880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1

Analysis

max time kernel
152s
max time network
140s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe
Size

974KB
MD5

e60e92bd14d49e88a8d88158500af069
SHA1

f451a07adab605cc9ff4910532cd08febf12769d
SHA256

880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1
SHA512

a13a1160e2764a76d0d951a593ae9c5627c102eb822538acc62b40afa135d42a6308d4265218190bf3b46362d3e2f357068e26f6f846006e7de909f69c508cf8
SSDEEP

12288:vhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4atDO9vJ/dXL+s8KFJG1GuK:1RmJkcoQricOIQxiZY1iat69lZ+m6wz

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
680	fuko.exe
760	fuko.exe

Deletes itself 1 IoCs

pid	Process
968	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	fuko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5E42621D-7DEE-6D93-BC89-5FBA6BE7BEB1} = "C:\\Users\\Admin\\AppData\\Roaming\\Yrlet\\fuko.exe"	fuko.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a000000012326-69.dat	autoit_exe
behavioral1/files/0x000a000000012326-67.dat	autoit_exe
behavioral1/files/0x000a000000012326-71.dat	autoit_exe
behavioral1/files/0x000a000000012326-80.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 680 set thread context of 760	680	fuko.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe
760	fuko.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe
Token: SeSecurityPrivilege	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe
Token: SeSecurityPrivilege	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 940 wrote to memory of 1068	940	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	28
PID 1068 wrote to memory of 680	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	29
PID 1068 wrote to memory of 680	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	29
PID 1068 wrote to memory of 680	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	29
PID 1068 wrote to memory of 680	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	29
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 680 wrote to memory of 760	680	fuko.exe	30
PID 760 wrote to memory of 1216	760	fuko.exe	18
PID 760 wrote to memory of 1216	760	fuko.exe	18
PID 760 wrote to memory of 1216	760	fuko.exe	18
PID 760 wrote to memory of 1216	760	fuko.exe	18
PID 760 wrote to memory of 1216	760	fuko.exe	18
PID 760 wrote to memory of 1304	760	fuko.exe	17
PID 760 wrote to memory of 1304	760	fuko.exe	17
PID 760 wrote to memory of 1304	760	fuko.exe	17
PID 760 wrote to memory of 1304	760	fuko.exe	17
PID 760 wrote to memory of 1304	760	fuko.exe	17
PID 760 wrote to memory of 1376	760	fuko.exe	16
PID 760 wrote to memory of 1376	760	fuko.exe	16
PID 760 wrote to memory of 1376	760	fuko.exe	16
PID 760 wrote to memory of 1376	760	fuko.exe	16
PID 760 wrote to memory of 1376	760	fuko.exe	16
PID 760 wrote to memory of 1068	760	fuko.exe	28
PID 760 wrote to memory of 1068	760	fuko.exe	28
PID 760 wrote to memory of 1068	760	fuko.exe	28
PID 760 wrote to memory of 1068	760	fuko.exe	28
PID 760 wrote to memory of 1068	760	fuko.exe	28
PID 1068 wrote to memory of 968	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	31
PID 1068 wrote to memory of 968	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	31
PID 1068 wrote to memory of 968	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	31
PID 1068 wrote to memory of 968	1068	880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe	31
PID 760 wrote to memory of 968	760	fuko.exe	31
PID 760 wrote to memory of 968	760	fuko.exe	31
PID 760 wrote to memory of 1688	760	fuko.exe	33
PID 760 wrote to memory of 1688	760	fuko.exe	33
PID 760 wrote to memory of 1688	760	fuko.exe	33
PID 760 wrote to memory of 1688	760	fuko.exe	33
PID 760 wrote to memory of 1688	760	fuko.exe	33
PID 760 wrote to memory of 328	760	fuko.exe	34
PID 760 wrote to memory of 328	760	fuko.exe	34
PID 760 wrote to memory of 328	760	fuko.exe	34
PID 760 wrote to memory of 328	760	fuko.exe	34
PID 760 wrote to memory of 328	760	fuko.exe	34
PID 760 wrote to memory of 2040	760	fuko.exe	35
PID 760 wrote to memory of 2040	760	fuko.exe	35
PID 760 wrote to memory of 2040	760	fuko.exe	35
PID 760 wrote to memory of 2040	760	fuko.exe	35
PID 760 wrote to memory of 2040	760	fuko.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe
  "C:\Users\Admin\AppData\Local\Temp\880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe
    "C:\Users\Admin\AppData\Local\Temp\880339c97ae7f35a39960bf9dc56b6ad7f38b8cfc9ea30a258656925f3908bf1.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Users\Admin\AppData\Roaming\Yrlet\fuko.exe
      "C:\Users\Admin\AppData\Roaming\Yrlet\fuko.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Users\Admin\AppData\Roaming\Yrlet\fuko.exe
        
        "C:\Users\Admin\AppData\Roaming\Yrlet\fuko.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2b3fe86c.bat"
      4⤵
      Deletes itself
      PID:968

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1304

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2b3fe86c.bat

Filesize
307B

MD5
90abb76f3a17f3296b30cd1b35d06fea

SHA1
7e52c7b2d772378f03a54fbc72650e37d7674ea3

SHA256
e29dce31aeb8960034cef4ee3c55892e4588221e1658d16848b6bfed3757a951

SHA512
2a863b9613ce04d7c4152c352d048175033726ed3c9d9ef201ece4eaeb8cf1dbbdf91fc1b40556a4358193ee237fc75e406c3a2d7af332544d8acda82d6deceb

Download Submit
C:\Users\Admin\AppData\Roaming\Owmyu\idefi.wum

Filesize
398B

MD5
7af35a184c0be60760da5919ea888b54

SHA1
7e553008296e77309a20884482373c1a6439d034

SHA256
18f3cfb4c4bd3c7a34bdc7149973f1ef98b1829670f2f8dec9644841a138257d

SHA512
3966c08ec41af895fcb5f36ca77e2a88bab6236403724ee5e8a6b133a90ec12822229b4770ae7e2db2f51d7ffa7def1ae8c0196452bf03fd7cc095be33165ecf

Download Submit
C:\Users\Admin\AppData\Roaming\Yrlet\fuko.exe

Filesize
974KB

MD5
7760ee04a2a47a4df923ae7e66f54cd0

SHA1
4b9a0ffdab57532152c7ab9fba3efc204dc79452

SHA256
ff261e40f5a991e2e973c2219a22f9110fff2aca57a40c299bc5ff125ee00de2

SHA512
67ba13dd8732f73344a4494cc2e24c299f8c424f8de2835169fa5bdec6c2b3204ca27f05b3575d15a5202bc14de535c34228500f36a4f9d11aee9568bab5a528

Download Submit
C:\Users\Admin\AppData\Roaming\Yrlet\fuko.exe

Filesize
974KB

MD5
7760ee04a2a47a4df923ae7e66f54cd0

SHA1
4b9a0ffdab57532152c7ab9fba3efc204dc79452

SHA256
ff261e40f5a991e2e973c2219a22f9110fff2aca57a40c299bc5ff125ee00de2

SHA512
67ba13dd8732f73344a4494cc2e24c299f8c424f8de2835169fa5bdec6c2b3204ca27f05b3575d15a5202bc14de535c34228500f36a4f9d11aee9568bab5a528

Download Submit
C:\Users\Admin\AppData\Roaming\Yrlet\fuko.exe

Filesize
974KB

MD5
7760ee04a2a47a4df923ae7e66f54cd0

SHA1
4b9a0ffdab57532152c7ab9fba3efc204dc79452

SHA256
ff261e40f5a991e2e973c2219a22f9110fff2aca57a40c299bc5ff125ee00de2

SHA512
67ba13dd8732f73344a4494cc2e24c299f8c424f8de2835169fa5bdec6c2b3204ca27f05b3575d15a5202bc14de535c34228500f36a4f9d11aee9568bab5a528

Download Submit
\Users\Admin\AppData\Roaming\Yrlet\fuko.exe

Filesize
974KB

MD5
7760ee04a2a47a4df923ae7e66f54cd0

SHA1
4b9a0ffdab57532152c7ab9fba3efc204dc79452

SHA256
ff261e40f5a991e2e973c2219a22f9110fff2aca57a40c299bc5ff125ee00de2

SHA512
67ba13dd8732f73344a4494cc2e24c299f8c424f8de2835169fa5bdec6c2b3204ca27f05b3575d15a5202bc14de535c34228500f36a4f9d11aee9568bab5a528

Download Submit
memory/328-127-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/328-126-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/328-128-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/328-129-0x0000000003B50000-0x0000000003B77000-memory.dmp

Filesize
156KB

Download
memory/680-68-0x0000000000000000-mapping.dmp

Download
memory/760-117-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/760-107-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/760-79-0x0000000000413048-mapping.dmp

Download
memory/940-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/968-115-0x00000000000F0000-0x0000000000117000-memory.dmp

Filesize
156KB

Download
memory/968-109-0x0000000000000000-mapping.dmp

Download
memory/1068-111-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1068-62-0x0000000000413048-mapping.dmp

Download
memory/1068-103-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1068-104-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1068-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-105-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1068-110-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1068-106-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1068-108-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1216-85-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1216-87-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1216-88-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1216-86-0x0000000001D20000-0x0000000001D47000-memory.dmp

Filesize
156KB

Download
memory/1304-91-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1304-94-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1304-93-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1304-92-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1376-98-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/1376-100-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/1376-99-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/1376-97-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/1688-121-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1688-122-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1688-123-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1688-120-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2040-132-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/2040-134-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/2040-133-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download