9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e

Analysis

max time kernel
151s
max time network
76s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
Size

284KB
MD5

5897f884e2ff480b59ab3ce3a3c784f6
SHA1

4ee772d819de27618fb74214d58dfc980ab408ba
SHA256

9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e
SHA512

47ed906135624b66097e7c3e4f2213ce5270532d6664ba399a55a58165705091e9356874430a9661acd37e207c3930f051b7412921517e888af33777d039e723
SSDEEP

6144:RP9qiyChL5Rjda3P/fis6Do/uP+tFb84ly7a7:99qiyCF5xI3PH96DoWPYb8Y

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fiigor.exe

Executes dropped EXE 1 IoCs

pid	Process
276	fiigor.exe

Loads dropped DLL 2 IoCs

pid	Process
1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /g"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /X"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /V"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /y"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /U"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /L"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /c"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /D"	fiigor.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /r"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /G"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /k"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /o"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /A"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /m"	fiigor.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /W"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /j"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /I"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /z"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /S"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /H"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /B"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /s"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /q"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /O"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /i"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /v"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /u"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /F"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /Z"	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /e"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /Z"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /K"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /T"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /P"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /h"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /w"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /l"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /Y"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /b"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /M"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /t"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /J"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /E"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /N"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /x"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /d"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /p"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /a"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /R"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /C"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /n"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /f"	fiigor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiigor = "C:\\Users\\Admin\\fiigor.exe /Q"	fiigor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe
276	fiigor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
276	fiigor.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 276	1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe	27
PID 1000 wrote to memory of 276	1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe	27
PID 1000 wrote to memory of 276	1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe	27
PID 1000 wrote to memory of 276	1000	9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe	27

C:\Users\Admin\AppData\Local\Temp\9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe
"C:\Users\Admin\AppData\Local\Temp\9db7b6c785dfe553776916a91fbc18416055f1735fa7e1428feed7dea9afab6e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\fiigor.exe
  "C:\Users\Admin\fiigor.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fiigor.exe

Filesize
284KB

MD5
60eb7bc5fca67724bfb5b5837dba9717

SHA1
c01d7cd81a5cdb54bdb3024fbfe89953126dbd14

SHA256
19555cd6a73360594e3109c603160a09ae5bb044e4f2ec53debde7892b3c4571

SHA512
c462efdc12b9e59c712d610dba7773832ac69c58dbfa27a5e58aaa17564b1cff818cdbe7564291c381a682c2424d3b88aac6ddacb64930c3981d060180c68fb8

Download Submit
C:\Users\Admin\fiigor.exe

Filesize
284KB

MD5
60eb7bc5fca67724bfb5b5837dba9717

SHA1
c01d7cd81a5cdb54bdb3024fbfe89953126dbd14

SHA256
19555cd6a73360594e3109c603160a09ae5bb044e4f2ec53debde7892b3c4571

SHA512
c462efdc12b9e59c712d610dba7773832ac69c58dbfa27a5e58aaa17564b1cff818cdbe7564291c381a682c2424d3b88aac6ddacb64930c3981d060180c68fb8

Download Submit
\Users\Admin\fiigor.exe

Filesize
284KB

MD5
60eb7bc5fca67724bfb5b5837dba9717

SHA1
c01d7cd81a5cdb54bdb3024fbfe89953126dbd14

SHA256
19555cd6a73360594e3109c603160a09ae5bb044e4f2ec53debde7892b3c4571

SHA512
c462efdc12b9e59c712d610dba7773832ac69c58dbfa27a5e58aaa17564b1cff818cdbe7564291c381a682c2424d3b88aac6ddacb64930c3981d060180c68fb8

Download Submit
\Users\Admin\fiigor.exe

Filesize
284KB

MD5
60eb7bc5fca67724bfb5b5837dba9717

SHA1
c01d7cd81a5cdb54bdb3024fbfe89953126dbd14

SHA256
19555cd6a73360594e3109c603160a09ae5bb044e4f2ec53debde7892b3c4571

SHA512
c462efdc12b9e59c712d610dba7773832ac69c58dbfa27a5e58aaa17564b1cff818cdbe7564291c381a682c2424d3b88aac6ddacb64930c3981d060180c68fb8

Download Submit
memory/1000-56-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download