c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe
Size

310KB
MD5

a30f2c81df70be83d0d55bc82112dc00
SHA1

e977a5eec190b67efae9a98d2f0a34affa2de1bd
SHA256

c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed
SHA512

3805ce02f9a574d902d1e400e27139b5842b35fafa17a9179b0c86ce5d5a8a63c6c14c43ae387ad37fa685ddba4c1eaebbab70134cb4ae3277d6ee6884d508ff
SSDEEP

6144:m4gmYsNiApqa2VEcb9a6dYTuFIpxVVv8ZsmHRzlN:m49FNtqaQV9GuFehGB

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1836	faif.exe

Deletes itself 1 IoCs

pid	Process
1916	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe
1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	faif.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Ihqe\\faif.exe"	faif.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe
1836	faif.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1836	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	28
PID 1932 wrote to memory of 1836	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	28
PID 1932 wrote to memory of 1836	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	28
PID 1932 wrote to memory of 1836	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	28
PID 1836 wrote to memory of 1192	1836	faif.exe	16
PID 1836 wrote to memory of 1192	1836	faif.exe	16
PID 1836 wrote to memory of 1192	1836	faif.exe	16
PID 1836 wrote to memory of 1192	1836	faif.exe	16
PID 1836 wrote to memory of 1192	1836	faif.exe	16
PID 1836 wrote to memory of 1272	1836	faif.exe	15
PID 1836 wrote to memory of 1272	1836	faif.exe	15
PID 1836 wrote to memory of 1272	1836	faif.exe	15
PID 1836 wrote to memory of 1272	1836	faif.exe	15
PID 1836 wrote to memory of 1272	1836	faif.exe	15
PID 1836 wrote to memory of 1324	1836	faif.exe	14
PID 1836 wrote to memory of 1324	1836	faif.exe	14
PID 1836 wrote to memory of 1324	1836	faif.exe	14
PID 1836 wrote to memory of 1324	1836	faif.exe	14
PID 1836 wrote to memory of 1324	1836	faif.exe	14
PID 1836 wrote to memory of 1932	1836	faif.exe	27
PID 1836 wrote to memory of 1932	1836	faif.exe	27
PID 1836 wrote to memory of 1932	1836	faif.exe	27
PID 1836 wrote to memory of 1932	1836	faif.exe	27
PID 1836 wrote to memory of 1932	1836	faif.exe	27
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29
PID 1932 wrote to memory of 1916	1932	c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe
  "C:\Users\Admin\AppData\Local\Temp\c05786950e98389602621418e49718c76aacfd4e6dba0f313ba241cdaadf4fed.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Roaming\Ihqe\faif.exe
    "C:\Users\Admin\AppData\Roaming\Ihqe\faif.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp45577fdb.bat"
    3⤵
    - Deletes itself
    PID:1916

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1272

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp45577fdb.bat

Filesize
307B

MD5
a03f0aa0b2b6cd6f438b355a7456947b

SHA1
7d2c0e44479a8b55422253fec29d09e21c0336d1

SHA256
004203d1e84e0d3b51346f424e83532bfb52e66bfd2ab8dde0269ba044b042bb

SHA512
c8632faee136b28962ecefede6904765bf43586773579d090b29c4db3c902a0ef04d6036b5000ab0e7cfcdeaba6a85e18ccbd2e01683046ef1da75abab868e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Ihqe\faif.exe

Filesize
310KB

MD5
f23f6ed1a110cc5e605a53891d190711

SHA1
9658ff54dab7d333c0d79ac4b6fa74cf2b0b44b0

SHA256
751c4c786910ef36ff378ac672c623384912f87e5b595c7e1223db3a1e7f27e8

SHA512
d609b67dce6edacee0c67d10b4e468496c1d74ed9c6d2d0fa1eff5584778e6ad8cfdff6d5fbc758bd75c80fc2da04f0dbcc9c9cccfda038ecda707ab244b9cdb

Download Submit
C:\Users\Admin\AppData\Roaming\Ihqe\faif.exe

Filesize
310KB

MD5
f23f6ed1a110cc5e605a53891d190711

SHA1
9658ff54dab7d333c0d79ac4b6fa74cf2b0b44b0

SHA256
751c4c786910ef36ff378ac672c623384912f87e5b595c7e1223db3a1e7f27e8

SHA512
d609b67dce6edacee0c67d10b4e468496c1d74ed9c6d2d0fa1eff5584778e6ad8cfdff6d5fbc758bd75c80fc2da04f0dbcc9c9cccfda038ecda707ab244b9cdb

Download Submit
\Users\Admin\AppData\Roaming\Ihqe\faif.exe

Filesize
310KB

MD5
f23f6ed1a110cc5e605a53891d190711

SHA1
9658ff54dab7d333c0d79ac4b6fa74cf2b0b44b0

SHA256
751c4c786910ef36ff378ac672c623384912f87e5b595c7e1223db3a1e7f27e8

SHA512
d609b67dce6edacee0c67d10b4e468496c1d74ed9c6d2d0fa1eff5584778e6ad8cfdff6d5fbc758bd75c80fc2da04f0dbcc9c9cccfda038ecda707ab244b9cdb

Download Submit
\Users\Admin\AppData\Roaming\Ihqe\faif.exe

Filesize
310KB

MD5
f23f6ed1a110cc5e605a53891d190711

SHA1
9658ff54dab7d333c0d79ac4b6fa74cf2b0b44b0

SHA256
751c4c786910ef36ff378ac672c623384912f87e5b595c7e1223db3a1e7f27e8

SHA512
d609b67dce6edacee0c67d10b4e468496c1d74ed9c6d2d0fa1eff5584778e6ad8cfdff6d5fbc758bd75c80fc2da04f0dbcc9c9cccfda038ecda707ab244b9cdb

Download Submit
memory/1192-70-0x0000000001FE0000-0x0000000002028000-memory.dmp

Filesize
288KB

Download
memory/1192-68-0x0000000001FE0000-0x0000000002028000-memory.dmp

Filesize
288KB

Download
memory/1192-69-0x0000000001FE0000-0x0000000002028000-memory.dmp

Filesize
288KB

Download
memory/1192-65-0x0000000001FE0000-0x0000000002028000-memory.dmp

Filesize
288KB

Download
memory/1192-67-0x0000000001FE0000-0x0000000002028000-memory.dmp

Filesize
288KB

Download
memory/1272-75-0x0000000000340000-0x0000000000388000-memory.dmp

Filesize
288KB

Download
memory/1272-73-0x0000000000340000-0x0000000000388000-memory.dmp

Filesize
288KB

Download
memory/1272-74-0x0000000000340000-0x0000000000388000-memory.dmp

Filesize
288KB

Download
memory/1272-76-0x0000000000340000-0x0000000000388000-memory.dmp

Filesize
288KB

Download
memory/1324-82-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1324-81-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1324-79-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1324-80-0x0000000002910000-0x0000000002958000-memory.dmp

Filesize
288KB

Download
memory/1916-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1916-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1916-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1916-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1916-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1916-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1916-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1916-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1916-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1916-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1916-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1916-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1932-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1932-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1932-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1932-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1932-103-0x0000000000380000-0x00000000003C8000-memory.dmp

Filesize
288KB

Download
memory/1932-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1932-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1932-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1932-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1932-88-0x0000000000380000-0x00000000003C8000-memory.dmp

Filesize
288KB

Download
memory/1932-87-0x0000000000380000-0x00000000003C8000-memory.dmp

Filesize
288KB

Download
memory/1932-86-0x0000000000380000-0x00000000003C8000-memory.dmp

Filesize
288KB

Download
memory/1932-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1932-85-0x0000000000380000-0x00000000003C8000-memory.dmp

Filesize
288KB

Download