Analysis
Max time kernel: 112s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-09-2022 16:45
Static task: static1
Behavioral task behavioral1: sample FOCVIVH.exe on resource win7-20220901-en
Behavioral task behavioral2: sample FOCVIVH.exe on resource win10v2004-20220812-en
General
Target: FOCVIVH.exe
Size: 3.5MB
MD5: 85c27c29bcd669111e83ece79e7e0a62
SHA1: 24cb399e0de0896709242e3e2cc2b0435d5c206e
SHA256: c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9
SHA512: 9d01e2e090c553f3de1a85300f7faa36cee4a4e135ec47854529aaa1fe2fd2e0313b8202dbf875b6cc21e0a1ec46d1c1d379563ad7560470dd0a246c8bae7e99
SSDEEP: 24576:DqkwrOTxquuoM1iHVHv/Rkelbl1RWuetgVR04suAKluiCionxi3tWEvvbwDiqBQd:4uuoBVH7XRWFIDpkdj
Malware Config
Extracted
Family: raccoon
Identifier: 9b19cf60d9bdf65b8a2495aa965456c3
C2: http://5.2.70.65/
Signatures

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  PID 4040  GfH3GWa6.exe
  PID 3564  Nela nahaseti bakibaf_hixog diquoc mexi.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  GfH3GWa6.exe queried key value \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Loads dropped DLL (3 IoCs)
Processes:
  PID 4200  vbc.exe (3 loads)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Uses the VBS compiler for execution (1 TTP)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1740 FOCVIVH.exe set the thread context of PID 4200 vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  PID 4040  GfH3GWa6.exe (10 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 1740  FOCVIVH.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (source -> target, number of writes):
  PID 1740 FOCVIVH.exe -> PID 4200 vbc.exe (9)
  PID 4200 vbc.exe -> PID 4040 GfH3GWa6.exe (3)
  PID 4040 GfH3GWa6.exe -> PID 3724 schtasks.exe (3)
  PID 4040 GfH3GWa6.exe -> PID 3564 Nela nahaseti bakibaf_hixog diquoc mexi.exe (3)
  PID 4040 GfH3GWa6.exe -> PID 4536 cmd.exe (3)
  PID 4536 cmd.exe -> PID 1292 chcp.com (3)
  PID 4536 cmd.exe -> PID 3212 PING.EXE (3)
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\FOCVIVH.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\FOCVIVH.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe
    Command line: "C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
      - Creates scheduled task(s)

      C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
      Command line: "C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
      - Executes dropped EXE

      C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001

        C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        - Runs ping.exe
Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize: 612KB
MD5: f07d9977430e762b563eaadc2b94bbfa
SHA1: da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA256: 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA512: 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

C:\Users\Admin\AppData\LocalLow\nss3.dll
Filesize: 1.9MB
MD5: f67d08e8c02574cbc2f1122c53bfb976
SHA1: 6522992957e7e4d074947cad63189f308a80fcf2
SHA256: c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA512: 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

C:\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize: 1.0MB
MD5: dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1: bbac1dd8a07c6069415c04b62747d794736d0689
SHA256: 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512: b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

C:\Users\Admin\AppData\Roaming\GfH3GWa6.exe
Filesize: 1.7MB
MD5: 8cfa1da0104d3f7a83d30cd97e53b2f2
SHA1: 968fecb371720afca1bd528287ca83407129cfc7
SHA256: 897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15
SHA512: e914253b96c46ecb36e212d4bbe50d2614c5ccb29f5274a63bf063833e9616c813c75e5d484ea674e330ff445e6d51dc0cbbdff021a21b982a72dfc69be66356

C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
(the same path was observed twice with different sizes and hashes)
Filesize: 371.9MB
MD5: 9c953c410f5ac656773d7f18b3e8b7e0
SHA1: b68cf5147e848e810ed1a26248d3bf79137cef5c
SHA256: d70b128c7dd6b160b606c3f333780aee22c92dbd7a835bbf1adddb307a6293a4
SHA512: d9bc6133eabd8fda8255a110f65916b5df98ef7c583d98d84bff1ed36ccaef9fc5489a4b0bd7c787af1381ca51abc858e9984a36d4e8469a2f2b5a600def30ca

C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
Filesize: 367.8MB
MD5: c2a537bac20fd16448579bd07b8afeb8
SHA1: ad0fb642b36f0c4f8fc7d24ede04a68fe08bd2b6
SHA256: 001934ae24ec4682243f1a5a70b5b88e01b73828bb0411e3952c5d5c6aee3fb2
SHA512: 18f9da24cc3245effa451a7e8bbf274180399dbc8ebd00068ba50ef4d206e6c42ae09fcaf18196e8a2896f6ade032074e76788685ad151031cdfd6494f508395