1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d

General

Target

1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe
Size

451KB
MD5

618e909d5bd786d5ba2b4b727a4bc11e
SHA1

190a548f0f61f2cb83561983b4dd58969539f195
SHA256

1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d
SHA512

df09820a976c7c4cfd8fc6697b795a57f16a4eef55e92383e6dbb565b27cbc7e53eff07c6b2f18f9a26cee320f89142d70e77e3a40b07d6735d9c3e8aa9d9a05
SSDEEP

12288:XMaaim0YtKuT6cDjdGOBu7DOhjKxe8p9ImiS7eiou:XMaaim0GTREWXhGxe8rnl1d

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2332	FPlayer.exe
3492	fldingdang.exe
1404	gamedmon.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022def-136.dat	upx
behavioral2/files/0x0003000000022def-137.dat	upx
behavioral2/memory/3492-138-0x00000000007C0000-0x0000000000846000-memory.dmp	upx
behavioral2/memory/3492-143-0x00000000007C0000-0x0000000000846000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fldingdang.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	fldingdang.exe
File created	C:\Program Files (x86)\Æô¶¯\Uninstall.exe	fldingdang.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3492	fldingdang.exe
3492	fldingdang.exe
1404	gamedmon.exe
1404	gamedmon.exe
1404	gamedmon.exe
1404	gamedmon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3492	fldingdang.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2332	FPlayer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2332	FPlayer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 2332	3704	1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe	82
PID 3704 wrote to memory of 2332	3704	1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe	82
PID 3704 wrote to memory of 2332	3704	1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe	82
PID 3704 wrote to memory of 3492	3704	1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe	83
PID 3704 wrote to memory of 3492	3704	1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe	83
PID 3704 wrote to memory of 3492	3704	1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe	83
PID 3492 wrote to memory of 1404	3492	fldingdang.exe	84
PID 3492 wrote to memory of 1404	3492	fldingdang.exe	84
PID 3492 wrote to memory of 1404	3492	fldingdang.exe	84
PID 3492 wrote to memory of 3684	3492	fldingdang.exe	85
PID 3492 wrote to memory of 3684	3492	fldingdang.exe	85
PID 3492 wrote to memory of 3684	3492	fldingdang.exe	85

C:\Users\Admin\AppData\Local\Temp\1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe
"C:\Users\Admin\AppData\Local\Temp\1463bff11432a70a315b340ef838a105526bad60dc2f273357fa86720d4cec9d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\FPlayer.exe
  "C:\Users\Admin\AppData\Local\Temp\FPlayer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\fldingdang.exe
  "C:\Users\Admin\AppData\Local\Temp\fldingdang.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
    C:\Users\Admin\AppData\Local\Temp\gamedmon.exe -startgame
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FLDING~1.EXE > nul
    3⤵
    PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FPlayer.exe

Filesize
522KB

MD5
f4c9533d17346eb52e3cf04aefee7e0a

SHA1
d225570818df3fd088f859f0954b151b35e070ec

SHA256
d0485749e0b7613f8322c233dda9454897a51e9aee1c22709b4047fdab1eb7f6

SHA512
168cf879f7fc920952019d94766b5223d76b2552a88ac0b2e3680723b5127f2de6a92220aea9a3ef2a357b620182a72aa3682c24437cdccf6b8f532b4cb0ec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\FPlayer.exe

Filesize
522KB

MD5
f4c9533d17346eb52e3cf04aefee7e0a

SHA1
d225570818df3fd088f859f0954b151b35e070ec

SHA256
d0485749e0b7613f8322c233dda9454897a51e9aee1c22709b4047fdab1eb7f6

SHA512
168cf879f7fc920952019d94766b5223d76b2552a88ac0b2e3680723b5127f2de6a92220aea9a3ef2a357b620182a72aa3682c24437cdccf6b8f532b4cb0ec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\fldingdang.exe

Filesize
202KB

MD5
40dc195c76362f5d82d24e078ef7bfcb

SHA1
574f0f44759bd73db098cec0b3f88b7e00d00e71

SHA256
e9a304414bcaae4a4cd865fb8bb3da29d7da886cbc3f379d7b7004f0d7b2b8d6

SHA512
b64cee16e70fd68b8031eac9719245bf3f3c43094e34c487c7aba04fcc157ef7c8953a235741fe46ad1bf119a0d154e4a21d28a19ad481d188ea821202c45784

Download Submit
C:\Users\Admin\AppData\Local\Temp\fldingdang.exe

Filesize
202KB

MD5
40dc195c76362f5d82d24e078ef7bfcb

SHA1
574f0f44759bd73db098cec0b3f88b7e00d00e71

SHA256
e9a304414bcaae4a4cd865fb8bb3da29d7da886cbc3f379d7b7004f0d7b2b8d6

SHA512
b64cee16e70fd68b8031eac9719245bf3f3c43094e34c487c7aba04fcc157ef7c8953a235741fe46ad1bf119a0d154e4a21d28a19ad481d188ea821202c45784

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
179KB

MD5
ae86252f7ab91a3e5d10f4374a828c6b

SHA1
5fd8e86973f7ff4892f232a8bc33455a6a20b3d4

SHA256
0e87b8fc7d36c98cad2a5216794279c4d2107f839c37f02552dfac1f3b5b05e1

SHA512
8e04d8f79914d55b0cd182d29c740b17a73b809ced404e2677101ba2fc46f9c0ca289649d2a0f7a3c65bf249b51b8148033e78702cf6f1821f7122517ed1da13

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe

Filesize
179KB

MD5
ae86252f7ab91a3e5d10f4374a828c6b

SHA1
5fd8e86973f7ff4892f232a8bc33455a6a20b3d4

SHA256
0e87b8fc7d36c98cad2a5216794279c4d2107f839c37f02552dfac1f3b5b05e1

SHA512
8e04d8f79914d55b0cd182d29c740b17a73b809ced404e2677101ba2fc46f9c0ca289649d2a0f7a3c65bf249b51b8148033e78702cf6f1821f7122517ed1da13

Download Submit
memory/3492-138-0x00000000007C0000-0x0000000000846000-memory.dmp

Filesize
536KB

Download
memory/3492-143-0x00000000007C0000-0x0000000000846000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing