cc0dda64461cfc4a81291cab7fbf1b5fb60e288d5a5587108fb8f2f9381fdf7f

General

Target

CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
Size

469KB
MD5

e8c534e58ab2b4959830d1f7e695e133
SHA1

01085c7b92329a6fa6995fdc1569a37218cd024b
SHA256

cc0dda64461cfc4a81291cab7fbf1b5fb60e288d5a5587108fb8f2f9381fdf7f
SHA512

94dbacca6a7fd1e14dd2327fab0a4f4e4e2f2f713a40adc1ad11549c134af3c57126786eef9474b3410e5a11360037dc175624289221601098fe74552a5c18ba
SSDEEP

6144:m7IaUaM8HGFHp1fQNXAsZRzK4+rLL447qvOeB6f8vkPclAMDkM7pPOQMLeX5e98F:mv6f8cPw9IWmlLh6bZq7t

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

facaboooke.exe

pid process

1968 facaboooke.exe

pid	process
1968	facaboooke.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

504 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3320 timeout.exe

pid	process
504	schtasks.exe

pid	process
3320	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe

pid	process
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exefacaboooke.exe

description pid process

Token: SeDebugPrivilege 2180 CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
Token: SeDebugPrivilege 1968 facaboooke.exe

description	pid	process
Token: SeDebugPrivilege	2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
Token: SeDebugPrivilege	1968	facaboooke.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.execmd.execmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 1124	2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe	cmd.exe
PID 2180 wrote to memory of 1124	2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe	cmd.exe
PID 2180 wrote to memory of 1124	2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe	cmd.exe
PID 2180 wrote to memory of 1624	2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe	cmd.exe
PID 2180 wrote to memory of 1624	2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe	cmd.exe
PID 2180 wrote to memory of 1624	2180	CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe	cmd.exe
PID 1124 wrote to memory of 504	1124	cmd.exe	schtasks.exe
PID 1124 wrote to memory of 504	1124	cmd.exe	schtasks.exe
PID 1124 wrote to memory of 504	1124	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 3320	1624	cmd.exe	timeout.exe
PID 1624 wrote to memory of 3320	1624	cmd.exe	timeout.exe
PID 1624 wrote to memory of 3320	1624	cmd.exe	timeout.exe
PID 1624 wrote to memory of 1968	1624	cmd.exe	facaboooke.exe
PID 1624 wrote to memory of 1968	1624	cmd.exe	facaboooke.exe
PID 1624 wrote to memory of 1968	1624	cmd.exe	facaboooke.exe

C:\Users\Admin\AppData\Local\Temp\CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe
"C:\Users\Admin\AppData\Local\Temp\CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558 /tr '"C:\Users\Admin\AppData\Roaming\facaboooke.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn CC0DDA64461CFC4A81291CAB7FBF1B5FB60E288D5A558 /tr '"C:\Users\Admin\AppData\Roaming\facaboooke.exe"'
3⤵
- Creates scheduled task(s)
PID:504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEDC0.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3320

C:\Users\Admin\AppData\Roaming\facaboooke.exe
"C:\Users\Admin\AppData\Roaming\facaboooke.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEDC0.tmp.bat
Filesize
154B

MD5
5fa84df623abffc048b8c94e35f61c3a

SHA1
6cd4a6f2c830c74ff12d73dfd958d08129004739

SHA256
667d409f80d9df06124ca8a1deb5443897b91b2dd4f24ce78828a3d686809589

SHA512
fc1c87f0f9c6439659ed6c5400154134c3934c599dcb1e7d5f07c1d76a20c8985c56f9c27ce25b938e88e8372c130a5c03dbc006ce97ab42ac09948a72cf2702

Download Submit
C:\Users\Admin\AppData\Roaming\facaboooke.exe
Filesize
469KB

MD5
e8c534e58ab2b4959830d1f7e695e133

SHA1
01085c7b92329a6fa6995fdc1569a37218cd024b

SHA256
cc0dda64461cfc4a81291cab7fbf1b5fb60e288d5a5587108fb8f2f9381fdf7f

SHA512
94dbacca6a7fd1e14dd2327fab0a4f4e4e2f2f713a40adc1ad11549c134af3c57126786eef9474b3410e5a11360037dc175624289221601098fe74552a5c18ba

Download Submit
C:\Users\Admin\AppData\Roaming\facaboooke.exe
Filesize
469KB

MD5
e8c534e58ab2b4959830d1f7e695e133

SHA1
01085c7b92329a6fa6995fdc1569a37218cd024b

SHA256
cc0dda64461cfc4a81291cab7fbf1b5fb60e288d5a5587108fb8f2f9381fdf7f

SHA512
94dbacca6a7fd1e14dd2327fab0a4f4e4e2f2f713a40adc1ad11549c134af3c57126786eef9474b3410e5a11360037dc175624289221601098fe74552a5c18ba

Download Submit
memory/504-139-0x0000000000000000-mapping.dmp

Download
memory/1124-136-0x0000000000000000-mapping.dmp

Download
memory/1624-137-0x0000000000000000-mapping.dmp

Download
memory/1968-141-0x0000000000000000-mapping.dmp

Download
memory/1968-144-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/2180-135-0x00000000059C0000-0x0000000005A5C000-memory.dmp

Filesize
624KB

Download
memory/2180-132-0x0000000000E70000-0x0000000000EEA000-memory.dmp

Filesize
488KB

Download
memory/2180-134-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/2180-133-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/3320-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads