d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe
Size

240KB
MD5

ab719891e5c2fdbcf46dbba611c503f7
SHA1

fae3e946d1b0ed9c0911b8d34c749e68e29e7e10
SHA256

d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8
SHA512

c493b36267fa0f79dd8417a7c69f979f2eab25d7218253172521e79cf4bbf43257faaf53f2c01f9079fcc45763d907a2783f7d2809562e7b9a42408702a910af
SSDEEP

3072:BkBrtXT8j6VlpuBd90i/SmWKLi7CjFSivnfu3fbMdozt5czH/S:Bma0UGKGkFRKfeoztOe

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	sianao.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe

Executes dropped EXE 1 IoCs

pid	Process
4860	sianao.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /m"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /l"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /g"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /i"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /k"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /j"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /s"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /z"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /c"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /w"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /e"	sianao.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /r"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /f"	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /t"	sianao.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /o"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /p"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /n"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /b"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /f"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /h"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /q"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /d"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /x"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /u"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /y"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /v"	sianao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sianao = "C:\\Users\\Admin\\sianao.exe /a"	sianao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe
4896	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe
4860	sianao.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4896	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe
4860	sianao.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4860	4896	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe	80
PID 4896 wrote to memory of 4860	4896	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe	80
PID 4896 wrote to memory of 4860	4896	d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe	80

C:\Users\Admin\AppData\Local\Temp\d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe
"C:\Users\Admin\AppData\Local\Temp\d246e973a2f2204a2a19c79eb9b9a626fe5bfb9b104d67aa7a8287991cdcded8.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\sianao.exe
  "C:\Users\Admin\sianao.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sianao.exe

Filesize
240KB

MD5
664421328316a889ba9b1a53fc158566

SHA1
530bfe92477a5b1d21a2910ecc74807df1791a9b

SHA256
8760d143fb19b12b5783c6b3e4b5c24a644358f93669a1c368affbe0c713323b

SHA512
e4387b3081981096a91caf9ed1ec6ded6a176421f7d41369f60540a8e4c73c14a76187bcef87646221d73f584a0be36ca0fa5871b63079dcf0bfb29125ce2a12

Download Submit
C:\Users\Admin\sianao.exe

Filesize
240KB

MD5
664421328316a889ba9b1a53fc158566

SHA1
530bfe92477a5b1d21a2910ecc74807df1791a9b

SHA256
8760d143fb19b12b5783c6b3e4b5c24a644358f93669a1c368affbe0c713323b

SHA512
e4387b3081981096a91caf9ed1ec6ded6a176421f7d41369f60540a8e4c73c14a76187bcef87646221d73f584a0be36ca0fa5871b63079dcf0bfb29125ce2a12

Download Submit
memory/4860-134-0x0000000000000000-mapping.dmp

Download