: 609b5ab796ec387443ec62797a319181
  SHA1: d0b1ef2e61147ced789363e9ec76759d95f96230
  SHA256: 809d158a5c910150091d1fc90f657acd2447604bae8e220aae979c2d2874c90b
  SHA512: 630dfd7a9b75779c24f27302c2c6d3d073e15e59601a0b537f513df31a7131af97c4b59f414458a2891a68492fdfbe7c316332055ba4f45f78aefe186e1e0a55
- C:\Windows\SysWOW64\omnifs32.EXE
  Filesize: 2.3MB
  MD5: 70b6a76178479d237a2c23b86d6c06d9
  SHA1: 3bfd492082e3958a1038685ad9e17800510e94e1
  SHA256: ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7
  SHA512: 596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd
- memory/3460-142-0x0000000000000000-mapping.dmp
- memory/4476-140-0x0000000000000000-mapping.dmp
- memory/4708-141-0x0000000000000000-mapping.dmp
- memory/4844-135-0x0000000000000000-mapping.dmp
- memory/4844-139-0x0000000000400000-0x0000000000501000-memory.dmp
  Filesize: 1.0MB
- memory/4844-138-0x0000000000400000-0x0000000000501000-memory.dmp
  Filesize: 1.0MB
- memory/5024-132-0x0000000000000000-mapping.dmp