f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6

General

Target

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
Size

3.1MB
MD5

f83f87dfef22041914378efb6f8423af
SHA1

d0069f4296d7be73643176fdd8c35e5f6e04faf2
SHA256

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6
SHA512

b20fad0f22221ac27c9b57d16ac5b012284b2e23850f8edcc5b2736e6d43b3e6e7e9c8726042759256a86f01ae676ec56e2f3dfc20e7042ab34adae3a5332742

Score

9^/10

evasion trojan upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\Fusion.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\Fusion.dll	acprotect

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\Fusion.dll	upx
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\Fusion.dll	upx
behavioral2/memory/4420-133-0x0000000003370000-0x00000000034BB000-memory.dmp	upx
behavioral2/memory/4420-136-0x0000000003370000-0x00000000034BB000-memory.dmp	upx
behavioral2/memory/4420-137-0x0000000003370000-0x00000000034BB000-memory.dmp	upx
behavioral2/memory/4420-139-0x0000000003370000-0x00000000034BB000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

pid	process
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

Drops file in Program Files directory 1 IoCs

Processes:

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

description ioc process

File created C:\Program Files (x86)\0E56BFBB.log f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files (x86)\0E56BFBB.log	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

pid	process
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

description	pid	process
Token: SeShutdownPrivilege	4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
Token: SeCreatePagefilePrivilege	4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

pid	process
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
4420	f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe

C:\Users\Admin\AppData\Local\Temp\f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe
"C:\Users\Admin\AppData\Local\Temp\f6f7ae2080f13aa9580b152244df5ac034388af6f8e02df1ca45ae30b30199f6.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\Fusion.dll
Filesize
108KB

MD5
076adb95db33372ffeddd683468433b2

SHA1
202ff24cff3193e15ecd19ce5f0c808efa6951bf

SHA256
bed0a8d26ba7941779a08f29d5b6e6595bac749b5bda1628e81f4cfefab809c7

SHA512
ca4f88a6476ec63f3c95230ffb39906fcf622a38fc347eb59ca7edaa176af10d8b4a4c77433c0614c11091312c66899462e45505789dd8c8595c3c50486ca1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\Fusion.dll
Filesize
108KB

MD5
076adb95db33372ffeddd683468433b2

SHA1
202ff24cff3193e15ecd19ce5f0c808efa6951bf

SHA256
bed0a8d26ba7941779a08f29d5b6e6595bac749b5bda1628e81f4cfefab809c7

SHA512
ca4f88a6476ec63f3c95230ffb39906fcf622a38fc347eb59ca7edaa176af10d8b4a4c77433c0614c11091312c66899462e45505789dd8c8595c3c50486ca1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\InstOpt.dll
Filesize
43KB

MD5
a38b1d46b62119cfdd8e52ccfcbe399f

SHA1
6a73f2126d20774ec11aa223a143fef378a968a2

SHA256
4c9a7bb179a51786e7d83451790e3c747407134b7ddf857f7180b736baa57a18

SHA512
4abf36119977d19c9192f94476c8978cff8a45a2270be9b92b28a60a4e6f974d764b895c4a23f603d8358792009fc8d68f6cffbb694a41bd77f589a31ddfe16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\InstOpt.dll
Filesize
43KB

MD5
a38b1d46b62119cfdd8e52ccfcbe399f

SHA1
6a73f2126d20774ec11aa223a143fef378a968a2

SHA256
4c9a7bb179a51786e7d83451790e3c747407134b7ddf857f7180b736baa57a18

SHA512
4abf36119977d19c9192f94476c8978cff8a45a2270be9b92b28a60a4e6f974d764b895c4a23f603d8358792009fc8d68f6cffbb694a41bd77f589a31ddfe16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB676.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/4420-133-0x0000000003370000-0x00000000034BB000-memory.dmp

Filesize
1.3MB

Download
memory/4420-136-0x0000000003370000-0x00000000034BB000-memory.dmp

Filesize
1.3MB

Download
memory/4420-137-0x0000000003370000-0x00000000034BB000-memory.dmp

Filesize
1.3MB

Download
memory/4420-138-0x0000000003170000-0x0000000003270000-memory.dmp

Filesize
1024KB

Download
memory/4420-139-0x0000000003370000-0x00000000034BB000-memory.dmp

Filesize
1.3MB

Download
memory/4420-142-0x00000000050B0000-0x00000000050BF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads