f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 23:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
Size

979KB
MD5

6b4fc3f65c734d92f7f09b0ea586e4a0
SHA1

b796e37b95d121c7079b2f31510d3967749dd0b1
SHA256

f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d
SHA512

5819ca76e658ace9cd9408639f22c543b6cfc06580bbcf14c4d21ba44c0a8b1cbe12901379810a27cd87c577e5bae5582c45babfebb52c6b9ee22ef5a1707b8a
SSDEEP

24576:3NBIc3Nj/ptB57KoYnjQt7ZvwHXbKOxqhmy1E:Ag5RtBwDjStw3NoI

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3152	XFilesHack.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0005000000022e2a-133.dat	vmprotect
behavioral2/memory/3152-134-0x0000000000730000-0x0000000000788000-memory.dmp	vmprotect
behavioral2/files/0x0005000000022e2a-135.dat	vmprotect
behavioral2/memory/3152-144-0x0000000000730000-0x0000000000788000-memory.dmp	vmprotect
behavioral2/memory/3152-146-0x0000000000730000-0x0000000000788000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe

Loads dropped DLL 4 IoCs

pid	Process
3152	XFilesHack.exe
3152	XFilesHack.exe
3152	XFilesHack.exe
3152	XFilesHack.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\XFilesHack\2.0	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File created	C:\Windows\SysWOW64\XFilesHack\2.0\XFilesHack.exe	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File created	C:\Windows\SysWOW64\XFilesHack\2.0\zlib1.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File opened for modification	C:\Windows\SysWOW64\XFilesHack\2.0\zlib1.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File opened for modification	C:\Windows\SysWOW64\XFilesHack\2.0\msvcp100.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File opened for modification	C:\Windows\SysWOW64\XFilesHack\2.0\msvcr100.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File opened for modification	C:\Windows\SysWOW64\XFilesHack\2.0\FahmyXFiles.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File opened for modification	C:\Windows\SysWOW64\XFilesHack	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File created	C:\Windows\SysWOW64\XFilesHack\2.0\__tmp_rar_sfx_access_check_240573546	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File opened for modification	C:\Windows\SysWOW64\XFilesHack\2.0\XFilesHack.exe	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File created	C:\Windows\SysWOW64\XFilesHack\2.0\msvcp100.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File created	C:\Windows\SysWOW64\XFilesHack\2.0\libcurl.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File opened for modification	C:\Windows\SysWOW64\XFilesHack\2.0\libcurl.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File created	C:\Windows\SysWOW64\XFilesHack\2.0\msvcr100.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
File created	C:\Windows\SysWOW64\XFilesHack\2.0\FahmyXFiles.dll	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3152	XFilesHack.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\5ca5452nsda.000	XFilesHack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3152	5004	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe	83
PID 5004 wrote to memory of 3152	5004	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe	83
PID 5004 wrote to memory of 3152	5004	f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe	83

C:\Users\Admin\AppData\Local\Temp\f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe
"C:\Users\Admin\AppData\Local\Temp\f5034eb24cd8cdf06921e03fc3147f012199d7dc00ac4da39417be7bf02be50d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\XFilesHack\2.0\XFilesHack.exe
  "C:\Windows\system32\XFilesHack\2.0\XFilesHack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\XFilesHack\2.0\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\XFilesHack.exe

Filesize
192KB

MD5
165c8b03bd9d2e4ae6585ce5f6709e39

SHA1
ab819340411b39d7270dead8f102986970b542ab

SHA256
47ffebb38d417ed3b6226ace93842ee973af59b1e255a8b62acfdd9f4006d7fe

SHA512
cec4e60853195921cc2bc0e2269c9cb50c702769c91d22d8ec476666eeac8b632c17a22c0d79022abfb5e3f7555e6d6cda0e4b94f656f7eb5882a3c6210affd8

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\XFilesHack.exe

Filesize
192KB

MD5
165c8b03bd9d2e4ae6585ce5f6709e39

SHA1
ab819340411b39d7270dead8f102986970b542ab

SHA256
47ffebb38d417ed3b6226ace93842ee973af59b1e255a8b62acfdd9f4006d7fe

SHA512
cec4e60853195921cc2bc0e2269c9cb50c702769c91d22d8ec476666eeac8b632c17a22c0d79022abfb5e3f7555e6d6cda0e4b94f656f7eb5882a3c6210affd8

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\libcurl.dll

Filesize
264KB

MD5
d0f3b3aaa109a1ea8978c83d23055eb1

SHA1
c975f714d414a259980b94f9bba67b2d680740de

SHA256
433dc95e1f1c822033424c993c0a731edd12a0cdf0185a2efaa50da4515076b5

SHA512
6283ba2aa068202a75025ea88f266fd2a34ea175f318cc017c70b61d5055765d60f91142baa538cc6aff206412a5c425a6a06cb1bfef9046eba29269f6e61883

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\libcurl.dll

Filesize
264KB

MD5
d0f3b3aaa109a1ea8978c83d23055eb1

SHA1
c975f714d414a259980b94f9bba67b2d680740de

SHA256
433dc95e1f1c822033424c993c0a731edd12a0cdf0185a2efaa50da4515076b5

SHA512
6283ba2aa068202a75025ea88f266fd2a34ea175f318cc017c70b61d5055765d60f91142baa538cc6aff206412a5c425a6a06cb1bfef9046eba29269f6e61883

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\msvcp100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\zlib1.dll

Filesize
105KB

MD5
b8a9e91134e7c89440a0f95470d5e47b

SHA1
3cbcee30fc0a7e9807931bc0dafceb627042bfc9

SHA256
42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71

SHA512
e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54

Download Submit
C:\Windows\SysWOW64\XFilesHack\2.0\zlib1.dll

Filesize
105KB

MD5
b8a9e91134e7c89440a0f95470d5e47b

SHA1
3cbcee30fc0a7e9807931bc0dafceb627042bfc9

SHA256
42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71

SHA512
e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54

Download Submit
memory/3152-134-0x0000000000730000-0x0000000000788000-memory.dmp

Filesize
352KB

Download
memory/3152-144-0x0000000000730000-0x0000000000788000-memory.dmp

Filesize
352KB

Download
memory/3152-146-0x0000000000730000-0x0000000000788000-memory.dmp

Filesize
352KB

Download