Overview

overview

10

Static

static

fbf.exe

windows7_x64

10

fbf.exe

windows10_x64

10

Analysis

  • max time kernel
    565s
  • max time network
    576s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbf.exe

  • Size

    249KB

  • MD5

    fbf3187db919beaddb30ae7e52bd9a49

  • SHA1

    d2891928551f2adff238547c7cae4e3fef7cc057

  • SHA256

    a83b8dfadf92be244ccc6b2964eea2f67e0c807befa3ab969a68ee321be583dd

  • SHA512

    1d609711a21609d3bc3df80d3616ef388f32e0adcb9af865bfa3aeb9c61f81e099e5591cdecbe5412a4ea18ef236043c977faad4245ae45fd58eeb15119715ab

Score
10/10
chinese_generic_botnetbotnetpersistence

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet Payload 1 IoCs
    botnet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbf.exe
    "C:\Users\Admin\AppData\Local\Temp\fbf.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2484
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1192.0.950619275\1495569214" -parentBuildID 20200403170909 -prefsHandle 1516 -prefMapHandle 1500 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1192 "\\.\pipe\gecko-crash-server-pipe.1192" 1600 gpu
        3⤵
          PID:3020
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1192.3.1514248659\512633359" -childID 1 -isForBrowser -prefsHandle 2212 -prefMapHandle 1264 -prefsLen 500 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1192 "\\.\pipe\gecko-crash-server-pipe.1192" 2224 tab
          3⤵
            PID:2240
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1192.13.1439293297\1558605896" -childID 2 -isForBrowser -prefsHandle 3144 -prefMapHandle 3140 -prefsLen 1368 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1192 "\\.\pipe\gecko-crash-server-pipe.1192" 3152 tab
            3⤵
              PID:3704
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1192.20.712621250\1563055686" -childID 3 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 7430 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1192 "\\.\pipe\gecko-crash-server-pipe.1192" 3688 tab
              3⤵
                PID:3628
          • C:\Windows\ImmersiveControlPanel\SystemSettings.exe
            "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
            1⤵
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious use of SetWindowsHookEx
            PID:2596
          • C:\Windows\ImmersiveControlPanel\SystemSettings.exe
            "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
            1⤵
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3656

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          3
          T1012

          Peripheral Device Discovery

          2
          T1120

          System Information Discovery

          4
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\3060194815\335381474.pri
            MD5

            8c351c24a7c2efc552747667f284bfaf

            SHA1

            e652c65845f72bfa219c0637eb40514b5cc4d3fb

            SHA256

            6f0565f7e34f376ed12a61be071a04144263fc12c2aa04a398fa8e2ed1e7ecce

            SHA512

            e1f81c1051fa941321e6352950b7bdea2a6dba26ec06c9420ff6d1a4ff38778754eeebd024b8c770088735badb0ab13c522b9601129b03b2612fb5e2b2f35cbf

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms
            MD5

            4fcb2a3ee025e4a10d21e1b154873fe2

            SHA1

            57658e2fa594b7d0b99d02e041d0f3418e58856b

            SHA256

            90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

            SHA512

            4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

            Download Submit
          • memory/1192-119-0x0000000000000000-mapping.dmp
            Download
          • memory/2240-657-0x0000000000000000-mapping.dmp
            Download
          • memory/2484-115-0x00000000020E0000-0x000000000219C000-memory.dmp
            Filesize

            752KB

            Download
          • memory/2484-116-0x0000000000400000-0x00000000004C4000-memory.dmp
            Filesize

            784KB

            Download
          • memory/2484-117-0x0000000010000000-0x0000000010018000-memory.dmp
            Filesize

            96KB

            Download
          • memory/3020-347-0x0000000000000000-mapping.dmp
            Download
          • memory/3628-1259-0x0000000000000000-mapping.dmp
            Download
          • memory/3704-829-0x0000000000000000-mapping.dmp
            Download