f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97

General

Target

f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
Size

242KB
MD5

fab2d88012d051aeea33412cef4268d1
SHA1

5bf033fffbdc7ecaee45bde287e2590e5eb2babe
SHA256

f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97
SHA512

9c525b59e3f16c7d826dfd650da92b805019e03b23781ff9b9a2870b5893413bdfba23d8fc6bc0f2547d8b2b10e9f3b44ffdc1ae7060bf636bf42d0364fdbdf9
SSDEEP

6144:LZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876ne4WLIM1xpYf3NuindBAUOo3UrT:NXmwRo+mv8QD4+0N460IM1xpYUi3BUH

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	4936	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FastSocks\Slowbag\Uninstall.ini	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
File opened for modification	C:\Program Files (x86)\FastSocks\Slowbag\bat2.bat	cmd.exe
File opened for modification	C:\Program Files (x86)\FastSocks\Slowbag\islamabad.vbs	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
File opened for modification	C:\Program Files (x86)\FastSocks\Slowbag\straho.bat	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
File opened for modification	C:\Program Files (x86)\FastSocks\Slowbag\2.txt	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
File opened for modification	C:\Program Files (x86)\FastSocks\Slowbag\1.txt	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
File opened for modification	C:\Program Files (x86)\FastSocks\Slowbag\ebala.vbs	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
File opened for modification	C:\Program Files (x86)\FastSocks\Slowbag\Uninstall.exe	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 2132	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	81
PID 3208 wrote to memory of 2132	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	81
PID 3208 wrote to memory of 2132	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	81
PID 3208 wrote to memory of 4936	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	84
PID 3208 wrote to memory of 4936	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	84
PID 3208 wrote to memory of 4936	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	84
PID 3208 wrote to memory of 5116	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	85
PID 3208 wrote to memory of 5116	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	85
PID 3208 wrote to memory of 5116	3208	f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe	85
PID 5116 wrote to memory of 4928	5116	cmd.exe	87
PID 5116 wrote to memory of 4928	5116	cmd.exe	87
PID 5116 wrote to memory of 4928	5116	cmd.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe
"C:\Users\Admin\AppData\Local\Temp\f4df251d09797a1b69c327573b05ee9512dfb761ed11917c0939da7280291e97.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\FastSocks\Slowbag\straho.bat" "
  2⤵
  - Drops file in Drivers directory
  - Drops file in Program Files directory
  PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\FastSocks\Slowbag\islamabad.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\FastSocks\Slowbag\bat2.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Views/modifies file attributes
    PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FastSocks\Slowbag\1.txt

Filesize
15B

MD5
777a854df0adcffec036bcdcc45e9723

SHA1
8a2d50a0dc9eb61db557ffcd0cc0911ad6de61e6

SHA256
b3d92955161be5003e0e16404acdeed4fd5bef7af44b5063750e75f0fdc593c7

SHA512
a23cb933beb1ba4f34304ec283b7004213c93af4a9ee41181bc11e5faf5273eb3122840c2c8629f65f301e9128e3a2c43d0fcc2fdbbd4ab1801e990503c9f747

Download Submit
C:\Program Files (x86)\FastSocks\Slowbag\2.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\FastSocks\Slowbag\bat2.bat

Filesize
50B

MD5
52b526cef903783926b990c87b45249c

SHA1
7ab119739819043cdc3aede0bf859f321f3fbf79

SHA256
76abbf045426ecd5254475cd128ef24a321addd949144ced50287ff82d818c68

SHA512
76c20e128943c322e50727ed680b67ba1b92eac6ddb2361bdee100bcebbb2aa287056ddfd19edd5c672b1687604264a894de163d99c0581524b44466ea9f4cc4

Download Submit
C:\Program Files (x86)\FastSocks\Slowbag\islamabad.vbs

Filesize
234B

MD5
12d92420f6b28793d422773219ec1d59

SHA1
42255f80fd3a105d9c7f98044b23becba6a8c95c

SHA256
dccf019a4168a91ed9b7ed78d2c3cf3c6348d66ae32478618d0aec062051a662

SHA512
c49d51114930c7d10b55d84e8b6a22b78001e152ec5d12e25492edf344c9c98995542ae1b20c131cb18f27e3a43e9ac433451e96c765f07b99c9b78fb201ab55

Download Submit
C:\Program Files (x86)\FastSocks\Slowbag\straho.bat

Filesize
1KB

MD5
dd9cc75d259ead7c2cfc0dddccb89fd4

SHA1
a134fee11d3b6bdf7d78f9fe4b3b656d6913b967

SHA256
d4ca87cb0c1473d50a98f843364abaab708e784a99624d9f1189c58090bed112

SHA512
378ea8e560bbabd4fd6c519970f2bece862eb83d11bde27eba812d0cb7564284f13e846e1b97a26e173d8d1ee220e6fa351b4eb988889f00e56bb0ca09e33983

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads