6c2d5a8873e5d063329d0dd71328fa897a160ee24bf6f2effd5692a64bd8aac8

General

Target

Awaken.exe
Size

23KB
MD5

98f2861572ae00ee76c136d11e735a19
SHA1

ec491d408709da17497316c7fad40f19933aac71
SHA256

6c2d5a8873e5d063329d0dd71328fa897a160ee24bf6f2effd5692a64bd8aac8
SHA512

826c47d878c3d11b2be6103e20af15a7dd6a6a680e8edc4f5a9d5ab81a1939b730b58baa4c9ebc56eef3e44dec169108fad853c7e0d21cb7a6b58ef0d903dcb1
SSDEEP

384:wh7EY/KXlQivWYNs5MfgMaZBvi1NP72lVIrY23jDLg036wLX3+WX:FizDbcj/rY23jDLgiFLX3JX

Score

9^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000002aaf6-11.dat	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
5108	USBDeview.exe
4328	regjump.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	USBDeview.exe
File opened (read-only)	\??\F:	USBDeview.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	USBDeview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	USBDeview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1020	NOTEPAD.EXE

Runs regedit.exe 1 IoCs

pid	Process
1932	Regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5108	USBDeview.exe
5108	USBDeview.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1932	Regedit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	5108	USBDeview.exe
Token: SeUndockPrivilege	5108	USBDeview.exe
Token: SeRestorePrivilege	5108	USBDeview.exe
Token: SeImpersonatePrivilege	5108	USBDeview.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 3972	4020	Awaken.exe	92
PID 4020 wrote to memory of 3972	4020	Awaken.exe	92
PID 3972 wrote to memory of 5108	3972	cmd.exe	93
PID 3972 wrote to memory of 5108	3972	cmd.exe	93
PID 3972 wrote to memory of 5108	3972	cmd.exe	93
PID 4052 wrote to memory of 4964	4052	Awaken.exe	96
PID 4052 wrote to memory of 4964	4052	Awaken.exe	96
PID 1724 wrote to memory of 1716	1724	Awaken.exe	99
PID 1724 wrote to memory of 1716	1724	Awaken.exe	99
PID 1376 wrote to memory of 1000	1376	Awaken.exe	102
PID 1376 wrote to memory of 1000	1376	Awaken.exe	102
PID 1000 wrote to memory of 4328	1000	cmd.exe	103
PID 1000 wrote to memory of 4328	1000	cmd.exe	103
PID 1000 wrote to memory of 4328	1000	cmd.exe	103
PID 4328 wrote to memory of 1932	4328	regjump.exe	105
PID 4328 wrote to memory of 1932	4328	regjump.exe	105
PID 2692 wrote to memory of 1676	2692	Awaken.exe	108
PID 2692 wrote to memory of 1676	2692	Awaken.exe	108
PID 2692 wrote to memory of 3328	2692	Awaken.exe	109
PID 2692 wrote to memory of 3328	2692	Awaken.exe	109
PID 2692 wrote to memory of 1496	2692	Awaken.exe	110
PID 2692 wrote to memory of 1496	2692	Awaken.exe	110
PID 1496 wrote to memory of 1244	1496	cmd.exe	111
PID 1496 wrote to memory of 1244	1496	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\Awaken.exe
"C:\Users\Admin\AppData\Local\Temp\Awaken.exe"
1⤵
PID:3620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\Awaken.exe
"C:\Users\Admin\AppData\Local\Temp\Awaken.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\USBDeview.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Users\Admin\AppData\Local\Temp\USBDeview.exe
    C:\Users\Admin\AppData\Local\Temp\USBDeview.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108

C:\Users\Admin\AppData\Local\Temp\Awaken.exe
"C:\Users\Admin\AppData\Local\Temp\Awaken.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Windows\Prefetch
  2⤵
  - Modifies registry class
  PID:4964

C:\Users\Admin\AppData\Local\Temp\Awaken.exe
"C:\Users\Admin\AppData\Local\Temp\Awaken.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\%username%\AppData\Local\Temp
  2⤵
  - Modifies registry class
  PID:1716

C:\Users\Admin\AppData\Local\Temp\Awaken.exe
"C:\Users\Admin\AppData\Local\Temp\Awaken.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\regjump.exe HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\regjump.exe
    C:\Users\Admin\AppData\Local\Temp\regjump.exe HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\Regedit.exe
      C:\Windows\Regedit.exe
      4⤵
      Runs regedit.exe
      Suspicious behavior: GetForegroundWindowSpam
      PID:1932

C:\Users\Admin\AppData\Local\Temp\Awaken.exe
"C:\Users\Admin\AppData\Local\Temp\Awaken.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls || clear
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir JOURNAL_LOGS
  2⤵
  PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd JOURNAL_LOGS && fsutil usn readjournal c: csv > JOURNAL.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal c: csv
    3⤵
    PID:1244

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\JOURNAL_LOGS\JOURNAL.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
84948adf6f11879973c68667a3171059

SHA1
3824b1866b483690cb38c1b8c11f746857eb3855

SHA256
0bd0435c305a4b89ff325b35780acc26cc69255a3fa197ff442daca6f0053100

SHA512
3acedbec130d7ff1ae5d446397c7b1e782c80e034d62c17e18ec495758ef4b5534bcb14618e9285487dc33d4286a46f57d5cb6adc6cb48185f38bafa9b260834

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
0f2649db596b03c08a824b9f191f8896

SHA1
3ede0609e4afbfb13eab5819731535b02b0e11b2

SHA256
a14a4b4b7e499b8b03dd2d903fdb4c3b88781e31bde391301c5ff77e5d592d14

SHA512
3448ef881a178514b15d2434902315117c0b28f4d6f8824d27b8132742ae3c439c535e7dbd5f81817d0f52395c7cadea2ca7c1fe2ea8822e3fa4f8bfa8993d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOURNAL_LOGS\JOURNAL.txt

Filesize
14.6MB

MD5
1bdbebebc8f13b9a6d2a48cd86a51b1b

SHA1
a65f625b884490d927bbcf5ef4b2206128a069a6

SHA256
20b3ae3cf6031bcf7ce169df1ff7f50a2404ef9f34f41b3165f6bf3fc3908057

SHA512
31157fe6671fd3d0e036d25f80de5ab6bd0627118b099496dfae86846590ffb73494f6e1befc348c167c802754f0cbe9646348b5cdf66b28b82753ef208d1ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDeview.cfg

Filesize
1KB

MD5
418b7f7b2b7d9d8f66910c4ecd895ec8

SHA1
905ff54cfb4a4f322f39acdfb5f2d5b33fae2fe6

SHA256
05462ca514e3ba90b52e8e7f8f367d45d5d3ce01819ec37317b452b6819be3a8

SHA512
c3c39255c6d0524457c56c7fa353e98fbcabe5c3175284416fd23bc985f0c09d525ffae0d95f680037d45ccc32396840de947c62ea923debc493ce6355822fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBDeview.exe

Filesize
137KB

MD5
fe52a297e008ede4ab2e537fad49c288

SHA1
a078c041a85bac3686bbdd766905f7c39e604e0c

SHA256
d9c7c59bbcaea076172f87c4e6fd042e891306ba08a55a007bb58657818f7902

SHA512
267ffea68e4140a69593b537d1a0088e8e72a162cb286508c6ee5c4b42dcd118d2ee8c9c790c1a943ea29dcb287e71c44f8767bf1b9496592e3bab5f27705e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\regjump.exe

Filesize
357KB

MD5
0754f552bf43d0ea03e7ffae3764f76c

SHA1
003a0cee6fdcdba86ccd2241213d827f462fcb7c

SHA256
d9b8b767e7dd8253d4eb6883ed168f0c6ac89a7ea589a67d9fad1d04fb9acbab

SHA512
3901126a6c8826df816d76c37759c8a09b46bfd54a31abb3f1e55396aeae6f21e5afb78da9520dfeb2d63099269e7c7258288862fbde5a8a16b08e5a55e23d88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads