5c28b949507a6330ec9e768251131e823e1ed1587b5e8913c9e70009f235e9bb

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base/RunAppMonitor.bat
Size

100B
MD5

725126d44de4220cf95627bb04a6b1c5
SHA1

ce388a3befcec8aaa80a2d15c1d64681b97cd516
SHA256

97b940bb91f4c102a23c6654bc557fb37626790b0f50a3eb04e7b0c48d3719bc
SHA512

afc3ed66ea86b427e29249e961bbd350e89af63c2671b1278f647c61f3469018c753d1ac3b2d1e43a0424e5f6f8eda085eb626b14a81d21dbf62632725c5f4c9

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FCUI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FreeCoinsUpdater = "C:\\Users\\Admin\\AppData\\Local\\FCU\\OSUpdater.exe"	FCUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FreeCoinsStartup = "C:\\Users\\Admin\\AppData\\Local\\FCM\\DBStack.exe"	FCUI.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2036 936 WerFault.exe FCUI.exe

pid	pid_target	process	target process
2036	936	WerFault.exe	FCUI.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

FCUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	FCUI.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	FCUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	FCUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FCUI.exe

description pid process

Token: SeDebugPrivilege 936 FCUI.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

FCUI.exe

pid process

936 FCUI.exe
936 FCUI.exe

description	pid	process
Token: SeDebugPrivilege	936	FCUI.exe

pid	process
936	FCUI.exe
936	FCUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exeFCUI.exe

description	pid	process	target process
PID 1104 wrote to memory of 936	1104	cmd.exe	FCUI.exe
PID 1104 wrote to memory of 936	1104	cmd.exe	FCUI.exe
PID 1104 wrote to memory of 936	1104	cmd.exe	FCUI.exe
PID 936 wrote to memory of 2036	936	FCUI.exe	WerFault.exe
PID 936 wrote to memory of 2036	936	FCUI.exe	WerFault.exe
PID 936 wrote to memory of 2036	936	FCUI.exe	WerFault.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\base\RunAppMonitor.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\base\FCUI.exe
  FCUI.exe startHidden
  2⤵
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 936 -s 2816
    3⤵
    - Program crash
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-54-0x0000000000000000-mapping.dmp

Download
memory/936-56-0x00000000011D0000-0x0000000001230000-memory.dmp

Filesize
384KB

Download
memory/936-57-0x0000000000560000-0x0000000000574000-memory.dmp

Filesize
80KB

Download
memory/936-58-0x0000000000580000-0x00000000005E8000-memory.dmp

Filesize
416KB

Download
memory/936-60-0x000000001AEA6000-0x000000001AEC5000-memory.dmp

Filesize
124KB

Download
memory/936-61-0x000000001FB80000-0x0000000020326000-memory.dmp

Filesize
7.6MB

Download
memory/936-63-0x000000001AEA6000-0x000000001AEC5000-memory.dmp

Filesize
124KB

Download
memory/1104-55-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x0000000000000000-mapping.dmp

Download