Overview

overview

8

Static

static

f09512423d...ae.exe

windows7-x64

8

f09512423d...ae.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/12/2022, 15:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe

  • Size

    1.9MB

  • MD5

    30eaa685e0d2d0f85c65b1cc451c65dc

  • SHA1

    659dfd4fd4a1e936ea05998df8fa05007f703308

  • SHA256

    f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae

  • SHA512

    79fc813ccebd6e5693adc0c9a8f8892275ac0d1e18e7bc31f135a4f2f559d6348521d157239b652e2c879adf2539372451a3f05a915e79df5e1fd10e619dcf5a

  • SSDEEP

    49152:52OH89KmXrqT/VOB9raKOKJAw0tpKJIoMbwH0vU2AU/iQ2N5d8K5:52YaKmbgUraMJP0tUJGbwUNWt5

Score
8/10
discovery

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe
        "C:\Users\Admin\AppData\Local\Temp\f09512423dbc9686a28213a5001494c4ccd8ff77afb73a957ce5cb44c02cf2ae.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe
          "C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4356
        • C:\Program Files (x86)\100k1Cheat\runme.exe
          "C:\Program Files (x86)\100k1Cheat\runme.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          PID:260
        • C:\Program Files (x86)\100k1Cheat\4konya.exe
          "C:\Program Files (x86)\100k1Cheat\4konya.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Program Files directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4804
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat" "
            4⤵
            • Drops file in Drivers directory
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1072
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs"
              5⤵
              • Drops file in Drivers directory
              PID:1984
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs"
              5⤵
                PID:1812
          • C:\Program Files (x86)\100k1Cheat\mac.exe
            "C:\Program Files (x86)\100k1Cheat\mac.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:936
            • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
              dw20.exe -x -s 1576
              4⤵
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:4940
      • C:\PROGRA~3\Mozilla\fabyope.exe
        C:\PROGRA~3\Mozilla\fabyope.exe -pbtetmh
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 556
          2⤵
          • Program crash
          PID:672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1512 -ip 1512
        1⤵
          PID:4160

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\PROGRA~3\Mozilla\fabyope.exe
          Filesize

          171KB

          MD5

          373c8e014449a379b8b630882dc7e33b

          SHA1

          2eddbd53f2a4c8efe671162ee89ef469a1fc4813

          SHA256

          d5da209decd9aa04b7340a187f97b303ec0085a35c388cde7c1ebfcf3c72d0d2

          SHA512

          e8aef9df46e9d0b0eeccdd475a62dcea68ff3330387238d7d3f692483774d6059c7e3dbe0441b6c214e7b16562bf48332ca7c34fe08a29e798e0342703cdc3d8

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe
          Filesize

          1.3MB

          MD5

          be3a5557474d103e6f1ee8367a9e2140

          SHA1

          54289142391461e1fa2038c2edfaad3e693196d1

          SHA256

          dcf11b6d55aacddcd84d003bdb0540f49473aca37637da1ca5cdacbee4f51f39

          SHA512

          027963f6cee8e48bca35e1bf0df37eb6041634821093ffb0c76ce7634cef108dceee731265b9d2238bb2353e44e2b7f5592c4f0d56051048e053981ac8a71d09

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\100k1Cheat.exe
          Filesize

          1.3MB

          MD5

          be3a5557474d103e6f1ee8367a9e2140

          SHA1

          54289142391461e1fa2038c2edfaad3e693196d1

          SHA256

          dcf11b6d55aacddcd84d003bdb0540f49473aca37637da1ca5cdacbee4f51f39

          SHA512

          027963f6cee8e48bca35e1bf0df37eb6041634821093ffb0c76ce7634cef108dceee731265b9d2238bb2353e44e2b7f5592c4f0d56051048e053981ac8a71d09

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\4konya.exe
          Filesize

          158KB

          MD5

          07373d3d78d48c0f53b85ad58f24e5bb

          SHA1

          a5b4973d41478b08002b7b5382e34c78ff10eb9c

          SHA256

          e0261994d918a82b593978e14ab648dd584a2a2b90800ffc629cb7690882f46c

          SHA512

          f29461e0fa9ef36aff0f1a3e9d1f8ae28209629c7281d4bd153d6766275eb2d0544c6c132da9029b47c64ca80c52b46281a78a5a9bc8cd11bcffe63f301c2fc9

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\4konya.exe
          Filesize

          158KB

          MD5

          07373d3d78d48c0f53b85ad58f24e5bb

          SHA1

          a5b4973d41478b08002b7b5382e34c78ff10eb9c

          SHA256

          e0261994d918a82b593978e14ab648dd584a2a2b90800ffc629cb7690882f46c

          SHA512

          f29461e0fa9ef36aff0f1a3e9d1f8ae28209629c7281d4bd153d6766275eb2d0544c6c132da9029b47c64ca80c52b46281a78a5a9bc8cd11bcffe63f301c2fc9

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\Interop.IWshRuntimeLibrary.dll
          Filesize

          48KB

          MD5

          d923d4b8d2eba5847c92b8fdd3a0378f

          SHA1

          e99c5b639918616d41e06f1274c6ec5b9706c706

          SHA256

          73de6d8cd7795bed2fe4dd894a3febfc0083b7916b9bedc77a61fa1d23deee84

          SHA512

          2fcc23f1fa829fada9e77814af8062a077871128eddc6233c8bf1673af1ee0475489d2c6b8585e1d4066f2acf0657e024ac7fa93659c0ca0fb68bf582ce068bf

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\mac.exe
          Filesize

          86KB

          MD5

          47af31afd8658aa7924283ce9f33ab0c

          SHA1

          bffc90a3ad32d6b085972a1401563bdafc97cd14

          SHA256

          041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

          SHA512

          4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\mac.exe
          Filesize

          86KB

          MD5

          47af31afd8658aa7924283ce9f33ab0c

          SHA1

          bffc90a3ad32d6b085972a1401563bdafc97cd14

          SHA256

          041ee5479c2fd3df52c3ece70f6948eadb200aee7ad2cbaa7b25326383cddd95

          SHA512

          4b1b101bc3bbf14ce31f8d6620467e1d812fc220e46ac580c8c77fe71ba45f75876365f71bdbee871374a7c19c5e0160a376a55c9b428db6f61644d9c3e3a695

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\runme.exe
          Filesize

          171KB

          MD5

          42d8ddd16cba2f8b650e6bf22d863314

          SHA1

          739682da0289f88dc2f8b91f06afb647973febe6

          SHA256

          5eca8093d677fc3c6c42e5b5d14e1f05164844bf5fcf5789ca60a6ad9d479e17

          SHA512

          5ddb9dd75d921e07ee64d29bf8f3b6fb80550dded14731cbde7109151cb8abedd6049cdacdfe6dd2daaa30d5d6a0c11b4ce6caff0396b56f9a35390c54e32d75

          Download Submit

        • C:\Program Files (x86)\100k1Cheat\runme.exe
          Filesize

          171KB

          MD5

          42d8ddd16cba2f8b650e6bf22d863314

          SHA1

          739682da0289f88dc2f8b91f06afb647973febe6

          SHA256

          5eca8093d677fc3c6c42e5b5d14e1f05164844bf5fcf5789ca60a6ad9d479e17

          SHA512

          5ddb9dd75d921e07ee64d29bf8f3b6fb80550dded14731cbde7109151cb8abedd6049cdacdfe6dd2daaa30d5d6a0c11b4ce6caff0396b56f9a35390c54e32d75

          Download Submit

        • C:\Program Files (x86)\Hn\Ip\indurk.akk
          Filesize

          52B

          MD5

          7aa07f785cfc0913e892ce24cb5c8e94

          SHA1

          91d6ce52e1af94cd41d2dd0a6d3d455433c275cc

          SHA256

          c10db1061105cddf2b206975d9f4f435622e40f86d56102755a5d7b149b0e2a8

          SHA512

          86359083430e1c48a0f5b98934d38fcfd8df76b60b72d7bda5ac6a865a4276fdbdf8a65398b60e9bbff56b54098a2f59077a33037ed1145a4b0a2dba23b3eaaa

          Download Submit

        • C:\Program Files (x86)\Hn\Ip\nash_sitee.vbs
          Filesize

          1KB

          MD5

          e4b07c4d8c2a30fd33975ca46684ce70

          SHA1

          c31d3591f02a3ffa9f830a5de658f8963638573e

          SHA256

          f1a9e5597d260ae2412ab0b58a68f696d50cbe64bc8b8c80cec843d18d5d6fdc

          SHA512

          c2d088174d5fbd79d1736019bdd78109f9462b649da079a6a3c123f15f1c9b1d4c0660c9b703eba83cb474bd789b769f4270a2e9a714d68beac355ee2e45c9ac

          Download Submit

        • C:\Program Files (x86)\Hn\Ip\nechelovecheskieebanyai.bat
          Filesize

          1KB

          MD5

          903c3fde8f34ea51a43f4bd6ef8d1ca4

          SHA1

          3d1c08f85c9a0d21a3939736ec7a2d8e31e6e266

          SHA256

          64e6320a38d34becae991604650ab485b92f3c7f5fdbd50e4abe2e2cfab47ee8

          SHA512

          aa29b9acdb1f5b85ecc413f0caab022aa16568f81709f66cb9376ed3d7c679763e2d200ffb82547111f2c7fa557cd904a028b21d0a5bf5662614e748df859577

          Download Submit

        • C:\Program Files (x86)\Hn\Ip\poajfmas.dd
          Filesize

          27B

          MD5

          213c0742081a9007c9093a01760f9f8c

          SHA1

          df53bb518c732df777b5ce19fc7c02dcb2f9d81b

          SHA256

          9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

          SHA512

          55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

          Download Submit

        • C:\Program Files (x86)\Hn\Ip\sklspaanngwdf.vbs
          Filesize

          162B

          MD5

          5f382b9588ea4f91896c681fb07d0c4c

          SHA1

          84fd66ccc46556b7fb80a79a9c803a3fee54a929

          SHA256

          d0b58b45574fc822e7551096a35e93c7ebae8219696dd165dfc3796119396944

          SHA512

          5d2e845cfbe8ce2980ab4bfb528105a7198ee4134348437eb2d50d34f1e49dc3be7a94605c41d9c2956ac7cee61dc02b8088b2a277388c4f3171caf97dc8efac

          Download Submit

        • C:\ProgramData\Mozilla\fabyope.exe
          Filesize

          171KB

          MD5

          373c8e014449a379b8b630882dc7e33b

          SHA1

          2eddbd53f2a4c8efe671162ee89ef469a1fc4813

          SHA256

          d5da209decd9aa04b7340a187f97b303ec0085a35c388cde7c1ebfcf3c72d0d2

          SHA512

          e8aef9df46e9d0b0eeccdd475a62dcea68ff3330387238d7d3f692483774d6059c7e3dbe0441b6c214e7b16562bf48332ca7c34fe08a29e798e0342703cdc3d8

          Download Submit

        • C:\Windows\System32\drivers\etc\hosts
          Filesize

          1KB

          MD5

          868bd8c2d043aea8fc42de40a454ddf5

          SHA1

          3010c74068a905aa5fa3539b8c5ec3e022608dc8

          SHA256

          3c03898e7ba201e7b9a9ca787ee4507b034f64f803e8b17198790281a08f5e82

          SHA512

          201995705b4f679dfb7974246e92c7e4e5944ae71d5e4ea98864b0450ae9975922827e0a6e62c00cad2c1e878e4586671d2f335faf9a7b5089e6f1ae45a6ac06

          Download Submit

        • memory/260-144-0x00000000020D0000-0x000000000212F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/260-157-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/260-159-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/260-145-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/936-149-0x00007FFC85F70000-0x00007FFC869A6000-memory.dmp

          Filesize

          10.2MB

          Download

        • memory/1512-162-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/1512-161-0x0000000001F40000-0x0000000001F9F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/1512-165-0x0000000000400000-0x000000000045F000-memory.dmp

          Filesize

          380KB

          Download

        • memory/2212-164-0x0000000000C80000-0x0000000000C9C000-memory.dmp

          Filesize

          112KB

          Download