2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4

General

Target

2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe
Size

365KB
MD5

68727d080db2933e5bb9ea931e6e23b0
SHA1

6ce32880b98ee1489b84fc472788c01c8e251ee8
SHA256

2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4
SHA512

62babc930f5f6a62307e16712210b8005ca0ba614659621b758a5f86364b55c0a766c9231436b91e38a562ac06086bff51a9789220de16e157808b908ef50494
SSDEEP

6144:b1dlZro5yHSAXzTdsb8NrYz47BD7b9CBIhYiH2go3CO/T8vh85RdvKfkIgaPeHdg:b1dlZo5yxTO+k8D7bY62Ah88xzWHu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2012	facebook hac.exe
216	svhost.exe
8	real.scr

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3944	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	facebook hac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35d1703cd61867afaf567473dc316f87.exe	svhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\35d1703cd61867afaf567473dc316f87.exe	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\35d1703cd61867afaf567473dc316f87 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\35d1703cd61867afaf567473dc316f87 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe
216	svhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	svhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2012	4364	2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe	83
PID 4364 wrote to memory of 2012	4364	2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe	83
PID 4364 wrote to memory of 2012	4364	2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe	83
PID 2012 wrote to memory of 216	2012	facebook hac.exe	85
PID 2012 wrote to memory of 216	2012	facebook hac.exe	85
PID 2012 wrote to memory of 216	2012	facebook hac.exe	85
PID 216 wrote to memory of 3944	216	svhost.exe	88
PID 216 wrote to memory of 3944	216	svhost.exe	88
PID 216 wrote to memory of 3944	216	svhost.exe	88
PID 4364 wrote to memory of 8	4364	2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe	89
PID 4364 wrote to memory of 8	4364	2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe	89
PID 4364 wrote to memory of 8	4364	2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe	89

C:\Users\Admin\AppData\Local\Temp\2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe
"C:\Users\Admin\AppData\Local\Temp\2ddc5657382c3540f398bcd54109e224cc8f6fd0d03e14e6d0c721a46941eee4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Extracted\facebook hac.exe
  "C:\Extracted\facebook hac.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3944
- C:\Extracted\real.scr
  "C:\Extracted\real.scr" /S
  2⤵
  - Executes dropped EXE
  PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\facebook hac.exe

Filesize
211KB

MD5
5e76dd872e87ad0dfa7aa9724f6a66d7

SHA1
9171d5c19186b22c347dbb7a613cb808154e5d76

SHA256
3a2225c297782aae4c39370ece666fdb65ed8cd4e40143d548749997b62ed2eb

SHA512
fd670d2130b49649859af49180ee11f040c6912bd211f9962d660ca90da8606fa71d098aa4a08911be7c88df620a69a93b0a883b8d26ae69caae97c4bf947bed

Download Submit
C:\Extracted\facebook hac.exe

Filesize
211KB

MD5
5e76dd872e87ad0dfa7aa9724f6a66d7

SHA1
9171d5c19186b22c347dbb7a613cb808154e5d76

SHA256
3a2225c297782aae4c39370ece666fdb65ed8cd4e40143d548749997b62ed2eb

SHA512
fd670d2130b49649859af49180ee11f040c6912bd211f9962d660ca90da8606fa71d098aa4a08911be7c88df620a69a93b0a883b8d26ae69caae97c4bf947bed

Download Submit
C:\Extracted\real.scr

Filesize
755KB

MD5
42690e17a49e06d0e174c46d906d6b2f

SHA1
49b9c95afab9f6a314b87ae5172463f31b6d769d

SHA256
8cf11229d5080c85f258915f15c72dd7b91a70d7d333ab036d28ba47cb993beb

SHA512
27d9fbadabdc3430694747a5f2759b07da0386d9f3c2bd834157a57f084e63b6d8796ffbaed8f942c8d25d532d9c280a80f2d0e0603a9924f1f4b67cb77db9ff

Download Submit
C:\Extracted\real.scr

Filesize
755KB

MD5
42690e17a49e06d0e174c46d906d6b2f

SHA1
49b9c95afab9f6a314b87ae5172463f31b6d769d

SHA256
8cf11229d5080c85f258915f15c72dd7b91a70d7d333ab036d28ba47cb993beb

SHA512
27d9fbadabdc3430694747a5f2759b07da0386d9f3c2bd834157a57f084e63b6d8796ffbaed8f942c8d25d532d9c280a80f2d0e0603a9924f1f4b67cb77db9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
211KB

MD5
5e76dd872e87ad0dfa7aa9724f6a66d7

SHA1
9171d5c19186b22c347dbb7a613cb808154e5d76

SHA256
3a2225c297782aae4c39370ece666fdb65ed8cd4e40143d548749997b62ed2eb

SHA512
fd670d2130b49649859af49180ee11f040c6912bd211f9962d660ca90da8606fa71d098aa4a08911be7c88df620a69a93b0a883b8d26ae69caae97c4bf947bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
211KB

MD5
5e76dd872e87ad0dfa7aa9724f6a66d7

SHA1
9171d5c19186b22c347dbb7a613cb808154e5d76

SHA256
3a2225c297782aae4c39370ece666fdb65ed8cd4e40143d548749997b62ed2eb

SHA512
fd670d2130b49649859af49180ee11f040c6912bd211f9962d660ca90da8606fa71d098aa4a08911be7c88df620a69a93b0a883b8d26ae69caae97c4bf947bed

Download Submit
memory/8-146-0x0000000000509000-0x000000000050E000-memory.dmp

Filesize
20KB

Download
memory/8-147-0x0000000000509000-0x000000000050E000-memory.dmp

Filesize
20KB

Download
memory/8-148-0x0000000000509000-0x000000000050E000-memory.dmp

Filesize
20KB

Download
memory/8-149-0x0000000000509000-0x000000000050E000-memory.dmp

Filesize
20KB

Download
memory/216-140-0x0000000073370000-0x0000000073921000-memory.dmp

Filesize
5.7MB

Download
memory/216-150-0x0000000073370000-0x0000000073921000-memory.dmp

Filesize
5.7MB

Download
memory/2012-142-0x0000000073370000-0x0000000073921000-memory.dmp

Filesize
5.7MB

Download
memory/2012-136-0x0000000073370000-0x0000000073921000-memory.dmp

Filesize
5.7MB

Download
memory/2012-135-0x0000000073370000-0x0000000073921000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing