Analysis
max time kernel: 151s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 15:20
Static task: static1
Behavioral task: behavioral1
  Sample: 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe
  Resource: win10v2004-20220812-en
General
Target: 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe
Size: 260KB
MD5: 0e89b140c3393615a3fc815f290f8b1b
SHA1: 1998e24ee4b1f4d028653c1494ca90417e2ff2f3
SHA256: 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac
SHA512: 0bb8d744492e763cc3baff0c93256f8fe65530797c9caf32411ea93b9a282f1f83774473ad975921f1df8faca559b067d1c0d55273962dbc0b44db6d23c97d28
SSDEEP: 3072:6gfAlNGvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGVa:6dLgTSrMaIl/jcLijfHFEHWzXvjT85R
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: fiaob.exe
Executes dropped EXE (1 IoC)
  pid: 4832
  process: fiaob.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4832
  process: fiaob.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2400 | process 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe
  pid 4832 | process fiaob.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | procid_target
  PID 2400 wrote to memory of 4832 | 2400 | 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe | 79
  PID 2400 wrote to memory of 4832 | 2400 | 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe | 79
  PID 2400 wrote to memory of 4832 | 2400 | 8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe | 79
Processes
C:\Users\Admin\AppData\Local\Temp\8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8f482dac0944cb3e893f071256f648d19978ade4bdbe3adfa59e4860810234ac.exe"
  PID: 2400
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\fiaob.exe
    command line: "C:\Users\Admin\fiaob.exe"
    PID: 4832
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 260KB
MD5: 1db3e965966a4a6a1180da9dea7ff669
SHA1: af25be4edb5d23251b723fb13cf5f63ce57d0aaf
SHA256: 5a28d8dfc1866876f305299f75691279e1e7d33c5f5882a6f925a8e4ed288a97
SHA512: 75d4f4a239028ffdb996de5ed0398da9782ff024cc21e1282a37febc5b3b3e25c5c08ef3435d16d59e087ef16b577bcf13fc8b1a2035ffeffd13cf94a7ddc119