Overview

overview

8

Static

static

fcf9bfdda1...92.exe

windows7-x64

8

fcf9bfdda1...92.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe

  • Size

    986KB

  • MD5

    f571f9ba675a979292735c5f3a1d4e09

  • SHA1

    d60929a1a78d39a86ee379b318ff96c79a861800

  • SHA256

    fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92

  • SHA512

    4e0b1ef15743158ea8cd9d13c5011de748e1583c8f0b9a21bb17806e8567b1046c8f3c050de678ec255c2ce0560689da1a85a61dc79c3b465caaa029ba04123c

  • SSDEEP

    24576:o5CvHHvH7MgHNCntKmrQTE2Wxn7rrAq4jungDygJOMWJO:pjqQmr97rwX0JO

Score
8/10
discoveryevasion

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 44 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 40 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe
    "C:\Users\Admin\AppData\Local\Temp\fcf9bfdda1dcbab86432fcf357390d8ab5e1c9f1ea5f39baf72d3150cd7c9d92.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\SysWOW64\IIS\setup2.exe
      "C:\Windows\system32\IIS\setup2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\IIS\sxeCCDC.tmp
        "C:\Windows\SysWOW64\IIS\sxeCCDC.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt7143.bat
          4⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\SysWOW64\IIS\services.exe
            services -i
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:4864
          • C:\Windows\SysWOW64\attrib.exe
            attrib ../iis +h
            5⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:1948
          • C:\Windows\SysWOW64\net.exe
            net start "Sound Management"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4888
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start "Sound Management"
              6⤵
                PID:4348
            • C:\Windows\SysWOW64\regedit.exe
              regedit /s mirc.reg
              5⤵
              • Runs .reg file with regedit
              PID:3436
            • C:\Windows\SysWOW64\net.exe
              net start "Sound Management"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4772
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 start "Sound Management"
                6⤵
                  PID:3984
      • C:\Windows\SysWOW64\IIS\services.exe
        C:\Windows\SysWOW64\IIS\services.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:312
        • C:\Windows\SysWOW64\IIS\winlogon.exe
          C:\Windows\system32\IIS\winlogon.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1292

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bt7143.bat
        Filesize

        865B

        MD5

        0e5e2044cc54574d43a7dfc2aa923719

        SHA1

        d45e187d832169cc132e45c839d6e7e98f738313

        SHA256

        d3cfdabfb6a871be5189a2718a70a3886094d65f261cae3ada3c2e986c854bb0

        SHA512

        e50950f8921fa34e12d160b15f3ecbfc5a02bbb2800119cc82571767ac8fe74c0df61199a7809434b85b6b8afcf0458c841cdd6fcc4fb17bd3b449233f3d2b25

        Download Submit

      • C:\Windows\SysWOW64\IIS\ircnz.dll
        Filesize

        30KB

        MD5

        62456b6cbdb93b6f1458469d90c57e2c

        SHA1

        aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9

        SHA256

        445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

        SHA512

        29331e7da090c9824d67db0a7c62099f3ca97e927d7ffda51237d785dadaf6c21875e98c6e404bb1f9a91382857fcd3ca57c504dc5fb5e5f6f9019cf3fcc732f

        Download Submit

      • C:\Windows\SysWOW64\IIS\ircnz.dll
        Filesize

        30KB

        MD5

        62456b6cbdb93b6f1458469d90c57e2c

        SHA1

        aee316ef1f6e14e839dd3ce4ef6e4dcd0dacc4c9

        SHA256

        445d74478a92117eb400ea0c41e8a90f91e44401b1b28536cd5bb8087572ed3f

        SHA512

        29331e7da090c9824d67db0a7c62099f3ca97e927d7ffda51237d785dadaf6c21875e98c6e404bb1f9a91382857fcd3ca57c504dc5fb5e5f6f9019cf3fcc732f

        Download Submit

      • C:\Windows\SysWOW64\IIS\mirc.REG
        Filesize

        151B

        MD5

        9a1c20549988cd4e3ce73449b8d4bbd9

        SHA1

        d9c7f5d506cd06d957b84a9d3a2342195f727fd8

        SHA256

        4d41b734b123ed45dbfd512ac2bed042da04b7b8fc621acd899f55c6707fbc5b

        SHA512

        8b1640079f72bf83d91fa2e73c781ace84eef2b30cab3feb8a98d5c12dd5d1df888d05d6574c0707454d633b92afd6e1378996775b3ed213f30895a0af38732c

        Download Submit

      • C:\Windows\SysWOW64\IIS\services.exe
        Filesize

        52KB

        MD5

        6b95926f1c12fb3e6605844e91855be8

        SHA1

        589b1d027bf59553cabc948d8f81e19e2347c958

        SHA256

        0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

        SHA512

        31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

        Download Submit

      • C:\Windows\SysWOW64\IIS\services.exe
        Filesize

        52KB

        MD5

        6b95926f1c12fb3e6605844e91855be8

        SHA1

        589b1d027bf59553cabc948d8f81e19e2347c958

        SHA256

        0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

        SHA512

        31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

        Download Submit

      • C:\Windows\SysWOW64\IIS\services.exe
        Filesize

        52KB

        MD5

        6b95926f1c12fb3e6605844e91855be8

        SHA1

        589b1d027bf59553cabc948d8f81e19e2347c958

        SHA256

        0aba71a76ce9eaf3a482f38f9de3e04b7eed981347044e24e62be42229f9f5ca

        SHA512

        31d96e9b567825a64976f1d1c6f1fde64b49ff7cd5f7db28cb6af656ad75530fda5fa0483b9a35e9a8a4fe2de5b1e28acf3c2143d36ea9862b2d729fdc90902a

        Download Submit

      • C:\Windows\SysWOW64\IIS\services.ini
        Filesize

        265B

        MD5

        550a5099acb0db1d245a94ace5c2631b

        SHA1

        64e71e7c91be45fc59ac283ec927c5db276a5ed5

        SHA256

        66bd2edab998aed343d65bc9684729d4052c00b056e22724c7bf32f515c477f8

        SHA512

        109e6db59f0cf702ef773e300bce071e8af5a2cfc026fcb1b5c8f425b79575251983896221bb95ffbcf44912bea09c303f77c177d1ce7a4a69d8d9bc132aa800

        Download Submit

      • C:\Windows\SysWOW64\IIS\setup2.exe
        Filesize

        115KB

        MD5

        f959a6c0e577dec0a8cd617d3b5a254b

        SHA1

        b1e8f45371709218dbfb1711a11337ca8243222e

        SHA256

        78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

        SHA512

        abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

        Download Submit

      • C:\Windows\SysWOW64\IIS\setup2.exe
        Filesize

        115KB

        MD5

        f959a6c0e577dec0a8cd617d3b5a254b

        SHA1

        b1e8f45371709218dbfb1711a11337ca8243222e

        SHA256

        78616d84429ffd836622e2a390d9390fdb9a21ff6f669685398f88f27a2a212f

        SHA512

        abcda5460683d492d274faa4cdfb25a788f464a0a899c3ad66fcf775a08dad0a8e86654f1ab867aaee09ea4f813d0da102c728b78d03996a30c1f120f5f26d35

        Download Submit

      • C:\Windows\SysWOW64\IIS\sxeCCCA.tmp
        Filesize

        15KB

        MD5

        bd815b61f9948f93aface4033fbb4423

        SHA1

        b5391484009b39053fc8b1bba63d444969bafcfa

        SHA256

        b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

        SHA512

        a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

        Download Submit

      • C:\Windows\SysWOW64\IIS\sxeCCCA.tmp
        Filesize

        15KB

        MD5

        bd815b61f9948f93aface4033fbb4423

        SHA1

        b5391484009b39053fc8b1bba63d444969bafcfa

        SHA256

        b018bf9e9f8b6d945e6a2a25984970634884afabc580af2b4e855730520d5d76

        SHA512

        a363abe97b5a44e5d36af859e8d484daffe1d8e321c87969a75d1bfaa4288a5e6be1922a02c6d72937c84e81a79a1c7f6c9f2a44a995cac3f993ed5608afcd71

        Download Submit

      • C:\Windows\SysWOW64\IIS\sxeCCDC.tmp
        Filesize

        146KB

        MD5

        810f556084a89f6a1253094cbd568338

        SHA1

        385ff65ec8c5f07d84961b5ea588b128fa5d09f2

        SHA256

        e619487112ad29ba127ab34e188520dab9ecf3c5550c7e302ac69f949f9cf2a6

        SHA512

        fb2738d24c33b0f1ad09ef4bb7fb207a37f6faef3f19bfd6a32a0331b7f9952046f8f86fb09e13554c3a05e833b270337e6cee88ef2e5230c1f11b2e6a5eb034

        Download Submit

      • C:\Windows\SysWOW64\IIS\sxeCCDC.tmp
        Filesize

        146KB

        MD5

        810f556084a89f6a1253094cbd568338

        SHA1

        385ff65ec8c5f07d84961b5ea588b128fa5d09f2

        SHA256

        e619487112ad29ba127ab34e188520dab9ecf3c5550c7e302ac69f949f9cf2a6

        SHA512

        fb2738d24c33b0f1ad09ef4bb7fb207a37f6faef3f19bfd6a32a0331b7f9952046f8f86fb09e13554c3a05e833b270337e6cee88ef2e5230c1f11b2e6a5eb034

        Download Submit

      • C:\Windows\SysWOW64\IIS\winlogon.exe
        Filesize

        787KB

        MD5

        5915c4cd8b6ba516d95d595fd6a477ed

        SHA1

        bbf95ea32259124703cfcac9f17d24b0d8bf4943

        SHA256

        b9a1a05cfe13a1f75075ac12c3e11305c2d3a691e3ce2fb8c1d66293c091ebb7

        SHA512

        72ef903d73729db32f4b09a49a819272445587caa6706dfc525de7d025afa9f194f58bcf9d64ce97c39e6ceb1f64588e43b09cdcab428d20d9b1164b5bc640f6

        Download Submit

      • C:\Windows\SysWOW64\IIS\winlogon.exe
        Filesize

        787KB

        MD5

        5915c4cd8b6ba516d95d595fd6a477ed

        SHA1

        bbf95ea32259124703cfcac9f17d24b0d8bf4943

        SHA256

        b9a1a05cfe13a1f75075ac12c3e11305c2d3a691e3ce2fb8c1d66293c091ebb7

        SHA512

        72ef903d73729db32f4b09a49a819272445587caa6706dfc525de7d025afa9f194f58bcf9d64ce97c39e6ceb1f64588e43b09cdcab428d20d9b1164b5bc640f6

        Download Submit

      • \??\c:\windows\SysWOW64\iis\aliases.ini
        Filesize

        287B

        MD5

        b691acab8c3643492a33e35af20134d5

        SHA1

        db139c2a11e53e05ba5293d5271dd60f067a0007

        SHA256

        59761478b0be782c96230e908ed5e8bc24ad07395228adf6948c970d7aec7f8c

        SHA512

        936ab03d6a08d4ab4967c9f8915852c5afa494ab9395d953c3c44296f87376ee931a80935018b3b5b2f483e8beccd21fcddec11662c5595efc94dcddc1268c3d

        Download Submit

      • \??\c:\windows\SysWOW64\iis\ir.cn
        Filesize

        3KB

        MD5

        bd5acf6efa11feff9a5fc225bebccae3

        SHA1

        5d8c260c899ecf4f95e03c76a55c94f5dce641ab

        SHA256

        8043ef54dbaa907305828a955d549b296451ff3273326c562ffbc9e64048cf4e

        SHA512

        71049d88a3bab12f1e4f60223125cddbefdcdcf1c5a83eec43494ec1d2edd8874558c51b915b664022987a2f7b61c64b795ab40454c81f63a8644dfdc537e54a

        Download Submit

      • \??\c:\windows\SysWOW64\iis\ir2.cn
        Filesize

        2KB

        MD5

        4d40dc873bf857152baa4c8615634a31

        SHA1

        fbdd4e2e9a0be5be4a04e37eddf9c17621422a2f

        SHA256

        64dbee02e44371998bd921a405110748c6c75b3db27e804bfc716de232c5586c

        SHA512

        3e27c936a20f29d28ef5ea1726f5b0fdbd14343f36af2c0f8f2ba5dfba6f96b89eb8970d8eac4aa8a8d8bc186eab47718ad4028e8ed2d0a47ff8fb66b315c099

        Download Submit

      • \??\c:\windows\SysWOW64\iis\mirc.ini
        Filesize

        4KB

        MD5

        8ac2dc2027ed52dcf3ba315e9c7df796

        SHA1

        08fd82d8a3181ac11a8b9f22de435379c73f8de0

        SHA256

        57964724d4329c8333c4525ed7697888b8caf6c7918ec1fa512f589112bdf2d5

        SHA512

        503cfd79516c6731bbf58e9e779bc8c8bb8fadea68936edb4cbdcdfc600d099708194478aa3920f5063aa0f50022da02bec9c6c526429ef845e98816a16b22b0

        Download Submit

      • \??\c:\windows\SysWOW64\iis\servers.ini
        Filesize

        31B

        MD5

        58f69ecb9ff5793d8960bf6f83a82022

        SHA1

        a3649e4abe2ad664791b3a6469467c5af12cf4cd

        SHA256

        f0b5aafeac67907833c8222cbf6564ca3d57f20ed8c3b60dd2ed550dc6c87677

        SHA512

        e1dc48210f6c69d642a142f8b6c8cda85efc073f9e4a45cdc7f92d6d823602ba352409cd20bf74fcc6192226a7f511de2dded918807fbe78d3926e928236064f

        Download Submit

      • \??\c:\windows\SysWOW64\iis\vars.ini
        Filesize

        571B

        MD5

        463cbe8a32e88e61ca622edd61302441

        SHA1

        b2d3dfbcf4f505990fd4f05639d21ad4c5a32024

        SHA256

        ebd32663b4639f0a17dee14f77f83334dc6d3c58c0324765c5bab3def2dd1b57

        SHA512

        33ce9537737b75fac8b10e48ff2a4c8435ae103f0c36fc81c893e08162c06a3a5e29d32e1d686ad5d3795c3714b194c0f044e89632358351c4327eb5a6ef7d61

        Download Submit

      • memory/212-138-0x0000000000000000-mapping.dmp

        Download

      • memory/1292-152-0x0000000000000000-mapping.dmp

        Download

      • memory/1292-163-0x0000000000400000-0x00000000005CE000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1292-168-0x0000000000400000-0x00000000005CE000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1428-137-0x00000000005F1000-0x00000000005F3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1428-148-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1428-132-0x0000000000000000-mapping.dmp

        Download

      • memory/1588-141-0x0000000000000000-mapping.dmp

        Download

      • memory/1948-147-0x0000000000000000-mapping.dmp

        Download

      • memory/3436-164-0x0000000000000000-mapping.dmp

        Download

      • memory/3984-167-0x0000000000000000-mapping.dmp

        Download

      • memory/4348-150-0x0000000000000000-mapping.dmp

        Download

      • memory/4772-166-0x0000000000000000-mapping.dmp

        Download

      • memory/4864-143-0x0000000000000000-mapping.dmp

        Download

      • memory/4888-149-0x0000000000000000-mapping.dmp

        Download