9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528

Analysis

max time kernel
149s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe
Size

277KB
MD5

4d0a883bb0d24c1942bd40ed9f9c1148
SHA1

b304ad3db51c17b88bec29b1e5e469e12e6c8973
SHA256

9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528
SHA512

d8275c07970811afb49eb315d5aa95fe32eb24ea1c6ccdb3ef1f3f827bc496e370f460c5a8227a5f62cbc890e5540016f35ecb58142d670c249878a06cabcc94
SSDEEP

6144:Ka4InuJg58BkgqPoDH49n8Bb/ccKiQuJcw1nc6:Kat0EAH49n8BiAJcw1c6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

fplayer.exefplayer.exe

pid process

3972 fplayer.exe
3392 fplayer.exe

pid	process
3972	fplayer.exe
3392	fplayer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fplayer.exe

description pid process target process

PID 3972 set thread context of 3392 3972 fplayer.exe fplayer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fplayer.exe

pid process

3972 fplayer.exe
3972 fplayer.exe
3972 fplayer.exe
3972 fplayer.exe

description	pid	process	target process
PID 3972 set thread context of 3392	3972	fplayer.exe	fplayer.exe

pid	process
3972	fplayer.exe
3972	fplayer.exe
3972	fplayer.exe
3972	fplayer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exefplayer.exe

description	pid	process	target process
PID 4236 wrote to memory of 3972	4236	9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe	fplayer.exe
PID 4236 wrote to memory of 3972	4236	9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe	fplayer.exe
PID 4236 wrote to memory of 3972	4236	9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe	fplayer.exe
PID 3972 wrote to memory of 3392	3972	fplayer.exe	fplayer.exe
PID 3972 wrote to memory of 3392	3972	fplayer.exe	fplayer.exe
PID 3972 wrote to memory of 3392	3972	fplayer.exe	fplayer.exe
PID 3972 wrote to memory of 3392	3972	fplayer.exe	fplayer.exe
PID 3972 wrote to memory of 3392	3972	fplayer.exe	fplayer.exe
PID 3972 wrote to memory of 3392	3972	fplayer.exe	fplayer.exe
PID 3972 wrote to memory of 3392	3972	fplayer.exe	fplayer.exe

C:\Users\Admin\AppData\Local\Temp\9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe
"C:\Users\Admin\AppData\Local\Temp\9d1622d83303bbe913bbbd7974c90a1cee88046188764ffaa796f610dffd1528.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\fplayer\fplayer.exe
"C:\Users\Admin\AppData\Local\Temp\fplayer\fplayer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\fplayer\fplayer.exe
"C:\Users\Admin\AppData\Local\Temp\fplayer\fplayer.exe"
3⤵
- Executes dropped EXE
PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fplayer\fplayer.exe
Filesize
149KB

MD5
d67e024533fb9adf514b9ec62b7ec2c3

SHA1
f17ff6b18523ebdf12a811d5a390943b584c884b

SHA256
ca4f990ea198a221c6eaba11d28e8dc153a44efde565bcc2afc996c374739edb

SHA512
79c33d56dcde6899358500245a7a3ed79f6f6c012662f3ca2abd182dfb5cde38393831e312e98715769adbf1797fa8044e275aab2ca7e61470d9e48be7073f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\fplayer\fplayer.exe
Filesize
149KB

MD5
d67e024533fb9adf514b9ec62b7ec2c3

SHA1
f17ff6b18523ebdf12a811d5a390943b584c884b

SHA256
ca4f990ea198a221c6eaba11d28e8dc153a44efde565bcc2afc996c374739edb

SHA512
79c33d56dcde6899358500245a7a3ed79f6f6c012662f3ca2abd182dfb5cde38393831e312e98715769adbf1797fa8044e275aab2ca7e61470d9e48be7073f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\fplayer\fplayer.exe
Filesize
149KB

MD5
d67e024533fb9adf514b9ec62b7ec2c3

SHA1
f17ff6b18523ebdf12a811d5a390943b584c884b

SHA256
ca4f990ea198a221c6eaba11d28e8dc153a44efde565bcc2afc996c374739edb

SHA512
79c33d56dcde6899358500245a7a3ed79f6f6c012662f3ca2abd182dfb5cde38393831e312e98715769adbf1797fa8044e275aab2ca7e61470d9e48be7073f69

Download Submit
memory/3392-135-0x0000000000000000-mapping.dmp

Download
memory/3392-136-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3972-132-0x0000000000000000-mapping.dmp

Download
memory/3972-138-0x00000000001F0000-0x00000000001F5000-memory.dmp

Filesize
20KB

Download