Analysis

max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 19:35
Static task: static1

Behavioral task: behavioral1
  Sample: fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
  Resource: win10v2004-20220812-en

The signatures, process tree and dumps below are from behavioral2 (the win10v2004 run); the memory dump names carry the behavioral2/ prefix.
General

Target: fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
Size: 311KB
MD5: 3acae02fcb29940d3473010c8a2a9cbd
SHA1: c843ad5ff8b01eafe64ecad030beb24fd336a8dc
SHA256: fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c
SHA512: 212ac5b1cedc571541e18a8a67f02309612a7e242a08fe66a0e549ca616d1bf885658f8342d23e6e9f5b9200a4eb6f43e63d3fe86198c59f3e250dad9adae6d7
SSDEEP: 6144:OUfoCVoAqF5gxYLQPfcwSVyqFoSZYV/2Jzid+mzk7A1j:OYnKF5gcQHLioSWc7m
Malware Config
Signatures

Detect Blackmoon payload (2 IoCs)
  Memory regions matched by the family_blackmoon YARA rule:
    behavioral2/memory/4736-136-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral2/memory/4736-140-0x0000000000400000-0x0000000000442000-memory.dmp
  Both dumps are the mapped image range of the dropped Fobeka.exe (PID 4736). No match is recorded for the parent's dumps (PID 4844), so the family identification rests on the second stage, not on the 311KB submitted file.

Executes dropped EXE (1 IoC)
  PID 4736  Fobeka.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe:
    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Blackmoon (also tracked as KRBanker) is known for targeting South Korean users, which fits the later launch of www.naver.com in the process tree; what the sample does when the country code is not the expected one is not shown in this run.
Adds Run key to start application (2 TTPs, 3 IoCs)
  fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe"
    (the value name is empty: the dropper's own Temp path is written to the key's default value)
  Fobeka.exe:
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syotom = "C:\\WINDOWS\\srchasstsss\\Fobeka.exe"
  Both writes land under WOW6432Node because the writers are 32-bit processes on an x64 host (registry redirection). Windows processes the 32-bit Run key at logon as well, so the persistence is effective; when hunting, query both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its WOW6432Node counterpart, and look for the value name syotom and any autostart pointing into C:\WINDOWS\srchasstsss.
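The following is an added triage script, not part of the sandbox report, that audits a snapshot of Run-key entries for the persistence pattern above. The snapshot is constructed: the first two entries reproduce the report's Run-key IoCs, the third is a benign baseline entry added for contrast. The exact-match lists (value name syotom, directory srchasstsss), the %SystemRoot% allow-list and the heuristics are mine, not the sandbox's.

```python
"""Audit Run-key autostart entries for the persistence pattern in this report.

Added example; not part of the sandbox report. SNAPSHOT is constructed:
the first two entries reproduce the report's Run-key IoCs, the third is a
benign baseline entry added for contrast. The IoC lists and the allow-list
of %SystemRoot% subdirectories are assumptions made for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RunEntry:
    key: str    # registry key path as recorded
    name: str   # value name; "" means the key's default (unnamed) value
    data: str   # value data as stored


@dataclass(frozen=True)
class Finding:
    name: str
    exe: str
    reasons: tuple


# Exact indicators taken from this report.
IOC_VALUE_NAMES = frozenset({"syotom"})
IOC_DIRS = frozenset({"srchasstsss"})

# %SystemRoot% subdirectories that legitimately hold executables (assumed
# allow-list; extend for your estate). C:\Windows\Temp is deliberately absent
# so that autostarts pointing there are flagged too.
WINDIR_SUBDIRS_OK = frozenset({
    "system32", "syswow64", "winsxs", "microsoft.net", "servicing",
    "systemapps", "immersivecontrolpanel",
})


def executable_from_data(data: str) -> str:
    """Return the program path from Run-key data, dropping any arguments.

    Handles the quoted form '"C:\\dir with spaces\\a.exe" /x' and the
    unquoted form 'C:\\dir\\a.exe /x'. For an unquoted path the first token
    ending in .exe is taken, which is the common CreateProcess resolution.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def _parts(path: str) -> list:
    """Lower-cased path components, tolerant of / and repeated separators."""
    return [p for p in re.split(r"[\\/]+", path.lower()) if p]


def audit(entries) -> list:
    """Return one Finding per entry that trips an exact IoC or a heuristic."""
    findings = []
    for e in entries:
        exe = executable_from_data(e.data)
        p = _parts(exe)
        reasons = []
        if e.name.lower() in IOC_VALUE_NAMES:
            reasons.append("value name matches a known IoC")
        if any(d in IOC_DIRS for d in p[:-1]):
            reasons.append("path contains a known IoC directory")
        if e.name == "":
            reasons.append("data written to the key's default (unnamed) value")
        if "appdata\\local\\temp" in "\\".join(p):
            reasons.append("autostart target lives in the user's Temp directory")
        if len(p) >= 4 and p[1] == "windows" and p[2] not in WINDIR_SUBDIRS_OK:
            reasons.append(f"autostart target in non-standard %SystemRoot% subdirectory '{p[2]}'")
        if reasons:
            findings.append(Finding(e.name, exe, tuple(reasons)))
    return findings


RUN32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe"
SNAPSHOT = [
    RunEntry(RUN32, "", SAMPLE),                                        # from the report
    RunEntry(RUN32, "syotom", r"C:\WINDOWS\srchasstsss\Fobeka.exe"),   # from the report
    RunEntry(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),  # benign baseline, constructed
]

if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f"[{f.name or '(default)'}] {f.exe}")
        for r in f.reasons:
            print("   -", r)
```

The exact-IoC checks catch this sample; the Temp and non-standard-subdirectory heuristics are what would catch the next build after the directory and value name change. Run it over both the native and the WOW6432Node Run keys, since this sample only touched the latter.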
Drops file in Windows directory (5 IoCs)
  All by fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe:
    File created                 C:\WINDOWS\srchasstsss\Fobeka.bat
    File created                 C:\WINDOWS\srchasstsss\Fobeka.vbs
    File opened for modification C:\WINDOWS\IE.txt
    File created                 C:\WINDOWS\srchasstsss\V3like.vbs
    File created                 C:\WINDOWS\srchasstsss\Fobeka.exe
  Creating files under C:\WINDOWS needs administrative rights; it succeeded here because the sandbox user (Admin) is privileged, so on a standard-user host this stage would fail without elevation. Fobeka.bat and Fobeka.vbs are dropped but never appear in the process tree or in the Downloads list, so their contents are not available from this report; only Fobeka.exe and V3like.vbs are.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description adds "likely ransomware behaviour", but nothing else in this report (no mass file modification, no ransom note) supports that; treat the label as the signature's boilerplate rather than a finding about this sample.

Modifies Internet Explorer settings (18 IoCs)
  All by IEXPLORE.EXE (PIDs 4148 and 3920). HKU below stands for \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000.
    Key created       HKU\Software\Microsoft\Internet Explorer\Recovery\AdminActive
    Key created       HKU\Software\Microsoft\Internet Explorer\Main\WindowsSearch
    Set value (str)   HKU\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
    Set value (str)   HKU\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"
    Set value (int)   HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"
    Key created       HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
    Set value (int)   HKU\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
    Set value (data)  HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05f6d2e5801d901
    Key created       HKU\Software\Microsoft\Internet Explorer\Main
    Set value (data)  HKU\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
    Key created       HKU\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
    Key created       HKU\Software\Microsoft\Internet Explorer\TabbedBrowsing
    Set value (data)  HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8045bf2d5801d901
    Set value (data)  HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000346c454115efb24d973b096f263f00e100000000020000000000106600000001000020000000bf4a01e9411ab45c2cc95fe85093b8abf389a365edd7038976c9416d639684ab000000000e8000000002000020000000d898d013ed2aecbfc30a26422b4d4fde8e866aa9686446806253af5ca4b589aa2000000048cf1dba6fc687baaa6831a02dd7b1eb37755045aa4491d94c5a6bebd676a56140000000b1d5ae55a4a481cf72ec8ba8beda97aafc190a92c9959df6c71e7743eb7c6672412c64af4320be471573daa3e06c4da0b7cbaf8fa46b13bd334ed1bf95da3d5d
    Set value (int)   HKU\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{464C8891-6D4B-11ED-89AC-D2371B4A40BE} = "0"
    Set value (int)   HKU\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
    Key created       HKU\Software\Microsoft\Internet Explorer\Main
    Set value (data)  HKU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000346c454115efb24d973b096f263f00e1000000000200000000001066000000010000200000002106c39d20e9b821a9f095cef5100d05be4a11508417c1b8ecbebe9faf0d5ad9000000000e80000000020000200000005614e94ad0164b2c9909862666b0030a3747a75d2959da1a90d04388f89d78ea200000001b8b48c2365805f118435829d70a5827dacc8568ccd2406b5c477f7b4190258640000000d634f84d847f3d84dca01a6fc5bcec4ca6ecac5f2d8b4f2461650dd5ea7c145f4087e5fb22eceb95a11af87c24cb140619bf07ce432730c076328e4a16e63d4b
  These are Internet Explorer's own first-run, window-placement and session-recovery housekeeping, triggered because the sample launched IE; they are side effects of that launch, not settings the malware chose. The LastProcessed values are little-endian FILETIMEs from the run date, and the DecayDateQueue blobs are DPAPI-protected (version dword followed by the df9d8cd0-1501-11d1-8c7a-00c04fc297eb provider GUID), so they carry no indicator worth hunting for.
Modifies registry class (1 IoC)
  fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe:
    Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4844  fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe (x2)

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 4148  IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (8 IoCs)
  PID 4844  fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe (x2)
  PID 4148  IEXPLORE.EXE (x2)
  PID 3920  IEXPLORE.EXE (x4)

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4844  fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe -> PID 4736  Fobeka.exe (x3)
  PID 4844  fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe -> PID 4180  WScript.exe (x3)
  PID 4844  fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe -> PID 4148  IEXPLORE.EXE (x2)
  PID 4148  IEXPLORE.EXE -> PID 3920  IEXPLORE.EXE (x3)
  Every write targets a process the writer has just created (compare the tree below), which is what CreateProcess itself does when it sets up a child's process parameters; on its own this is not evidence of injection. Consistent with that, the family_blackmoon YARA hits are in Fobeka.exe's own image range (0x400000-0x442000), i.e. the dropped file's mapped image, not a region written into another process.
Processes

C:\Users\Admin\AppData\Local\Temp\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe"
  PID 4844
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  +-- C:\WINDOWS\srchasstsss\Fobeka.exe
        cmd: C:\WINDOWS\srchasstsss\Fobeka.exe
        PID 4736
        - Executes dropped EXE
        - Adds Run key to start application

  +-- C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\WINDOWS\srchasstsss\V3like.vbs"
        PID 4180
        (The mapped image is under SysWOW64 although the command line names System32: WOW64 file-system redirection for a 32-bit parent. Detections keyed on the image path and on the command line will see different strings for the same event; match on the image path.)

  +-- C:\Program Files\Internet Explorer\IEXPLORE.EXE
        cmd: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.naver.com
        PID 4148
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        +-- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4148 CREDAT:17410 /prefetch:2
              PID 3920
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              (This is IE's normal 32-bit tab process for the 64-bit frame process 4148; the SCODEF/CREDAT arguments are IE's own, not the sample's.)

The chain to hunt for is: an executable in the user's Temp directory spawns a second executable from a freshly created subdirectory of C:\WINDOWS, a script host running a .vbs from that same directory, and a browser pointed at www.naver.com.
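The following is an added triage script, not part of the sandbox report, that runs a few heuristics over process-creation records shaped like the tree above. EVENTS is constructed: PIDs, image paths and command lines are taken from the tree, the parent PID of the first process is an assumption, and the record fields follow a Sysmon event 1 layout that is my choice. The %SystemRoot% allow-list and the rule names are mine.

```python
"""Process-tree triage for the execution chain in this report.

Added example; not part of the sandbox report. EVENTS mirrors the tree
above (PIDs, image paths and command lines from it; the first process's
parent PID is an assumption). The allow-list of %SystemRoot% subdirectories
and the rules are heuristics written for this chain.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # path of the executable actually mapped (after any WOW64 redirection)
    cmdline: str   # command line as supplied by the parent


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# %SystemRoot% subdirectories that legitimately hold executables (assumed allow-list).
WINDIR_SUBDIRS_OK = frozenset({
    "system32", "syswow64", "winsxs", "microsoft.net", "servicing",
    "systemapps", "immersivecontrolpanel", "boot",
})
SCRIPT_HOSTS = frozenset({"wscript.exe", "cscript.exe"})
BROWSERS = frozenset({"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"})
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def _parts(path: str) -> list:
    """Lower-cased path components, tolerant of / and repeated separators."""
    return [p for p in re.split(r"[\\/]+", path.lower()) if p]


def _args(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline)]


def in_nonstandard_windir(path: str) -> bool:
    """True for C:\\Windows\\<subdir>\\... where <subdir> is not on the allow-list."""
    p = _parts(path)
    return len(p) >= 4 and p[1] == "windows" and p[2] not in WINDIR_SUBDIRS_OK


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower().replace("/", "\\")


def analyze(events) -> list:
    """Apply the rules to every event; returns Findings in event order."""
    evs = list(events)
    by_pid = {e.pid: e for e in evs}
    children = {}
    for e in evs:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in evs:
        name = ntpath.basename(e.image).lower()
        args = _args(e.cmdline)[1:]

        if in_nonstandard_windir(e.image):
            findings.append(Finding("exe_in_nonstandard_windir", e.pid, e.image))

        if name in SCRIPT_HOSTS:
            for a in args:
                if a.lower().endswith(SCRIPT_EXTS) and _parts(a)[1:2] == ["windows"]:
                    findings.append(Finding("script_host_runs_script_from_windir", e.pid, a))

        if name in BROWSERS and e.ppid in by_pid:
            parent = by_pid[e.ppid]
            pname = ntpath.basename(parent.image).lower()
            urls = [a for a in args if re.match(r"(https?://|www\.)", a, re.IGNORECASE)]
            if urls and pname not in BROWSERS and pname != "explorer.exe":
                findings.append(Finding("browser_opened_url_by_non_browser", e.pid,
                                        f"{parent.image} -> {urls[0]}"))

        # Dropper chain: a Temp-resident executable whose children include both a
        # payload in a non-standard Windows subdirectory and a script host.
        if in_user_temp(e.image):
            kids = children.get(e.pid, [])
            if (any(in_nonstandard_windir(k.image) for k in kids)
                    and any(ntpath.basename(k.image).lower() in SCRIPT_HOSTS for k in kids)):
                findings.append(Finding("temp_dropper_chain", e.pid,
                                        "children " + ", ".join(str(k.pid) for k in kids)))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fce97ef8ab70e808ba2b2817c382d657a4e0923704c1cad2bb023379220bca6c.exe"
EVENTS = [
    ProcEvent(4844, 1234, SAMPLE, '"' + SAMPLE + '"'),   # ppid 1234 is assumed; not in the report
    ProcEvent(4736, 4844, r"C:\WINDOWS\srchasstsss\Fobeka.exe", r"C:\WINDOWS\srchasstsss\Fobeka.exe"),
    # Image is SysWOW64 although the command line says System32 (WOW64 redirection).
    ProcEvent(4180, 4844, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\WINDOWS\srchasstsss\V3like.vbs"'),
    ProcEvent(4148, 4844, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.naver.com'),
    ProcEvent(3920, 4148, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4148 CREDAT:17410 /prefetch:2'),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:40} pid={f.pid}  {f.detail}")
```

The rules deliberately key on the mapped image path rather than the command line, so PID 4180 is recognised as a script host despite the System32 string in its command line, and the IE tab process (PID 3920) produces no finding because its parent is itself a browser.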
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\WINDOWS\srchasstsss\Fobeka.exe
  (also recorded under the spelling C:\Windows\srchasstsss\Fobeka.exe; same file, same hashes)
  Filesize: 86KB
  MD5: 16a11eee5b66798df236ba4f066ba795
  SHA1: eaae9ae757f995df5f3f09dc2902c80d874edd03
  SHA256: 8bed8f6d002dd96535d13e6c8ed65694fab7a7a8f61af8a146e0ab4a38e99dfc
  SHA512: a52f68e750e8e3a844f53960598a8de0754bbd914b602479f3be412e7f19c51aa50020333386ec812f15749b098572672130742e9395c07d941ebeaf84ff0771

C:\WINDOWS\srchasstsss\V3like.vbs
  Filesize: 86B
  MD5: 5e480601cc42498b764ba33a10766cbd
  SHA1: d306d8dfe2ff756996bd61d43106210cc42eeba8
  SHA256: b4d1791c17f6a9ccd5c45313b9993827e4e87ef3a68aa227c55589208ae04ffd
  SHA512: 295b5e21392c5af0f17e895f59dff4de894d37f25c6f8aa1dfe85cbfc19c177682a3d2a6be80a83cf6b737a7b196a5184ce9e24c67ae33dbda766f8bc81e216a

Memory dumps
  memory/4180-137-0x0000000000000000-mapping.dmp
  memory/4736-132-0x0000000000000000-mapping.dmp
  memory/4736-136-0x0000000000400000-0x0000000000442000-memory.dmp   Filesize: 264KB
  memory/4736-140-0x0000000000400000-0x0000000000442000-memory.dmp   Filesize: 264KB
  memory/4844-135-0x0000000000400000-0x00000000004DA000-memory.dmp   Filesize: 872KB
  memory/4844-139-0x0000000000400000-0x00000000004DA000-memory.dmp   Filesize: 872KB

The memory dumps cover each process's image range at 0x400000 (0x42000 bytes = 264KB for Fobeka.exe, 0xDA000 bytes = 872KB for the parent), taken twice in the run; the in-memory images are considerably larger than the 86KB and 311KB files on disk. The family_blackmoon match was recorded against the 4736 dumps; whether the rule also fires on the on-disk Fobeka.exe is not shown in this report, so hash-based hunting should use the SHA256 of Fobeka.exe above while YARA-based hunting should be run against process memory as well as files. The V3like.vbs content (86 bytes) is not reproduced in the report.