bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc

Analysis

max time kernel
152s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe
Size

156KB
MD5

1f7fd12d8b3f412715503fdfaf728ef0
SHA1

60ef8bf1068ea3f9e57916decb8dc8812488f1a1
SHA256

bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc
SHA512

28cc907dc38bb912d0c9abdf0570f6a2a6ed2cc1595b2d9f77510ab35376879f23fb47315b821b450e1a868ab8b61275559d290b46f87bfd1fe79982c67740db
SSDEEP

3072:y6oKL8OkxY7hCjG8G3GbGVGBGfGuGxGWYcrf6Kadk:y6FLvU+AYcD6Kad

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fkyoc.exe

Executes dropped EXE 1 IoCs

pid	Process
1472	fkyoc.exe

Loads dropped DLL 2 IoCs

pid	Process
1608	bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe
1608	bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fkyoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\fkyoc = "C:\\Users\\Admin\\fkyoc.exe"	fkyoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe
1472	fkyoc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1608	bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe
1472	fkyoc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1472	1608	bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe	26
PID 1608 wrote to memory of 1472	1608	bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe	26
PID 1608 wrote to memory of 1472	1608	bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe	26
PID 1608 wrote to memory of 1472	1608	bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe	26
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25
PID 1472 wrote to memory of 1608	1472	fkyoc.exe	25

C:\Users\Admin\AppData\Local\Temp\bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe
"C:\Users\Admin\AppData\Local\Temp\bd04d5dc4d768d0ca4ad9a35745aa8f4032f1ef6932cf772dee24601cab236bc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\fkyoc.exe
  "C:\Users\Admin\fkyoc.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fkyoc.exe

Filesize
156KB

MD5
eed767a22ab3977da491f4c21c1a84e7

SHA1
08908f1063c7c477d74162e692bad05b1cca0de5

SHA256
498cd2e390b20a002b60fbf96311e7e76065aa5493c0ac032b419d8caacab6eb

SHA512
3380d10a8f56eb82c54ab8b286626090a33068d07c769b957efa17a78d8d52521835c94f37b44cb002d849f1f7ade23f5c79e7fa9a1b2202fa68313645021bdf

Download Submit
C:\Users\Admin\fkyoc.exe

Filesize
156KB

MD5
eed767a22ab3977da491f4c21c1a84e7

SHA1
08908f1063c7c477d74162e692bad05b1cca0de5

SHA256
498cd2e390b20a002b60fbf96311e7e76065aa5493c0ac032b419d8caacab6eb

SHA512
3380d10a8f56eb82c54ab8b286626090a33068d07c769b957efa17a78d8d52521835c94f37b44cb002d849f1f7ade23f5c79e7fa9a1b2202fa68313645021bdf

Download Submit
\Users\Admin\fkyoc.exe

Filesize
156KB

MD5
eed767a22ab3977da491f4c21c1a84e7

SHA1
08908f1063c7c477d74162e692bad05b1cca0de5

SHA256
498cd2e390b20a002b60fbf96311e7e76065aa5493c0ac032b419d8caacab6eb

SHA512
3380d10a8f56eb82c54ab8b286626090a33068d07c769b957efa17a78d8d52521835c94f37b44cb002d849f1f7ade23f5c79e7fa9a1b2202fa68313645021bdf

Download Submit
\Users\Admin\fkyoc.exe

Filesize
156KB

MD5
eed767a22ab3977da491f4c21c1a84e7

SHA1
08908f1063c7c477d74162e692bad05b1cca0de5

SHA256
498cd2e390b20a002b60fbf96311e7e76065aa5493c0ac032b419d8caacab6eb

SHA512
3380d10a8f56eb82c54ab8b286626090a33068d07c769b957efa17a78d8d52521835c94f37b44cb002d849f1f7ade23f5c79e7fa9a1b2202fa68313645021bdf

Download Submit
memory/1608-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download