5c28b949507a6330ec9e768251131e823e1ed1587b5e8913c9e70009f235e9bb

Analysis

max time kernel
221s
max time network
285s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base/FCUI.exe
Size

365KB
MD5

376167b2e31a2af37f27cba5fd66467d
SHA1

e7812d3631dbe9d68e86151705a21c0f845a31b5
SHA256

735d089135087ee6b9bbac999eace92939dd4c33a60b5d72049df15bc01854bb
SHA512

fef3a6d708e13e548dce554b1aee224ff7f851970e3eae01805ec0e856c797e8ef25db853a1ce2c6098f68148c2c2c233768dc3db650b034582bed335e700fd5
SSDEEP

6144:8WpaPLItYxGc8G5zD2yFtqLItYxGc8G5z/2yF/d+o5JVHT0xAd3TpDS16UHXrOwN:6PLIWGw5zD2yCLIWGw5z/2yD+mXzgG3k

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FCUI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\FreeCoinsUpdater = "C:\\Users\\Admin\\AppData\\Local\\FCU\\OSUpdater.exe"	FCUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\FreeCoinsStartup = "C:\\Users\\Admin\\AppData\\Local\\FCM\\DBStack.exe"	FCUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

FCUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	FCUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	FCUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	FCUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FCUI.exe

description pid process

Token: SeDebugPrivilege 1500 FCUI.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

FCUI.exe

pid process

1500 FCUI.exe
1500 FCUI.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

FCUI.exe

pid process

1500 FCUI.exe
1500 FCUI.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

FCUI.exe

pid process

1500 FCUI.exe
1500 FCUI.exe

description	pid	process
Token: SeDebugPrivilege	1500	FCUI.exe

pid	process
1500	FCUI.exe
1500	FCUI.exe

pid	process
1500	FCUI.exe
1500	FCUI.exe

pid	process
1500	FCUI.exe
1500	FCUI.exe

C:\Users\Admin\AppData\Local\Temp\base\FCUI.exe
"C:\Users\Admin\AppData\Local\Temp\base\FCUI.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-54-0x0000000000030000-0x0000000000090000-memory.dmp

Filesize
384KB

Download
memory/1500-55-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/1500-56-0x0000000000530000-0x0000000000598000-memory.dmp

Filesize
416KB

Download
memory/1500-57-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/1500-58-0x000000001B186000-0x000000001B1A5000-memory.dmp

Filesize
124KB

Download
memory/1500-59-0x000000001B186000-0x000000001B1A5000-memory.dmp

Filesize
124KB

Download
memory/1500-60-0x000000001FD50000-0x00000000204F6000-memory.dmp

Filesize
7.6MB

Download