ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779

General

Target

ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
Size

311KB
MD5

d9294393411d0209fa4eb7137328e038
SHA1

4f31f994bcd12af33f9d83c1b47d442bbc5f0cc8
SHA256

ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779
SHA512

678d942bef81c6a4198b676009727d4bc3c0384ca1a0fe781c19a197a81172d500327a3f73bf82c61dd854ac39b2ef52ca7f472ed6febb63c0d2bd40df500f3c
SSDEEP

6144:ZLYQsaVDWfhfW4VbATQ8eQ98Y0WRht0OYHWF479FYjDJ0jAGA:ZLlIfNP0TQ87sOt05HWiBOCj

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fiico.exe

pid process

1752 fiico.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1412 cmd.exe

pid	process
1412	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe

pid	process
1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fiico.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	fiico.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Aplyer\\fiico.exe"	fiico.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe

description	pid	process	target process
PID 1676 set thread context of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

fiico.exe

pid	process
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe
1752	fiico.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exefiico.exe

description	pid	process	target process
PID 1676 wrote to memory of 1752	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	fiico.exe
PID 1676 wrote to memory of 1752	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	fiico.exe
PID 1676 wrote to memory of 1752	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	fiico.exe
PID 1676 wrote to memory of 1752	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	fiico.exe
PID 1752 wrote to memory of 1116	1752	fiico.exe	taskhost.exe
PID 1752 wrote to memory of 1116	1752	fiico.exe	taskhost.exe
PID 1752 wrote to memory of 1116	1752	fiico.exe	taskhost.exe
PID 1752 wrote to memory of 1116	1752	fiico.exe	taskhost.exe
PID 1752 wrote to memory of 1116	1752	fiico.exe	taskhost.exe
PID 1752 wrote to memory of 1212	1752	fiico.exe	Dwm.exe
PID 1752 wrote to memory of 1212	1752	fiico.exe	Dwm.exe
PID 1752 wrote to memory of 1212	1752	fiico.exe	Dwm.exe
PID 1752 wrote to memory of 1212	1752	fiico.exe	Dwm.exe
PID 1752 wrote to memory of 1212	1752	fiico.exe	Dwm.exe
PID 1752 wrote to memory of 1244	1752	fiico.exe	Explorer.EXE
PID 1752 wrote to memory of 1244	1752	fiico.exe	Explorer.EXE
PID 1752 wrote to memory of 1244	1752	fiico.exe	Explorer.EXE
PID 1752 wrote to memory of 1244	1752	fiico.exe	Explorer.EXE
PID 1752 wrote to memory of 1244	1752	fiico.exe	Explorer.EXE
PID 1752 wrote to memory of 1676	1752	fiico.exe	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
PID 1752 wrote to memory of 1676	1752	fiico.exe	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
PID 1752 wrote to memory of 1676	1752	fiico.exe	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
PID 1752 wrote to memory of 1676	1752	fiico.exe	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
PID 1752 wrote to memory of 1676	1752	fiico.exe	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe
PID 1676 wrote to memory of 1412	1676	ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe
"C:\Users\Admin\AppData\Local\Temp\ff95458746d7d667cbea2ab5ff55ed88bd7055fe5f15b73adb1c04266eb7d779.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\Aplyer\fiico.exe
"C:\Users\Admin\AppData\Roaming\Aplyer\fiico.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpabb9e77e.bat"
3⤵
- Deletes itself
PID:1412

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpabb9e77e.bat
Filesize
307B

MD5
070b33bc33c2940f4ea7847dc8122836

SHA1
eeb4712f9ed81ce7389badb086149bcf8b1903eb

SHA256
ce724b7787f24a83b4a94a1a1c1bae76e840d4cec37a46aca8751c0b4dae6cd8

SHA512
7d566ab209cddc1d7635a57eb45e4e84aca2bdf7a4be8bd3b1e9cb4be1c8ece08ea9b6d41e88f129d3b8197e1e294095a3bb7df46f046894a560c1b20ce9b3cc

Download Submit
C:\Users\Admin\AppData\Roaming\Aplyer\fiico.exe
Filesize
311KB

MD5
cc0d21ac09f35f78be64548ed1961de4

SHA1
43f09848e531a2dba7acdb516db2000fefbbbd83

SHA256
92bbecd371414ba62a0bcaf686eb5cba4b5a97c1040b1e07299ce84b70d9fef4

SHA512
db3ed75f101d24cb855dc263780901379fbf2917629b002e1123a38f03331e614ed0edf738253c8264de24b13055b1b9d8043e6aa276e59e842b3e47723a0ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Aplyer\fiico.exe
Filesize
311KB

MD5
cc0d21ac09f35f78be64548ed1961de4

SHA1
43f09848e531a2dba7acdb516db2000fefbbbd83

SHA256
92bbecd371414ba62a0bcaf686eb5cba4b5a97c1040b1e07299ce84b70d9fef4

SHA512
db3ed75f101d24cb855dc263780901379fbf2917629b002e1123a38f03331e614ed0edf738253c8264de24b13055b1b9d8043e6aa276e59e842b3e47723a0ddd

Download Submit
\Users\Admin\AppData\Roaming\Aplyer\fiico.exe
Filesize
311KB

MD5
cc0d21ac09f35f78be64548ed1961de4

SHA1
43f09848e531a2dba7acdb516db2000fefbbbd83

SHA256
92bbecd371414ba62a0bcaf686eb5cba4b5a97c1040b1e07299ce84b70d9fef4

SHA512
db3ed75f101d24cb855dc263780901379fbf2917629b002e1123a38f03331e614ed0edf738253c8264de24b13055b1b9d8043e6aa276e59e842b3e47723a0ddd

Download Submit
\Users\Admin\AppData\Roaming\Aplyer\fiico.exe
Filesize
311KB

MD5
cc0d21ac09f35f78be64548ed1961de4

SHA1
43f09848e531a2dba7acdb516db2000fefbbbd83

SHA256
92bbecd371414ba62a0bcaf686eb5cba4b5a97c1040b1e07299ce84b70d9fef4

SHA512
db3ed75f101d24cb855dc263780901379fbf2917629b002e1123a38f03331e614ed0edf738253c8264de24b13055b1b9d8043e6aa276e59e842b3e47723a0ddd

Download Submit
memory/1116-69-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/1116-65-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/1116-67-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/1116-68-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/1116-70-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/1212-73-0x00000000019C0000-0x0000000001A08000-memory.dmp

Filesize
288KB

Download
memory/1212-74-0x00000000019C0000-0x0000000001A08000-memory.dmp

Filesize
288KB

Download
memory/1212-75-0x00000000019C0000-0x0000000001A08000-memory.dmp

Filesize
288KB

Download
memory/1212-76-0x00000000019C0000-0x0000000001A08000-memory.dmp

Filesize
288KB

Download
memory/1244-81-0x00000000029E0000-0x0000000002A28000-memory.dmp

Filesize
288KB

Download
memory/1244-82-0x00000000029E0000-0x0000000002A28000-memory.dmp

Filesize
288KB

Download
memory/1244-80-0x00000000029E0000-0x0000000002A28000-memory.dmp

Filesize
288KB

Download
memory/1244-79-0x00000000029E0000-0x0000000002A28000-memory.dmp

Filesize
288KB

Download
memory/1412-102-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1412-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1412-115-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1412-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1412-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1412-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1412-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1412-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1412-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1412-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1412-103-0x000000000005BBB4-mapping.dmp

Download
memory/1412-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1412-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1412-98-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1676-86-0x00000000002E0000-0x0000000000328000-memory.dmp

Filesize
288KB

Download
memory/1676-54-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1676-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1676-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1676-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1676-91-0x00000000002E0000-0x0000000000334000-memory.dmp

Filesize
336KB

Download
memory/1676-104-0x00000000002E0000-0x0000000000328000-memory.dmp

Filesize
288KB

Download
memory/1676-88-0x00000000002E0000-0x0000000000328000-memory.dmp

Filesize
288KB

Download
memory/1676-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1676-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1676-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1676-87-0x00000000002E0000-0x0000000000328000-memory.dmp

Filesize
288KB

Download
memory/1676-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1676-85-0x00000000002E0000-0x0000000000328000-memory.dmp

Filesize
288KB

Download
memory/1676-56-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1752-62-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1752-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads