42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
Size

116KB
MD5

bc855de407600be582e63e1340f12786
SHA1

9eed0af59ed5c2e9c84f1b8c05e74a70ead3e1a3
SHA256

42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019
SHA512

7d6048bfee8a28983dd5281a6f4cf44799685867a261beb9b29c6fc0735d40ef1a56c51c2564d39c677a5a500a4da728a7351af46de3c009d75442da5f6fe453
SSDEEP

1536:lZpxoV++We8Kw6KBOIW4Z8HO1Zwt0f4HeDUEdMOPy9sbgN2wo7JaS1:fp7+WefIr1ZNDUEdTwQL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fiiapoc.exe

Executes dropped EXE 1 IoCs

pid	Process
948	fiiapoc.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /Q"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /F"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /o"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /c"	fiiapoc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /w"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /e"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /P"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /M"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /N"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /Z"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /X"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /x"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /J"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /Y"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /K"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /r"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /L"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /n"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /a"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /W"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /i"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /b"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /h"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /y"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /T"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /s"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /r"	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /m"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /U"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /t"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /D"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /V"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /k"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /A"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /j"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /O"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /f"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /I"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /v"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /C"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /S"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /d"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /R"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /z"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /B"	fiiapoc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /l"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /u"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /p"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /q"	fiiapoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiiapoc = "C:\\Users\\Admin\\fiiapoc.exe /E"	fiiapoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe
948	fiiapoc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
948	fiiapoc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 948	1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe	27
PID 1956 wrote to memory of 948	1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe	27
PID 1956 wrote to memory of 948	1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe	27
PID 1956 wrote to memory of 948	1956	42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe	27

C:\Users\Admin\AppData\Local\Temp\42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe
"C:\Users\Admin\AppData\Local\Temp\42b6212a87d94e944b1989854d6a76e150a1526d09b7f1a4077e1abb81830019.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\fiiapoc.exe
  "C:\Users\Admin\fiiapoc.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fiiapoc.exe

Filesize
116KB

MD5
1569f7017b351d6062b296e5bf98d6d1

SHA1
7db07691c7e2b685c95742ba27be9656f8187e88

SHA256
839ecc314ac58c67577a6414b64f64f17314c22ca196f7e28f09e2dc4cd504c0

SHA512
9dad1751ee9a7a360fceaed8e7b3aba63ad83740b2642dbb2ad300c59ec7c9a7aba48f5191c516283f7519df33efc5e35b51516585c5d4ab4b45a80572be1bc1

Download Submit
C:\Users\Admin\fiiapoc.exe

Filesize
116KB

MD5
1569f7017b351d6062b296e5bf98d6d1

SHA1
7db07691c7e2b685c95742ba27be9656f8187e88

SHA256
839ecc314ac58c67577a6414b64f64f17314c22ca196f7e28f09e2dc4cd504c0

SHA512
9dad1751ee9a7a360fceaed8e7b3aba63ad83740b2642dbb2ad300c59ec7c9a7aba48f5191c516283f7519df33efc5e35b51516585c5d4ab4b45a80572be1bc1

Download Submit
\Users\Admin\fiiapoc.exe

Filesize
116KB

MD5
1569f7017b351d6062b296e5bf98d6d1

SHA1
7db07691c7e2b685c95742ba27be9656f8187e88

SHA256
839ecc314ac58c67577a6414b64f64f17314c22ca196f7e28f09e2dc4cd504c0

SHA512
9dad1751ee9a7a360fceaed8e7b3aba63ad83740b2642dbb2ad300c59ec7c9a7aba48f5191c516283f7519df33efc5e35b51516585c5d4ab4b45a80572be1bc1

Download Submit
\Users\Admin\fiiapoc.exe

Filesize
116KB

MD5
1569f7017b351d6062b296e5bf98d6d1

SHA1
7db07691c7e2b685c95742ba27be9656f8187e88

SHA256
839ecc314ac58c67577a6414b64f64f17314c22ca196f7e28f09e2dc4cd504c0

SHA512
9dad1751ee9a7a360fceaed8e7b3aba63ad83740b2642dbb2ad300c59ec7c9a7aba48f5191c516283f7519df33efc5e35b51516585c5d4ab4b45a80572be1bc1

Download Submit
memory/1956-56-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download