2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7

General

Target

2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe
Size

448KB
MD5

097e5826d08b829f6783b78543bdf39b
SHA1

6d0543798ad477a2bf1a7d7c55ab88b5e2191881
SHA256

2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7
SHA512

d2ebd28e29b7382f7a72d760cf9c7f7a71bde088c69ad72dedd48fdce644773fa94b1d2e5cd9ffab1fbe68c15423dfa39a47115b22d02343d6c29e319b583fef
SSDEEP

6144:G0Zp5zVX6No9bSF0Z+ZiylEkck1/bica9IEtv2LhTkH2c99aEvt:G0BzJ6OBS+5ylEkt1eIEtON4Wc9v

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1084	fcilfjevu.exe

Deletes itself 1 IoCs

pid	Process
964	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
964	cmd.exe
964	cmd.exe
1084	fcilfjevu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2028	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
520	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe
1084	fcilfjevu.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 964	2040	2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe	27
PID 2040 wrote to memory of 964	2040	2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe	27
PID 2040 wrote to memory of 964	2040	2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe	27
PID 2040 wrote to memory of 964	2040	2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe	27
PID 964 wrote to memory of 2028	964	cmd.exe	29
PID 964 wrote to memory of 2028	964	cmd.exe	29
PID 964 wrote to memory of 2028	964	cmd.exe	29
PID 964 wrote to memory of 2028	964	cmd.exe	29
PID 964 wrote to memory of 520	964	cmd.exe	31
PID 964 wrote to memory of 520	964	cmd.exe	31
PID 964 wrote to memory of 520	964	cmd.exe	31
PID 964 wrote to memory of 520	964	cmd.exe	31
PID 964 wrote to memory of 1084	964	cmd.exe	32
PID 964 wrote to memory of 1084	964	cmd.exe	32
PID 964 wrote to memory of 1084	964	cmd.exe	32
PID 964 wrote to memory of 1084	964	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe
"C:\Users\Admin\AppData\Local\Temp\2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2040 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7.exe" & start C:\Users\Admin\AppData\Local\FCILFJ~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2040
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:520
- - C:\Users\Admin\AppData\Local\fcilfjevu.exe
    C:\Users\Admin\AppData\Local\FCILFJ~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fcilfjevu.exe

Filesize
448KB

MD5
097e5826d08b829f6783b78543bdf39b

SHA1
6d0543798ad477a2bf1a7d7c55ab88b5e2191881

SHA256
2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7

SHA512
d2ebd28e29b7382f7a72d760cf9c7f7a71bde088c69ad72dedd48fdce644773fa94b1d2e5cd9ffab1fbe68c15423dfa39a47115b22d02343d6c29e319b583fef

Download Submit
C:\Users\Admin\AppData\Local\fcilfjevu.exe

Filesize
448KB

MD5
097e5826d08b829f6783b78543bdf39b

SHA1
6d0543798ad477a2bf1a7d7c55ab88b5e2191881

SHA256
2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7

SHA512
d2ebd28e29b7382f7a72d760cf9c7f7a71bde088c69ad72dedd48fdce644773fa94b1d2e5cd9ffab1fbe68c15423dfa39a47115b22d02343d6c29e319b583fef

Download Submit
\Users\Admin\AppData\Local\fcilfjevu.exe

Filesize
448KB

MD5
097e5826d08b829f6783b78543bdf39b

SHA1
6d0543798ad477a2bf1a7d7c55ab88b5e2191881

SHA256
2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7

SHA512
d2ebd28e29b7382f7a72d760cf9c7f7a71bde088c69ad72dedd48fdce644773fa94b1d2e5cd9ffab1fbe68c15423dfa39a47115b22d02343d6c29e319b583fef

Download Submit
\Users\Admin\AppData\Local\fcilfjevu.exe

Filesize
448KB

MD5
097e5826d08b829f6783b78543bdf39b

SHA1
6d0543798ad477a2bf1a7d7c55ab88b5e2191881

SHA256
2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7

SHA512
d2ebd28e29b7382f7a72d760cf9c7f7a71bde088c69ad72dedd48fdce644773fa94b1d2e5cd9ffab1fbe68c15423dfa39a47115b22d02343d6c29e319b583fef

Download Submit
\Users\Admin\AppData\Local\fcilfjevu.exe

Filesize
448KB

MD5
097e5826d08b829f6783b78543bdf39b

SHA1
6d0543798ad477a2bf1a7d7c55ab88b5e2191881

SHA256
2adb28df5ae5fe31f80498b8079c503799f6df6ffc6c9789f601bf73a51006e7

SHA512
d2ebd28e29b7382f7a72d760cf9c7f7a71bde088c69ad72dedd48fdce644773fa94b1d2e5cd9ffab1fbe68c15423dfa39a47115b22d02343d6c29e319b583fef

Download Submit
memory/520-58-0x0000000000000000-mapping.dmp

Download
memory/964-55-0x0000000000000000-mapping.dmp

Download
memory/1084-62-0x0000000000000000-mapping.dmp

Download
memory/1084-66-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1084-67-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2028-57-0x0000000000000000-mapping.dmp

Download
memory/2040-56-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/2040-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing