fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6

General

Target

fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
Size

11KB
MD5

73a906234f74026f30897fc291e270f0
SHA1

f86253f272089269e2bc569d63246e12992e754b
SHA256

fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6
SHA512

d0dbae34800bfbf281ca5c4b624697597576ab47940daa26246e5d488ec5fbb22ce4cc0cabc382c7fa662af0112ff8ae04df836c6b40f36fe16c2b81d8c89cb3
SSDEEP

192:B0dK4TA90YN2aqXzQ1bC9WP5BIRJMgwrSPYjXidSx7cu24ap:BDyYN6XzQ5jBgdeidSx7ZDY

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\chike.dll"	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe

Loads dropped DLL 2 IoCs

pid	Process
3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
3004	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\chike.dll	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
File opened for modification	C:\Windows\SysWOW64\chike.dll	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
3004	svchost.exe
3004	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 4948	3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe	80
PID 3208 wrote to memory of 4948	3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe	80
PID 3208 wrote to memory of 4948	3208	fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe	80

C:\Users\Admin\AppData\Local\Temp\fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe
"C:\Users\Admin\AppData\Local\Temp\fc5b24f3de2108e94d3b7103f31cbf4607358625a1e836b5b472bcd064c9c4a6.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240589078.bat" "
  2⤵
  PID:4948

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240589078.bat

Filesize
295B

MD5
3cd43d8f673e909959a1248004ed8e35

SHA1
412043eca7c275f1dd2a3f69bca8d2003ed9c077

SHA256
9d28e5d006990edc18c5ff516cfdfd1f86fba76c88b32b44789836bd2c8971bc

SHA512
d6bbf7af9c88a8d57b7d0a0db68876e0876e8db7b7426d4532bc73f852520f1cd3f6329687a67cbb22a6cdeb1636f3cbd4833c4fb58097f7d614f116fdf5ea1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll859.dll

Filesize
19KB

MD5
a09c89c56a528ece56e3070782390fef

SHA1
dac3a77822a4b55e839b33268f80660dae26d8e9

SHA256
aaa5f26b7953bb6d9fce20233a77a55c7e040ab2ee1ad7277a1d2ac422732768

SHA512
63746e350723a36a3318f00423390bfb08f86c1b0315360e8f006c8e0b0db0ac6c282e4c7b52331876b4b5cdeaaf6d986fbdcdf5b3067d0fe86b2bebe3e47a0b

Download Submit
C:\Windows\SysWOW64\chike.dll

Filesize
19KB

MD5
a09c89c56a528ece56e3070782390fef

SHA1
dac3a77822a4b55e839b33268f80660dae26d8e9

SHA256
aaa5f26b7953bb6d9fce20233a77a55c7e040ab2ee1ad7277a1d2ac422732768

SHA512
63746e350723a36a3318f00423390bfb08f86c1b0315360e8f006c8e0b0db0ac6c282e4c7b52331876b4b5cdeaaf6d986fbdcdf5b3067d0fe86b2bebe3e47a0b

Download Submit
C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
\??\c:\windows\SysWOW64\chike.dll

Filesize
19KB

MD5
a09c89c56a528ece56e3070782390fef

SHA1
dac3a77822a4b55e839b33268f80660dae26d8e9

SHA256
aaa5f26b7953bb6d9fce20233a77a55c7e040ab2ee1ad7277a1d2ac422732768

SHA512
63746e350723a36a3318f00423390bfb08f86c1b0315360e8f006c8e0b0db0ac6c282e4c7b52331876b4b5cdeaaf6d986fbdcdf5b3067d0fe86b2bebe3e47a0b

Download Submit

Analysis

Sharing