d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24

General

Target

d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe
Size

666KB
MD5

85c94e53d9907709e95cbfae70aafba8
SHA1

77f758aeab862c7de7cd20c6f8897c7c3d5e7b3d
SHA256

d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24
SHA512

bb259d2d99aca5975ed21e8ebe4e75bf702bd62b0e6d5f9539f9276000f1005e47e870108b53113b1cc2b82ec04d59d6a2bd29b5ebd3e966439351d0bed229da
SSDEEP

12288:nsaY8rxqXqavGpFCFkguX9M6Pqh11JDf19mP+YWKzAWwKztPF+3TsyZ/PJTbpGrW:B/rxiY8kguXrPqVJDf1UP+WzEKztPY3J

Score

8^/10

aspackv2 discovery upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	aspack_v212_v242
C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	aspack_v212_v242

Executes dropped EXE 4 IoCs

Processes:

FPlayer.exefldingdang.exeÆô¶¯.exegamedmon.exe

pid process

2108 FPlayer.exe
1536 fldingdang.exe
4504 Æô¶¯.exe
3624 gamedmon.exe

pid	process
2108	FPlayer.exe
1536	fldingdang.exe
4504	Æô¶¯.exe
3624	gamedmon.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4688-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Temp\fldingdang.exe	upx
behavioral2/memory/4688-139-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Temp\fldingdang.exe	upx
behavioral2/memory/1536-140-0x0000000000380000-0x0000000000437000-memory.dmp	upx
behavioral2/memory/1536-155-0x0000000000380000-0x0000000000437000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exefldingdang.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fldingdang.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

fldingdang.exeÆô¶¯.exe

description	ioc	process
File created	C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe	fldingdang.exe
File created	C:\Program Files (x86)\Æô¶¯\Uninstall.exe	fldingdang.exe
File opened for modification	C:\Program Files (x86)\Æô¶¯\s_svost.ini	Æô¶¯.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fldingdang.exegamedmon.exe

pid process

1536 fldingdang.exe
1536 fldingdang.exe
3624 gamedmon.exe
3624 gamedmon.exe
3624 gamedmon.exe
3624 gamedmon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fldingdang.exe

description pid process

Token: SeIncBasePriorityPrivilege 1536 fldingdang.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

FPlayer.exe

pid process

2108 FPlayer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

FPlayer.exe

pid process

2108 FPlayer.exe

pid	process
1536	fldingdang.exe
1536	fldingdang.exe
3624	gamedmon.exe
3624	gamedmon.exe
3624	gamedmon.exe
3624	gamedmon.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1536	fldingdang.exe

pid	process
2108	FPlayer.exe

pid	process
2108	FPlayer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exefldingdang.exe

description	pid	process	target process
PID 4688 wrote to memory of 2108	4688	d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe	FPlayer.exe
PID 4688 wrote to memory of 2108	4688	d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe	FPlayer.exe
PID 4688 wrote to memory of 2108	4688	d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe	FPlayer.exe
PID 4688 wrote to memory of 1536	4688	d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe	fldingdang.exe
PID 4688 wrote to memory of 1536	4688	d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe	fldingdang.exe
PID 4688 wrote to memory of 1536	4688	d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe	fldingdang.exe
PID 1536 wrote to memory of 4504	1536	fldingdang.exe	Æô¶¯.exe
PID 1536 wrote to memory of 4504	1536	fldingdang.exe	Æô¶¯.exe
PID 1536 wrote to memory of 4504	1536	fldingdang.exe	Æô¶¯.exe
PID 1536 wrote to memory of 3624	1536	fldingdang.exe	gamedmon.exe
PID 1536 wrote to memory of 3624	1536	fldingdang.exe	gamedmon.exe
PID 1536 wrote to memory of 3624	1536	fldingdang.exe	gamedmon.exe
PID 1536 wrote to memory of 1416	1536	fldingdang.exe	cmd.exe
PID 1536 wrote to memory of 1416	1536	fldingdang.exe	cmd.exe
PID 1536 wrote to memory of 1416	1536	fldingdang.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe
"C:\Users\Admin\AppData\Local\Temp\d7f1a4d46a327b0e699cc6c63c33dfd470d7c7bd702ae34adb1c1ccc04a81e24.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\Temp\FPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\FPlayer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2108

C:\Users\Admin\AppData\Local\Temp\Temp\fldingdang.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\fldingdang.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe
"C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4504

C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe -startgame
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\Temp\FLDING~1.EXE > nul
3⤵
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe
Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
C:\Program Files (x86)\Æô¶¯\Æô¶¯.exe
Filesize
207KB

MD5
d05bab4eed7e0f4659a18d589613893c

SHA1
2495403145df0b13cbb18d5f7cbe7c4e2799783a

SHA256
30263fc7eb2879ce63b36176701a4799dc5cec2d32fa5b661f6f835258b65881

SHA512
2f7479bfc72d0e0da46d77d1a64649d1c3672352cc78d517025f57fd39c522c8dc07b30008b1b72c260a767b67e628f655fce5c7b17c5fad18ec961321c5a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\FPlayer.exe
Filesize
518KB

MD5
3a8d575e7cc1ea941c3a0d6694cd3973

SHA1
02b3230726255da27f118ad94871c755606ee8af

SHA256
fc4c433f2456ec6f738a18766ff384e92838c07836f1e35acdbf5d0221121dd6

SHA512
d9421d36138300234a8dfb9cb5dc472b483f4d91489332b44f75d334dce35e65c32f4684a0ff7d473444933a1d0105b44aded44d68203fb2a8dd2e657b2a42aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\FPlayer.exe
Filesize
518KB

MD5
3a8d575e7cc1ea941c3a0d6694cd3973

SHA1
02b3230726255da27f118ad94871c755606ee8af

SHA256
fc4c433f2456ec6f738a18766ff384e92838c07836f1e35acdbf5d0221121dd6

SHA512
d9421d36138300234a8dfb9cb5dc472b483f4d91489332b44f75d334dce35e65c32f4684a0ff7d473444933a1d0105b44aded44d68203fb2a8dd2e657b2a42aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\fldingdang.exe
Filesize
370KB

MD5
555eb1258a03101431ee0aa12601c0fa

SHA1
f9f45d55119166b3feff8e558aabef7b995f823f

SHA256
11f83f25ced1d98a7e4a6841f249ac34b7a4eda48dcd57a727ef2f8afd75c1e4

SHA512
ef438dcb8c5df7eacb4421e518de58e6ce9b44812a3d71261ef6a2d8b091db2cfffdcb4dd46a0663be3bb83ac2c9cf3864abaa079d1b80644f35025f4f875471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\fldingdang.exe
Filesize
370KB

MD5
555eb1258a03101431ee0aa12601c0fa

SHA1
f9f45d55119166b3feff8e558aabef7b995f823f

SHA256
11f83f25ced1d98a7e4a6841f249ac34b7a4eda48dcd57a727ef2f8afd75c1e4

SHA512
ef438dcb8c5df7eacb4421e518de58e6ce9b44812a3d71261ef6a2d8b091db2cfffdcb4dd46a0663be3bb83ac2c9cf3864abaa079d1b80644f35025f4f875471

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
Filesize
172KB

MD5
3e1a414085f1af732476f6baf117f257

SHA1
a777d108a240feb8377b86ae82524e632d7108df

SHA256
ded9df35656f0270631aa5b5e4a0ac51d39cb9e47b1b90000030630fc6063084

SHA512
7f7ab919dd1bde913bee0df09677c360a17f619a7b69456b29d77d27a893b8147a60e84456c8d04688ff6ee6a0cafafda528b2523c3041cb32001f02b97f0ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gamedmon.exe
Filesize
172KB

MD5
3e1a414085f1af732476f6baf117f257

SHA1
a777d108a240feb8377b86ae82524e632d7108df

SHA256
ded9df35656f0270631aa5b5e4a0ac51d39cb9e47b1b90000030630fc6063084

SHA512
7f7ab919dd1bde913bee0df09677c360a17f619a7b69456b29d77d27a893b8147a60e84456c8d04688ff6ee6a0cafafda528b2523c3041cb32001f02b97f0ae6

Download Submit
memory/1416-154-0x0000000000000000-mapping.dmp

Download
memory/1536-140-0x0000000000380000-0x0000000000437000-memory.dmp

Filesize
732KB

Download
memory/1536-155-0x0000000000380000-0x0000000000437000-memory.dmp

Filesize
732KB

Download
memory/1536-136-0x0000000000000000-mapping.dmp

Download
memory/2108-133-0x0000000000000000-mapping.dmp

Download
memory/3624-145-0x0000000000000000-mapping.dmp

Download
memory/4504-151-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4504-146-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4504-150-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4504-152-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4504-153-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4504-144-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4504-141-0x0000000000000000-mapping.dmp

Download
memory/4504-156-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4504-157-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4688-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4688-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads