Analysis
max time kernel: 173s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:31
Static task: static1
Behavioral task: behavioral1
  Sample: 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
  Resource: win10v2004-20221111-en
General
Target: 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
Size: 851KB
MD5: 82f01d8c0b2d91ea436408cd47552a9b
SHA1: cf91ce41e81fae3447cc222379c39b24996b5c85
SHA256: 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58
SHA512: 0111b9623b48e651918b7c445fd2c76d705f2349e853293dd585abab1f57008d44b70cadfcad55946eec87257edd9267c43003dcf6989feeeb62acdc44f1aa09
SSDEEP: 24576:t9WOR12VcEw33nqhjisQiKLUvzD445D7vcUj:t9WObyGLLDKDH
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3368  Fusebux-Instant-Money.exe
    4432  Money-To-Your-Fusebux-Account-Instantly.exe
    2244  svchost.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  Money-To-Your-Fusebux-Account-Instantly.exe
- Drops startup file (2 IoCs)
  Processes:
    description                   ioc                                                                                                               process
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db166ddf8eda41ea0294b2b337cfbe9.exe  svchost.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db166ddf8eda41ea0294b2b337cfbe9.exe  svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                                             process
    Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3db166ddf8eda41ea0294b2b337cfbe9 = "\"C:\\Users\\Admin\\svchost.exe\" .."  svchost.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3db166ddf8eda41ea0294b2b337cfbe9 = "\"C:\\Users\\Admin\\svchost.exe\" .."  svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
    description                        pid   process
    Token: SeDebugPrivilege            2244  svchost.exe
    Token: 33                          2244  svchost.exe
    Token: SeIncBasePriorityPrivilege  2244  svchost.exe
    Token: 33                          2244  svchost.exe
    Token: SeIncBasePriorityPrivilege  2244  svchost.exe
    Token: 33                          2244  svchost.exe
    Token: SeIncBasePriorityPrivilege  2244  svchost.exe
    Token: 33                          2244  svchost.exe
    Token: SeIncBasePriorityPrivilege  2244  svchost.exe
    Token: 33                          2244  svchost.exe
    Token: SeIncBasePriorityPrivilege  2244  svchost.exe
    Token: 33                          2244  svchost.exe
    Token: SeIncBasePriorityPrivilege  2244  svchost.exe
    Token: 33                          2244  svchost.exe
    Token: SeIncBasePriorityPrivilege  2244  svchost.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                                                                 target process
    PID 868 wrote to memory of 3368   868   6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe  Fusebux-Instant-Money.exe
    PID 868 wrote to memory of 3368   868   6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe  Fusebux-Instant-Money.exe
    PID 868 wrote to memory of 3368   868   6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe  Fusebux-Instant-Money.exe
    PID 868 wrote to memory of 4432   868   6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe  Money-To-Your-Fusebux-Account-Instantly.exe
    PID 868 wrote to memory of 4432   868   6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe  Money-To-Your-Fusebux-Account-Instantly.exe
    PID 4432 wrote to memory of 2244  4432  Money-To-Your-Fusebux-Account-Instantly.exe                             svchost.exe
    PID 4432 wrote to memory of 2244  4432  Money-To-Your-Fusebux-Account-Instantly.exe                             svchost.exe
    PID 2244 wrote to memory of 3148  2244  svchost.exe                                                             netsh.exe
    PID 2244 wrote to memory of 3148  2244  svchost.exe                                                             netsh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\svchost.exe
      Command line: "C:\Users\Admin\svchost.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SYSTEM32\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\svchost.exe" "svchost.exe" ENABLE
        - Modifies Windows Firewall
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe
  Filesize: 169KB
  MD5: a1ffe51d09de133a85d71b33d1c19f18
  SHA1: 2245c4b5d4f1d7652e651d6b1118798b46da8ef1
  SHA256: 1de72fd0059f708be4bc5c6e4cee135f4abf825806cab4cff0fd6cade44efedb
  SHA512: 0f6b9a9f8bd3503c6fe70e399691b63c8e044dac55dcffa22696ddcfea30d460c8e1211156a3a4dc02538b2eb7d8464b4a19fb09abb5b268b728ceb09c4bcf38
C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe
  Filesize: 360KB
  MD5: 8fa430d15200fa6144308a89e197b592
  SHA1: 715be47225e20e324c5647a6b89fbeba462ef7e2
  SHA256: e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3
  SHA512: 77b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490
C:\Users\Admin\svchost.exe
  Filesize: 360KB
  MD5: 8fa430d15200fa6144308a89e197b592
  SHA1: 715be47225e20e324c5647a6b89fbeba462ef7e2
  SHA256: e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3
  SHA512: 77b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490
memory/868-132-0x0000000075000000-0x00000000755B1000-memory.dmp (Filesize: 5.7MB)
memory/868-139-0x0000000075000000-0x00000000755B1000-memory.dmp (Filesize: 5.7MB)
memory/2244-149-0x0000000000000000-mapping.dmp
memory/2244-152-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp (Filesize: 10.8MB)
memory/2244-154-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp (Filesize: 10.8MB)
memory/3148-155-0x0000000000000000-mapping.dmp
memory/3368-147-0x00000000055A0000-0x00000000055F6000-memory.dmp (Filesize: 344KB)
memory/3368-145-0x00000000053C0000-0x0000000005452000-memory.dmp (Filesize: 584KB)
memory/3368-146-0x0000000005330000-0x000000000533A000-memory.dmp (Filesize: 40KB)
memory/3368-141-0x00000000008C0000-0x00000000008F2000-memory.dmp (Filesize: 200KB)
memory/3368-133-0x0000000000000000-mapping.dmp
memory/3368-144-0x00000000058D0000-0x0000000005E74000-memory.dmp (Filesize: 5.6MB)
memory/3368-142-0x0000000005280000-0x000000000531C000-memory.dmp (Filesize: 624KB)
memory/4432-148-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp (Filesize: 10.8MB)
memory/4432-140-0x0000000000970000-0x00000000009D0000-memory.dmp (Filesize: 384KB)
memory/4432-136-0x0000000000000000-mapping.dmp
memory/4432-153-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp (Filesize: 10.8MB)
memory/4432-143-0x00007FFF2BC10000-0x00007FFF2C6D1000-memory.dmp (Filesize: 10.8MB)