Analysis
-
max time kernel
6s -
max time network
7s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 22:14
Static task
static1
Behavioral task
behavioral1
Sample
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
Resource
win10v2004-20220901-en
General
-
Target
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
-
Size
369KB
-
MD5
b34f2b9affb33bfd5b0e614c98bc864f
-
SHA1
110b70ff3fe487de75344e1635752b5b850f7286
-
SHA256
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb
-
SHA512
64a4c5f40ee84041a576f288d834a76a9b94ebf0b5081cd07576493d6cbb1cf82ea2411e5997e9f161d2890b4b25a9373061765a0d1af7a353d9511165801b6c
-
SSDEEP
6144:PNlwo1G9mdL7G8Oi0Fb2GuIKlbaTSPfYq5c+ClSTAVVD3s3G:PNBumZh09g/gqbiK
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exepid process 1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FudkaDrabu = "regsvr32.exe \"C:\\ProgramData\\FudkaDrabu\\FudkaDrabu.dat\"" 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe -
Modifies registry class 2 IoCs
Processes:
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{70D72ED6-49C4-472B-BD94-62ED1BD43E3B} 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{70D72ED6-49C4-472B-BD94-62ED1BD43E3B}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c393133623134636639313838373932306634393464303966666163356339623139393237663533326562353332353432373966396238646465316332373865622e65786500 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exepid process 1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe 1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exedescription pid process Token: SeCreateGlobalPrivilege 1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe Token: SeDebugPrivilege 1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exedescription pid process target process PID 1848 wrote to memory of 796 1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe fontdrvhost.exe PID 1848 wrote to memory of 796 1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe fontdrvhost.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:796
-
C:\Users\Admin\AppData\Local\Temp\913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe"C:\Users\Admin\AppData\Local\Temp\913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\FudkaDrabu\FudkaDrabu.datFilesize
252KB
MD53a678acae920d7d7c28128eab541a80b
SHA1857f960a3ee0db307b248f264e4bb02c4b4861e0
SHA25680f5f0489f8080e5dfd955e6235210bba61c7ca8cb0a1457c328ed11cd5a9431
SHA512d35ca5295435e230b0e3f2c364e9396e806aadb10e3032d1a35f5dde31689c60d0c2aad3d3eb4acae4b932c1ae734c8cdea735fe3a2b90378f11ae6cbba4809c
-
memory/1848-132-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/1848-133-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1848-136-0x0000000075200000-0x0000000075268000-memory.dmpFilesize
416KB
-
memory/1848-137-0x0000000075200000-0x0000000075233000-memory.dmpFilesize
204KB