Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2022 23:03
Static task: static1
Behavioral task: behavioral1
- Sample: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
- Resource: win10v2004-20220812-en
General
- Target: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
- Size: 90KB
- MD5: 6e294fcc1cd9475d14bbcb752a1c2a00
- SHA1: e837a35ed5fb77b85b613ed6f9d51181f0dbe370
- SHA256: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e
- SHA512: 5d6f4103f997212432a138f1db45701c673ed9a0e5619136f504cdb4c3f1e7c5fc50373532685877368ce29f50755594ece4cae6a062938b1d8dfb261e4768ea
- SSDEEP: 1536:j/EOtUMnDUi8Tw/pmcqQxPHdQN543awuCIcv1kV7E0yWgx6k+xxg:jVtznD0c/EQFaQKrceV7EXqBxxg
Malware Config
Signatures
-
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  4848 | Hack Facebook.exe
-
Modifies Windows Firewall (1 TTPs, 1 IoCs)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\337410fe1de3aa7d2d73b9cb00bd0f85 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hack Facebook.exe\" .." | Hack Facebook.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\337410fe1de3aa7d2d73b9cb00bd0f85 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hack Facebook.exe\" .." | Hack Facebook.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4848 | Hack Facebook.exe
  Token: 33 | 4848 | Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege | 4848 | Hack Facebook.exe
  Token: 33 | 4848 | Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege | 4848 | Hack Facebook.exe
  Token: 33 | 4848 | Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege | 4848 | Hack Facebook.exe
  Token: 33 | 4848 | Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege | 4848 | Hack Facebook.exe
  Token: 33 | 4848 | Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege | 4848 | Hack Facebook.exe
  Token: 33 | 4848 | Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege | 4848 | Hack Facebook.exe
  Token: 33 | 4848 | Hack Facebook.exe
  Token: SeIncBasePriorityPrivilege | 4848 | Hack Facebook.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 1788 wrote to memory of 4848 | 1788 | 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe | Hack Facebook.exe
  PID 1788 wrote to memory of 4848 | 1788 | 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe | Hack Facebook.exe
  PID 1788 wrote to memory of 4848 | 1788 | 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe | Hack Facebook.exe
  PID 4848 wrote to memory of 4112 | 4848 | Hack Facebook.exe | netsh.exe
  PID 4848 wrote to memory of 4112 | 4848 | Hack Facebook.exe | netsh.exe
  PID 4848 wrote to memory of 4112 | 4848 | Hack Facebook.exe | netsh.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe" "Hack Facebook.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Hack Facebook.exe
Filesize: 90KB
MD5: 6e294fcc1cd9475d14bbcb752a1c2a00
SHA1: e837a35ed5fb77b85b613ed6f9d51181f0dbe370
SHA256: 138851849d5585aa75023fc00340be2ba7c14623329705c2fb9e81f746b3af4e
SHA512: 5d6f4103f997212432a138f1db45701c673ed9a0e5619136f504cdb4c3f1e7c5fc50373532685877368ce29f50755594ece4cae6a062938b1d8dfb261e4768ea
-
memory/1788-132-0x0000000000F40000-0x0000000000F5C000-memory.dmp
Filesize: 112KB
-
memory/1788-133-0x00000000080A0000-0x000000000813C000-memory.dmp
Filesize: 624KB
-
memory/1788-134-0x00000000087F0000-0x0000000008D94000-memory.dmp
Filesize: 5.6MB
-
memory/4112-138-0x0000000000000000-mapping.dmp
-
memory/4848-135-0x0000000000000000-mapping.dmp
-
memory/4848-139-0x0000000007E10000-0x0000000007EA2000-memory.dmp
Filesize: 584KB
-
memory/4848-140-0x0000000007DD0000-0x0000000007DDA000-memory.dmp
Filesize: 40KB