1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab

General

Target

1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe
Size

176KB
MD5

101dca1482e21af2aa8e71921bc0c7c9
SHA1

2ae066e11fe756f2ba8dbc57866680d9bc4f6322
SHA256

1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab
SHA512

4ba2b655b852931bc5a23aca4363a3b9468dfb2897be96e17c9a04940bc512b1bc49894385190f27ea80b18c59afe883711e3e034791f6de172308418d7102d0
SSDEEP

1536:YE/v3Gauw4eSU9A8tJyjlHQA7Mvi3zyXdTDGmnyZyonvZvRbcUC7iwG586P:PAw4eSD8tJel3eXdTD5MnvZvsiF5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	fbkkjp.exe

Deletes itself 1 IoCs

pid	Process
828	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
828	cmd.exe
828	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	fbkkjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fbkkjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	fbkkjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\rfbkk\\command	fbkkjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fbkkjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\rfbkk	fbkkjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\rfbkk	fbkkjp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
796	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 828	1324	1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe	27
PID 1324 wrote to memory of 828	1324	1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe	27
PID 1324 wrote to memory of 828	1324	1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe	27
PID 1324 wrote to memory of 828	1324	1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe	27
PID 828 wrote to memory of 2008	828	cmd.exe	29
PID 828 wrote to memory of 2008	828	cmd.exe	29
PID 828 wrote to memory of 2008	828	cmd.exe	29
PID 828 wrote to memory of 2008	828	cmd.exe	29
PID 828 wrote to memory of 796	828	cmd.exe	30
PID 828 wrote to memory of 796	828	cmd.exe	30
PID 828 wrote to memory of 796	828	cmd.exe	30
PID 828 wrote to memory of 796	828	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe
"C:\Users\Admin\AppData\Local\Temp\1fa5f7be9a82c4cffd894eb71498d2ad86a850193e52ea02178800d0a35cdbab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\gwayhxm.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\fbkkjp.exe
    "C:\Users\Admin\AppData\Local\Temp\fbkkjp.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2008
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fbkkjp.exe

Filesize
140KB

MD5
f6cb38b25c4041270a4315621ab6801c

SHA1
633ffdef28ff0c6d4f4e483f298b6a3b09826b6d

SHA256
49ac1d39ad5cdf894994e81be2436ee9234d9893c9fba65aafcce4046bc06145

SHA512
103ca9929e5f888dff8f20d2391f3f65af4b0620c572db1122d757e9eaafab5a719a29ad11dc949e8ecef28d49447d418e2d8cfae43fdfe2070442f2564777de

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbkkjp.exe

Filesize
140KB

MD5
f6cb38b25c4041270a4315621ab6801c

SHA1
633ffdef28ff0c6d4f4e483f298b6a3b09826b6d

SHA256
49ac1d39ad5cdf894994e81be2436ee9234d9893c9fba65aafcce4046bc06145

SHA512
103ca9929e5f888dff8f20d2391f3f65af4b0620c572db1122d757e9eaafab5a719a29ad11dc949e8ecef28d49447d418e2d8cfae43fdfe2070442f2564777de

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwayhxm.bat

Filesize
124B

MD5
5752f557b2b9fa237c0333ddd34e2390

SHA1
b7f656bf6bb58c2825775fa741979cbb2d08c66f

SHA256
81728e873eea12b56d32302ac19e51a0a87c97ce950404a6ace5d95087bbc8a0

SHA512
6201ed44c2c5e843dab688bdcd1637b49e88c1a22ff5376d29b4cddc20049507727ba97120d9343c7694fcefd5d4e71f4080960c3f416336442ddaab50523fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\riikhf.bat

Filesize
188B

MD5
1df4ed40d038155cdad59c91b617cd6a

SHA1
0aeab6b4d9669f9771fb93dc747932f97d783c02

SHA256
b5c748809c9ffeb5f56728be412ae05f759492d576d9007239d603a024f9f733

SHA512
9430e68deaa2b9062989cf5329e0afb92eb2b9906f841ed1b6e4283a28c9a1790790b9967a2b4688b236d39680b9b8083275b5de2fa7edd202d159aea92165c9

Download Submit
\Users\Admin\AppData\Local\Temp\fbkkjp.exe

Filesize
140KB

MD5
f6cb38b25c4041270a4315621ab6801c

SHA1
633ffdef28ff0c6d4f4e483f298b6a3b09826b6d

SHA256
49ac1d39ad5cdf894994e81be2436ee9234d9893c9fba65aafcce4046bc06145

SHA512
103ca9929e5f888dff8f20d2391f3f65af4b0620c572db1122d757e9eaafab5a719a29ad11dc949e8ecef28d49447d418e2d8cfae43fdfe2070442f2564777de

Download Submit
\Users\Admin\AppData\Local\Temp\fbkkjp.exe

Filesize
140KB

MD5
f6cb38b25c4041270a4315621ab6801c

SHA1
633ffdef28ff0c6d4f4e483f298b6a3b09826b6d

SHA256
49ac1d39ad5cdf894994e81be2436ee9234d9893c9fba65aafcce4046bc06145

SHA512
103ca9929e5f888dff8f20d2391f3f65af4b0620c572db1122d757e9eaafab5a719a29ad11dc949e8ecef28d49447d418e2d8cfae43fdfe2070442f2564777de

Download Submit
memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing