Analysis
- max time kernel: 91s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-09-2022 11:19
- Static task: static1
General
- Target: FPS BOOST V1.2.exe
- Size: 5.6MB
- MD5: 43b3f6b0372279b1979c5436cc95e81b
- SHA1: 2e423915abb7f2d0218d9242efb80c316807cc2d
- SHA256: 172b1b4196ed3fe45e2918e5203da55fe1442f84b233a4e73fdcb4ce5ae173d5
- SHA512: 9a16837d76ce2d753bd56efadcb2a9de4cc444e7ceb0440f145fd2cefe2963ebaeb69bdb0105ad619c8d33c651f36cc1f436f211ee0d045eb96d129c1271b0d8
- SSDEEP: 98304:bS73Dg1TPX2WE5FKkNJoOBCOz6IJd/EsTaMxv1h:bSzDghVEnlofAV5
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: this-france.at.playit.gg:5433
- Mutex: 08391501-f9bf-4d33-aed0-472eea26a9d6

- activate_away_mode: false
- backup_connection_host: this-france.at.playit.gg
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-07-06T10:40:06.892555136Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5433
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (= 10485760)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (= 10485760)
- mutex: 08391501-f9bf-4d33-aed0-472eea26a9d6
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: this-france.at.playit.gg
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid 4404  fps Boost.exe
  pid 1444  Host.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  FPS BOOST V1.2.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"  Host.exe
Note: the value lands in HKLM (machine-wide persistence, which needs administrative rights to write, in line with request_elevation and bypass_user_account_control being set in the config) and under WOW6432Node because Host.exe is a 32-bit process subject to registry redirection on this x64 image. When hunting for the "DDP Host" value, check both the native and the WOW6432Node Run keys.
-
Checks whether UAC is enabled 1 IoCs
Processes:
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Host.exe
-
Drops file in Program Files directory 14 IoCs
Processes:
  File created                  C:\Program Files (x86)\DDP Host\ddphost.exe  Host.exe
  File opened for modification  C:\Program Files (x86)\DDP Host\ddphost.exe  Host.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb  javaw.exe
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb  javaw.exe
Note: only the two ddphost.exe rows are a real drop, and only the first of them is a create. The twelve javaw.exe rows are the JRE probing for its own jvm.pdb and ntdll.pdb symbol files along the usual dbghelp search order (the module directory, then dll\ and symbols\dll\ beneath it, repeated for bin\server\); they are JVM noise, not payload writes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic sandbox heuristic. Nothing else in this report (file activity included) shows encryption or ransom-note behaviour, and the extracted config identifies the payload as a NanoCore RAT.
-
-
Modifies registry class 1 IoCs
Processes:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  FPS BOOST V1.2.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid 1444  Host.exe  (6 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 1444  Host.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege  pid 1444  Host.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  PID 4828 (FPS BOOST V1.2.exe) wrote to memory of PID 4404 (fps Boost.exe)  x3
  PID 4404 (fps Boost.exe) wrote to memory of PID 4992 (javaw.exe)  x2
  PID 4828 (FPS BOOST V1.2.exe) wrote to memory of PID 1444 (Host.exe)  x3
Every source/target pair here is a parent writing into a child it has just spawned (compare the process tree below); no write into an unrelated, pre-existing process is recorded, so this signature on its own is weak evidence of injection.
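The indicators collected above (a JVM launched with an .exe as its class path, a %TEMP% binary creating files under Program Files (x86) and registering a WOW6432Node Run key, and the C2 host and port from the extracted config) can be turned into host-level detection logic. The following Python is an added example and not part of the sandbox report or of any vendor tooling: the event records are constructed, simplified stand-ins for Sysmon process/file/registry/network events modelled on the IoCs in this report (the network event in particular is invented, since the report's Network section is empty), and the rule names are my own.

```python
"""Added example (not part of the sandbox report): turn the IoCs above into
detection rules and run them over constructed Sysmon-style events."""
import re

# Indicators copied from the extracted NanoCore config and the signatures above.
C2_HOSTS = {"this-france.at.playit.gg"}
C2_PORT = 5433
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
CLASSPATH_EXE_RE = re.compile(r'-classpath\s+"([^"]+\.exe)"', re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"
BS = "\\"


def rule_java_classpath_exe(ev):
    """java/javaw launched with a .exe as its class path: the JVM opens that
    file as a JAR, so the PE extension is cosmetic (fps Boost.exe above)."""
    if ev["type"] != "process_create":
        return None
    if not ev["image"].lower().endswith(("\\javaw.exe", "\\java.exe")):
        return None
    m = CLASSPATH_EXE_RE.search(ev["cmdline"])
    return f"JVM class path is an .exe: {m.group(1)}" if m else None


def rule_temp_binary_drops_into_program_files(ev):
    """A binary running from %TEMP% creating files under Program Files."""
    if ev["type"] != "file_create":
        return None
    if TEMP_DIR in ev["image"].lower() and ev["path"].lower().startswith("c:\\program files"):
        return f"{ev['image']} created {ev['path']}"
    return None


def rule_run_key_to_program_files(ev):
    """Run-key persistence written by a %TEMP% binary and pointing into
    Program Files (the DDP Host entry above). The key regex matches the
    native and the WOW6432Node view alike."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    target = ev["data"].lower().strip('"')
    if "\\program files" in target and TEMP_DIR in ev["image"].lower():
        name = ev["key"].split(BS)[-1]
        return f"Run value {name!r} -> {ev['data']}"
    return None


def rule_c2_connection(ev):
    """Outbound connection to the primary/backup host or port from the config."""
    if ev["type"] != "network_connect":
        return None
    if ev["dest_host"].lower() in C2_HOSTS or ev["dest_port"] == C2_PORT:
        return f"{ev['image']} -> {ev['dest_host']}:{ev['dest_port']}"
    return None


RULES = [rule_java_classpath_exe, rule_temp_binary_drops_into_program_files,
         rule_run_key_to_program_files, rule_c2_connection]


def scan(events):
    """Return one (rule_name, pid, detail) tuple per rule hit, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev["pid"], detail))
    return hits


# Constructed events modelled on the process tree and IoCs in this report
# (simplified Sysmon EventID 1 / 11 / 13 / 3 records). The network event is
# invented for illustration: the report's own Network section is empty.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4992,
     "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Dfile.encoding=UTF-8 '
                r'-classpath "C:\Users\Admin\AppData\Local\Temp\fps Boost.exe" '
                r'org.develnext.jphp.ext.javafx.FXLauncher'},
    {"type": "file_create", "pid": 1444, "image": r"C:\Users\Admin\AppData\Local\Temp\Host.exe",
     "path": r"C:\Program Files (x86)\DDP Host\ddphost.exe"},
    {"type": "registry_set", "pid": 1444, "image": r"C:\Users\Admin\AppData\Local\Temp\Host.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host",
     "data": r'"C:\Program Files (x86)\DDP Host\ddphost.exe"'},
    {"type": "network_connect", "pid": 1444, "image": r"C:\Users\Admin\AppData\Local\Temp\Host.exe",
     "dest_host": "this-france.at.playit.gg", "dest_port": 5433},
    {"type": "process_create", "pid": 7000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign control event, must not fire
]

if __name__ == "__main__":
    for name, pid, detail in scan(SAMPLE_EVENTS):
        print(f"{name:45} pid={pid} {detail}")
```

The rules are deliberately behavioural rather than hash-based: the dropped Host.exe and fps Boost.exe hashes listed under Downloads will change with the next build, while a JVM fed an .exe class path, a %TEMP% binary writing into Program Files, and a Run value pointing there survive rebuilds.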
Processes
-
[1] "C:\Users\Admin\AppData\Local\Temp\FPS BOOST V1.2.exe"  (PID 4828)
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  -
  [2] "C:\Users\Admin\AppData\Local\Temp\fps Boost.exe"  (PID 4404)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    -
    [3] "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\fps Boost.exe" org.develnext.jphp.ext.javafx.FXLauncher  (PID 4992)
      - Drops file in Program Files directory
  -
  [2] "C:\Users\Admin\AppData\Local\Temp\Host.exe"  (PID 1444)
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
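The javaw.exe command line at depth [3] passes fps Boost.exe as its -classpath entry. The JVM treats any non-directory class-path entry as a ZIP/JAR regardless of extension, so that ".exe" is a container to be opened, not a PE to be disassembled, and the launcher class on the command line (org.develnext.jphp.ext.javafx.FXLauncher) is the entry point of a JPHP/DevelNext-built application. The following Python is an added example, not taken from the report: it is the first check a triager would run on such a file, classifying a blob by what actually parses, reading the JAR manifest, and also catching the case where a genuine PE stub has a JAR appended (both headers present). The archives it builds are constructed in memory and say nothing about the real fps Boost.exe contents; build_sample, inspect_container and parse_manifest are names of my own.

```python
"""Added example (not part of the sandbox report): decide what a dropped
'.exe' really is before choosing tools, and read the manifest if it is a JAR."""
import io
import zipfile

PE_MAGIC = b"MZ"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Minimal parser for a JAR manifest: 'Name: value' lines, with
    continuation lines that start with a single space."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_container(data):
    """Classify a blob by what actually parses rather than by its extension.
    zipfile locates the central directory from the end of the file, so a JAR
    glued behind a PE stub is still found and reported as a polyglot."""
    info = {"is_pe": data.startswith(PE_MAGIC), "is_zip": False,
            "entries": [], "classes": 0, "main_class": None}
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        info["is_zip"] = True
        with zipfile.ZipFile(buf) as zf:
            info["entries"] = zf.namelist()
            info["classes"] = sum(n.endswith(".class") for n in info["entries"])
            if MANIFEST in info["entries"]:
                text = zf.read(MANIFEST).decode("utf-8", "replace")
                info["main_class"] = parse_manifest(text).get("Main-Class")
    if info["is_pe"] and info["is_zip"]:
        info["kind"] = "pe+jar polyglot" if info["classes"] else "pe+zip polyglot"
    elif info["is_zip"]:
        info["kind"] = "jar" if info["classes"] else "zip"
    elif info["is_pe"]:
        info["kind"] = "pe"
    else:
        info["kind"] = "unknown"
    return info


def build_sample(main_class, pe_stub=b""):
    """Constructed test input: a tiny JAR, optionally glued behind a fake PE
    stub. The class file is a header only and is never meant to load."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        zf.writestr(main_class.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe" + bytes(12))
    return pe_stub + buf.getvalue()


if __name__ == "__main__":
    # The launcher class is the one named on the javaw.exe command line above;
    # the archive contents are constructed, not taken from fps Boost.exe.
    samples = [
        ("renamed jar", build_sample("org.develnext.jphp.ext.javafx.FXLauncher")),
        ("pe stub + jar", build_sample("a.B", pe_stub=PE_MAGIC + bytes(200))),
        ("plain pe", PE_MAGIC + bytes(64)),
    ]
    for label, blob in samples:
        r = inspect_container(blob)
        print(f"{label:14} kind={r['kind']:16} main_class={r['main_class']}")
```

Run it against the dropped file itself with inspect_container(open(path, "rb").read()); a result of "jar" means the next tools are a ZIP lister and a Java decompiler (and, for JPHP applications, the bundled PHP sources inside the archive), not a PE parser, while "pe+jar polyglot" means both the stub and the archive need a look.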
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Host.exe
  Filesize: 209KB
  MD5: 221ecab58265b79e3d97194221086fa4
  SHA1: 419df93c4c839fea14ff64a145ba1068c2a5cf58
  SHA256: c310539c980e3124593e9c499cefcd3b6ce5873b3dd10c30800f22533bb382ed
  SHA512: 1666c773d57d188e74762f62eddb115e92cbad00d19f2e7380c1becd8eff350e6a4f6ac41052e38de51d2af17963e506e98bbe43cd5b0541365154204c3341ab
-
C:\Users\Admin\AppData\Local\Temp\fps Boost.exe
  Filesize: 3.3MB
  MD5: 7d9c85a11d773f2ba1512845b50ceccf
  SHA1: ddc233cef3698a3fa1fc50ed29ad2c0c82a6c8d9
  SHA256: 2ad82df832d5150b9f33abc658f9254b152fa993752b17bd545d25ff09dfc224
  SHA512: 4b790b04ac0424f70a878a91e646856e85a71a1cd293a2f33d61f13a7448fc7373f313cc3616a72303b10f1178c795bd773d39e834270184e43e18a10b469ffc
-
memory/1444-143-0x0000000000000000-mapping.dmp
-
memory/1444-157-0x0000000074B30000-0x00000000750E1000-memory.dmp  Filesize: 5.7MB
-
memory/1444-159-0x0000000074B30000-0x00000000750E1000-memory.dmp  Filesize: 5.7MB
-
memory/4404-133-0x0000000000000000-mapping.dmp
-
memory/4828-132-0x0000000000400000-0x00000000009A3000-memory.dmp  Filesize: 5.6MB
-
memory/4992-141-0x0000000002C10000-0x0000000003C10000-memory.dmp  Filesize: 16.0MB
-
memory/4992-136-0x0000000000000000-mapping.dmp
-
memory/4992-158-0x0000000002C10000-0x0000000003C10000-memory.dmp  Filesize: 16.0MB
-
memory/4992-160-0x0000000002C10000-0x0000000003C10000-memory.dmp  Filesize: 16.0MB