e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100

General

Target

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
Size

1.4MB
MD5

71cf9e17f89c88d5e287017149e04af8
SHA1

a822a06b3efaea3a17bfb8d17e549f8a904bba2a
SHA256

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100
SHA512

74e7f8af01a77716a0a6625ede3b0d8cac50c1f93f27eb146248c4d32737268fb26f3d7da0db6f9b5b5d5189f63b2007d94f80d61fc92b9b70dfe406c0fc0437
SSDEEP

24576:YDOdboF3zDAL08WR42XibVaUXWskvhSrC6DDNbswu6aJ2k:Jg3wzAl6XxkpODNbRah

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

FB_FDCA.tmp.exeFB_FDD9.tmp.exeHost.exe

pid process

1292 FB_FDCA.tmp.exe
3372 FB_FDD9.tmp.exe
4576 Host.exe

pid	process
1292	FB_FDCA.tmp.exe
3372	FB_FDD9.tmp.exe
4576	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FB_FDD9.tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D64D26Q-732M-57FF-5QQB-A633DI5FIF36}	FB_FDD9.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D64D26Q-732M-57FF-5QQB-A633DI5FIF36}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FB_FDD9.tmp.exe\""	FB_FDD9.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exeFB_FDCA.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	FB_FDCA.tmp.exe

Drops startup file 1 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exeFB_FDD9.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	FB_FDD9.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FB_FDD9.tmp.exe"	FB_FDD9.tmp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

description	pid	process	target process
PID 1824 set thread context of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 set thread context of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

pid	process
1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

pid	process
1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.execmd.exenet.exeiexplore.exee1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exeFB_FDCA.tmp.exe

description	pid	process	target process
PID 1824 wrote to memory of 4696	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	cmd.exe
PID 1824 wrote to memory of 4696	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	cmd.exe
PID 1824 wrote to memory of 4696	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	cmd.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 1824 wrote to memory of 2156	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	iexplore.exe
PID 4696 wrote to memory of 1936	4696	cmd.exe	net.exe
PID 4696 wrote to memory of 1936	4696	cmd.exe	net.exe
PID 4696 wrote to memory of 1936	4696	cmd.exe	net.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1824 wrote to memory of 2404	1824	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
PID 1936 wrote to memory of 1784	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1784	1936	net.exe	net1.exe
PID 1936 wrote to memory of 1784	1936	net.exe	net1.exe
PID 2156 wrote to memory of 3372	2156	iexplore.exe	FB_FDD9.tmp.exe
PID 2156 wrote to memory of 3372	2156	iexplore.exe	FB_FDD9.tmp.exe
PID 2156 wrote to memory of 3372	2156	iexplore.exe	FB_FDD9.tmp.exe
PID 2404 wrote to memory of 1292	2404	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	FB_FDCA.tmp.exe
PID 2404 wrote to memory of 1292	2404	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	FB_FDCA.tmp.exe
PID 2404 wrote to memory of 1292	2404	e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe	FB_FDCA.tmp.exe
PID 1292 wrote to memory of 4576	1292	FB_FDCA.tmp.exe	Host.exe
PID 1292 wrote to memory of 4576	1292	FB_FDCA.tmp.exe	Host.exe
PID 1292 wrote to memory of 4576	1292	FB_FDCA.tmp.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
"C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:1784

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\FB_FDD9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_FDD9.tmp.exe"
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:3372

C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
C:\Users\Admin\AppData\Local\Temp\e1d63956ed3d44aa0eb19c4964c1b84909fde1ab5e96d99812684ac9341f6100.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\FB_FDCA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_FDCA.tmp.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_FDCA.tmp.exe

Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_FDCA.tmp.exe

Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_FDD9.tmp.exe

Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_FDD9.tmp.exe

Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
68KB

MD5
f3208f5f678309f72534b7495e59a732

SHA1
907dc10816898f14a5f9c8fc8871342f709b4467

SHA256
e9c3ee481ec43c32e05b36790bd067f67cf07c06a923f9c5d276d2b216bf64e2

SHA512
523a38a8d4d1e31a8c82d8e06f4ad511e252f79f83a57abbd9841d52f9691c802bd6b5b7b59f23f3ab19821b82890440566f9f17e820bc582f6801e616a86ac5

Download Submit
memory/1292-142-0x0000000000000000-mapping.dmp

Download
memory/1784-140-0x0000000000000000-mapping.dmp

Download
memory/1824-132-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

Filesize
16KB

Download
memory/1936-134-0x0000000000000000-mapping.dmp

Download
memory/2404-136-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2404-139-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2404-138-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2404-135-0x0000000000000000-mapping.dmp

Download
memory/3372-141-0x0000000000000000-mapping.dmp

Download
memory/4576-147-0x0000000000000000-mapping.dmp

Download
memory/4696-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads