4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141

Analysis

max time kernel
40s
max time network
104s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/09/2022, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82abb3648ac3b46ce91801ae3d7bb2bc.exe
Size

648KB
MD5

82abb3648ac3b46ce91801ae3d7bb2bc
SHA1

52fd2d372bc658b40d87ea78d8eb3844128d022f
SHA256

4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141
SHA512

3b2685509eeb8ef519fc04ead0ce9c7c195ebb4d6e688bf057e9356650299063af94eb94db5cf93fe946dd79c47d46e86ce286a55bce0d89d0036b49f389ca26
SSDEEP

12288:nTcFngzqfSbTPw9/A813WS8UgjCSxAO9nax5+4LFJswwwUkVDTOQe:TcVkKSbTI948dWS81VaD5+KJswwwUkV6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
696	FME.exe
520	7zS0E510F2C.exe
272	FME.exe

Loads dropped DLL 3 IoCs

pid	Process
1504	82abb3648ac3b46ce91801ae3d7bb2bc.exe
696	FME.exe
520	7zS0E510F2C.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	FME.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	FME.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FME.exe = "0"	FME.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	FME.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FME.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MAIN	FME.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	FME.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	FME.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FMEV2\FME.exe:Stream:$DATA	FME.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\FMEV2\FME.exe:Stream:$DATA	FME.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
272	FME.exe
272	FME.exe
272	FME.exe
272	FME.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 696	1504	82abb3648ac3b46ce91801ae3d7bb2bc.exe	26
PID 1504 wrote to memory of 696	1504	82abb3648ac3b46ce91801ae3d7bb2bc.exe	26
PID 1504 wrote to memory of 696	1504	82abb3648ac3b46ce91801ae3d7bb2bc.exe	26
PID 1504 wrote to memory of 696	1504	82abb3648ac3b46ce91801ae3d7bb2bc.exe	26
PID 696 wrote to memory of 520	696	FME.exe	29
PID 696 wrote to memory of 520	696	FME.exe	29
PID 696 wrote to memory of 520	696	FME.exe	29
PID 520 wrote to memory of 272	520	7zS0E510F2C.exe	30
PID 520 wrote to memory of 272	520	7zS0E510F2C.exe	30
PID 520 wrote to memory of 272	520	7zS0E510F2C.exe	30

C:\Users\Admin\AppData\Local\Temp\82abb3648ac3b46ce91801ae3d7bb2bc.exe
"C:\Users\Admin\AppData\Local\Temp\82abb3648ac3b46ce91801ae3d7bb2bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\FME.exe
  .\FME.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\7zS0E510F2C.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\7zS0E510F2C.exe" "C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Users\Admin\AppData\Roaming\FMEV2\FME.exe
      "C:\Users\Admin\AppData\Roaming\FMEV2\FME.exe" /f "\\.\pipe\AHKGLHLLJAL" "C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      NTFS ADS
      Suspicious use of SetWindowsHookEx
      PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\7zS0E510F2C.exe

Filesize
1.2MB

MD5
b54db15d63a62135e062d1fe6c976e48

SHA1
b5c953eb6b587b0c4754c3913941ecd20a9ed634

SHA256
76881d20515d3d80564c7a9b929478183a6fe1a18324a549a330d69f9ca829e3

SHA512
51b8ab9753d144760bcc2a76f9283b6b92d105e3ea25dba9fd11c3da3caed2c7154cd633f83c0d6f3b48327f3dc2f11767ce139d0fe1b992a3cf2919fcdb037f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\7zS0E510F2C.exe

Filesize
1.2MB

MD5
b54db15d63a62135e062d1fe6c976e48

SHA1
b5c953eb6b587b0c4754c3913941ecd20a9ed634

SHA256
76881d20515d3d80564c7a9b929478183a6fe1a18324a549a330d69f9ca829e3

SHA512
51b8ab9753d144760bcc2a76f9283b6b92d105e3ea25dba9fd11c3da3caed2c7154cd633f83c0d6f3b48327f3dc2f11767ce139d0fe1b992a3cf2919fcdb037f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\FME.ahk

Filesize
3KB

MD5
8fe87b732781c30e1f207307d691cb5b

SHA1
bc2d9d8d13a057b906b21b5ff972db62f50d178b

SHA256
428b1158b162d0c1d964363f2161cd27e88c778529346abd3362074ca1ebbe0a

SHA512
c81edb9f06996e1efd855ab5ac16317f102b4c134714f6c9ffe09252b31ade282fc1327287cfc975972d2f7f38d9764f715e4a34bd289320ad487e2c38c5b192

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\FME.exe

Filesize
1.4MB

MD5
faf97b20932d084c24a9a8fedbe7c411

SHA1
916450cc9f7849d473ff43d2efcb407b91cd1032

SHA256
b4315573d40c93f155eb468ca03caf7c6bf9c86f58c3856afa7069bd23dbe684

SHA512
c089447d455d5a157df565f1d2f0ce279927f1f0dc0c4f0c596b3369ebe7177aee90d8bf490384d1dcdfde048cb12b3d68213fd5f920a5cc3a702f7dc0fdd7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\FME.exe

Filesize
1.4MB

MD5
faf97b20932d084c24a9a8fedbe7c411

SHA1
916450cc9f7849d473ff43d2efcb407b91cd1032

SHA256
b4315573d40c93f155eb468ca03caf7c6bf9c86f58c3856afa7069bd23dbe684

SHA512
c089447d455d5a157df565f1d2f0ce279927f1f0dc0c4f0c596b3369ebe7177aee90d8bf490384d1dcdfde048cb12b3d68213fd5f920a5cc3a702f7dc0fdd7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0E510F2C\file

Filesize
1.2MB

MD5
7ca945d0dda3bd9ae58f2299ff4b4777

SHA1
708b17203c6adfa657cc7c0dfacc506f02a74d3c

SHA256
e08601be80508225001dc527f8f1ba9e600effd3f571c17166963da77859c0a5

SHA512
d53c027b4c1327c15cf3e3f32252a41bb32645772e68c5e46f9637150898d637695c37503bc3ecc7be6fbae1baefdeb83a47d3abebdb6639372b4f7b111bfa12

Download Submit
C:\Users\Admin\AppData\Roaming\FMEV2\FME.exe

Filesize
1.4MB

MD5
faf97b20932d084c24a9a8fedbe7c411

SHA1
916450cc9f7849d473ff43d2efcb407b91cd1032

SHA256
b4315573d40c93f155eb468ca03caf7c6bf9c86f58c3856afa7069bd23dbe684

SHA512
c089447d455d5a157df565f1d2f0ce279927f1f0dc0c4f0c596b3369ebe7177aee90d8bf490384d1dcdfde048cb12b3d68213fd5f920a5cc3a702f7dc0fdd7f2

Download Submit
C:\Users\Admin\AppData\Roaming\FMEV2\FME.exe

Filesize
1.4MB

MD5
faf97b20932d084c24a9a8fedbe7c411

SHA1
916450cc9f7849d473ff43d2efcb407b91cd1032

SHA256
b4315573d40c93f155eb468ca03caf7c6bf9c86f58c3856afa7069bd23dbe684

SHA512
c089447d455d5a157df565f1d2f0ce279927f1f0dc0c4f0c596b3369ebe7177aee90d8bf490384d1dcdfde048cb12b3d68213fd5f920a5cc3a702f7dc0fdd7f2

Download Submit
C:\Users\Admin\AppData\Roaming\FMEV2\FME.json

Filesize
7KB

MD5
9ee6dbeae32ced31e75e3d9f09c1010c

SHA1
2d779cf8e32e715fe3503ab57abf3fbe94121415

SHA256
5692b512d70f9b40505918fa2fc0fe7d4277142c2e3c4aa27189962ea542ab2a

SHA512
2486abc176f75301aa3be55b6508dd8d0df8c44181eba67a874d3ae11213d7cdc1172aced9fc52a1f895c484ef557add4441033654a1a7b33a234d308b243596

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E510F2C\7zS0E510F2C.exe

Filesize
1.2MB

MD5
b54db15d63a62135e062d1fe6c976e48

SHA1
b5c953eb6b587b0c4754c3913941ecd20a9ed634

SHA256
76881d20515d3d80564c7a9b929478183a6fe1a18324a549a330d69f9ca829e3

SHA512
51b8ab9753d144760bcc2a76f9283b6b92d105e3ea25dba9fd11c3da3caed2c7154cd633f83c0d6f3b48327f3dc2f11767ce139d0fe1b992a3cf2919fcdb037f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E510F2C\FME.exe

Filesize
1.4MB

MD5
faf97b20932d084c24a9a8fedbe7c411

SHA1
916450cc9f7849d473ff43d2efcb407b91cd1032

SHA256
b4315573d40c93f155eb468ca03caf7c6bf9c86f58c3856afa7069bd23dbe684

SHA512
c089447d455d5a157df565f1d2f0ce279927f1f0dc0c4f0c596b3369ebe7177aee90d8bf490384d1dcdfde048cb12b3d68213fd5f920a5cc3a702f7dc0fdd7f2

Download Submit
\Users\Admin\AppData\Roaming\FMEV2\FME.exe

Filesize
1.4MB

MD5
faf97b20932d084c24a9a8fedbe7c411

SHA1
916450cc9f7849d473ff43d2efcb407b91cd1032

SHA256
b4315573d40c93f155eb468ca03caf7c6bf9c86f58c3856afa7069bd23dbe684

SHA512
c089447d455d5a157df565f1d2f0ce279927f1f0dc0c4f0c596b3369ebe7177aee90d8bf490384d1dcdfde048cb12b3d68213fd5f920a5cc3a702f7dc0fdd7f2

Download Submit
memory/520-66-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/520-72-0x0000000140000000-0x00000001409C3000-memory.dmp

Filesize
9.8MB

Download
memory/696-58-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads