487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef

General

Target

487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe
Size

526KB
MD5

a26fc8978ce4ccf4dba649ea97d30cf0
SHA1

d7d053844e3b49ba32aae8da138e7038ad358525
SHA256

487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef
SHA512

42666ee91a73da4cb93fea845d9fd9e4f963b3667672b7520dd70315e71c3e7db34d2b8f0ba8d27bd14b1fe95530b261ef81e8a269aae238d686d3d085069cc1
SSDEEP

12288:+2yIkq55Y3P7u4xxBDaVFfR4dq5hc8xGJSDNndQQ:+xIH55A592L4ozbeSDNKQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4756	3fsop2798FS.exe
4808	4fsop2798FS.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2288	4756	WerFault.exe	81
2808	4756	WerFault.exe	81

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4808	4fsop2798FS.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	4fsop2798FS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 4756	4336	487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe	81
PID 4336 wrote to memory of 4756	4336	487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe	81
PID 4336 wrote to memory of 4756	4336	487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe	81
PID 4336 wrote to memory of 4808	4336	487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe	82
PID 4336 wrote to memory of 4808	4336	487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe	82
PID 4336 wrote to memory of 4808	4336	487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe	82
PID 4756 wrote to memory of 2288	4756	3fsop2798FS.exe	86
PID 4756 wrote to memory of 2288	4756	3fsop2798FS.exe	86
PID 4756 wrote to memory of 2288	4756	3fsop2798FS.exe	86

C:\Users\Admin\AppData\Local\Temp\487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe
"C:\Users\Admin\AppData\Local\Temp\487bd485166f31de81edd92dca5b44355aef12ea51b7c27ac2013fc5852afbef.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Users\Admin\AppData\Roaming\3fsop2798FS.exe
  "C:\Users\Admin\AppData\Roaming\3fsop2798FS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 824
    3⤵
    - Program crash
    PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 824
    3⤵
    - Program crash
    PID:2808
- C:\Users\Admin\AppData\Roaming\4fsop2798FS.exe
  "C:\Users\Admin\AppData\Roaming\4fsop2798FS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4756 -ip 4756
1⤵
PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3fsop2798FS.exe

Filesize
31KB

MD5
32fa510705144746d72d7da997322620

SHA1
4253109a05f332dc4b23d7701e6b9dacd95563ed

SHA256
1d72500284a97f99616e31e1a5cdd545972f94a773c0369b5a9792a56e0796ed

SHA512
22be6b5d34e91c1ce52f5e1e225451af4454929c82c4821760b7ad3082c3800320c4929dc5210857a29080f562d5b9bd106b06fbb94b033ec396250a37cd1209

Download Submit
C:\Users\Admin\AppData\Roaming\3fsop2798FS.exe

Filesize
31KB

MD5
32fa510705144746d72d7da997322620

SHA1
4253109a05f332dc4b23d7701e6b9dacd95563ed

SHA256
1d72500284a97f99616e31e1a5cdd545972f94a773c0369b5a9792a56e0796ed

SHA512
22be6b5d34e91c1ce52f5e1e225451af4454929c82c4821760b7ad3082c3800320c4929dc5210857a29080f562d5b9bd106b06fbb94b033ec396250a37cd1209

Download Submit
C:\Users\Admin\AppData\Roaming\4fsop2798FS.exe

Filesize
275KB

MD5
ffe724d2c15681e9ac18443e025db53e

SHA1
df511ea15506b0977a1e611af73ee9d9d518e5ea

SHA256
652bd5e291a964ff1cfbb4f8d12a953fd356e67fb17fbc5c05da799467d936cf

SHA512
fdcedc35bdad3a2d2c3ad9d1e6ec43d9f2ed6e22c919ed75101231b7ef86fb2a820fc8fc6bbe9c9f80502c1c575771f9ac3c9500cd1d4679bd19fa6ce9fb8973

Download Submit
C:\Users\Admin\AppData\Roaming\4fsop2798FS.exe

Filesize
275KB

MD5
ffe724d2c15681e9ac18443e025db53e

SHA1
df511ea15506b0977a1e611af73ee9d9d518e5ea

SHA256
652bd5e291a964ff1cfbb4f8d12a953fd356e67fb17fbc5c05da799467d936cf

SHA512
fdcedc35bdad3a2d2c3ad9d1e6ec43d9f2ed6e22c919ed75101231b7ef86fb2a820fc8fc6bbe9c9f80502c1c575771f9ac3c9500cd1d4679bd19fa6ce9fb8973

Download Submit
memory/4336-132-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/4336-139-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-140-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/4756-142-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/4808-141-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/4808-143-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing