Analysis
-
max time kernel
80s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2023 00:05
Behavioral task
behavioral1
Sample
installer ransom.zip
Resource
win10v2004-20230915-en
Behavioral task
behavioral2
Sample
F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral3
Sample
installer.exe
Resource
win10v2004-20230915-en
General
-
Target
F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe
-
Size
1.1MB
-
MD5
842ae8e819177105e1a1af934b1ee520
-
SHA1
17104eca148dcd0e15ffb31e4c7a3defdd406d12
-
SHA256
f5c67fe00b4cbee07d5e394c87f0c6224bbd841a92151d04841f584d56e58b0c
-
SHA512
b92ecfb5c89996332dd674682694a111aee2bc26b21678c9e60dc592272b91a0f6e9d2a478528b6f257290c5ef43ed9d87d7fac3b8314e768144951333e4916d
-
SSDEEP
24576:zXdmFGXOGXlTztlj3RbjO7jlUIixAWLc7ARpTLzVONY/tx4:rdfLVTLjxwjlQntT/VO2x4
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 ipinfo.io 6 ipinfo.io -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 4376 F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe 4376 F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3912 taskmgr.exe Token: SeSystemProfilePrivilege 3912 taskmgr.exe Token: SeCreateGlobalPrivilege 3912 taskmgr.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe 3912 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe"C:\Users\Admin\AppData\Local\Temp\F5C67FE00B4CBEE07D5E394C87F0C6224BBD841A92151.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:4376
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3912