Overview

overview

10

Static

static

fbf.exe

windows7_x64

10

fbf.exe

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbf.exe

  • Size

    249KB

  • MD5

    fbf3187db919beaddb30ae7e52bd9a49

  • SHA1

    d2891928551f2adff238547c7cae4e3fef7cc057

  • SHA256

    a83b8dfadf92be244ccc6b2964eea2f67e0c807befa3ab969a68ee321be583dd

  • SHA512

    1d609711a21609d3bc3df80d3616ef388f32e0adcb9af865bfa3aeb9c61f81e099e5591cdecbe5412a4ea18ef236043c977faad4245ae45fd58eeb15119715ab

Score
10/10
chinese_generic_botnetbotnetpersistence

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Chinese Botnet Payload 1 IoCs
    botnet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbf.exe
    "C:\Users\Admin\AppData\Local\Temp\fbf.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3592-116-0x0000000000400000-0x00000000004C4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/3592-115-0x0000000002200000-0x00000000022BC000-memory.dmp
    Filesize

    752KB

    Download
  • memory/3592-117-0x0000000010000000-0x0000000010018000-memory.dmp
    Filesize

    96KB

    Download