a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe
Size

776KB
MD5

b558ad5849a78f855e40e858e75edcfd
SHA1

9d1582aae14f17585747b15a6161b48317e1485e
SHA256

a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e
SHA512

a002768b2a70d63358979908f431fcd712d46ef986a3546557eb586431514a05b5cded36137e3f288980a5436511b9e4053fafd6a0e58605b3ccb958d6eabf55
SSDEEP

12288:yWdU2TCZyAr2ghlnXTZ4r+jKM2vW5a0mFqL/IVLc/O/mI0zb4pkw7cPZxj:RdUuCgmSU+QmFqL/IVLc/jI0zb4gZR

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4444	ffc.exe
4900	ffc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	ffc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\freak\\ffc.exe"	ffc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3756 set thread context of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 4444 set thread context of 4900	4444	ffc.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3756 wrote to memory of 3796	3756	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	78
PID 3796 wrote to memory of 4444	3796	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	79
PID 3796 wrote to memory of 4444	3796	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	79
PID 3796 wrote to memory of 4444	3796	a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe	79
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80
PID 4444 wrote to memory of 4900	4444	ffc.exe	80

C:\Users\Admin\AppData\Local\Temp\a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe
"C:\Users\Admin\AppData\Local\Temp\a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe
  C:\Users\Admin\AppData\Local\Temp\a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Roaming\freak\ffc.exe
    "C:\Users\Admin\AppData\Roaming\freak\ffc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Roaming\freak\ffc.exe
      C:\Users\Admin\AppData\Roaming\freak\ffc.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bot.hwid

Filesize
17B

MD5
5c843f3bedd666a7c2b3699d26b6a018

SHA1
007402c989d7559f0300d1a668016484309bc514

SHA256
fa6e8c9f4ece94009c0cc696899bb667d77633df51c0c601558d0c5c0154e88e

SHA512
98ff9da30f7359b42b41d00c36b6709446764b96fd3ca78573d6264c297e214dab3dde79551002fbbae6b3202f3d7a958d18b25bde68710b0ef58ba823ec153a

Download Submit
C:\Users\Admin\AppData\Roaming\freak\ffc.exe

Filesize
776KB

MD5
b558ad5849a78f855e40e858e75edcfd

SHA1
9d1582aae14f17585747b15a6161b48317e1485e

SHA256
a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e

SHA512
a002768b2a70d63358979908f431fcd712d46ef986a3546557eb586431514a05b5cded36137e3f288980a5436511b9e4053fafd6a0e58605b3ccb958d6eabf55

Download Submit
C:\Users\Admin\AppData\Roaming\freak\ffc.exe

Filesize
776KB

MD5
b558ad5849a78f855e40e858e75edcfd

SHA1
9d1582aae14f17585747b15a6161b48317e1485e

SHA256
a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e

SHA512
a002768b2a70d63358979908f431fcd712d46ef986a3546557eb586431514a05b5cded36137e3f288980a5436511b9e4053fafd6a0e58605b3ccb958d6eabf55

Download Submit
C:\Users\Admin\AppData\Roaming\freak\ffc.exe

Filesize
776KB

MD5
b558ad5849a78f855e40e858e75edcfd

SHA1
9d1582aae14f17585747b15a6161b48317e1485e

SHA256
a103074ae5aa78f967109561fe9faa2796362c77339a66ea47743c0307dc790e

SHA512
a002768b2a70d63358979908f431fcd712d46ef986a3546557eb586431514a05b5cded36137e3f288980a5436511b9e4053fafd6a0e58605b3ccb958d6eabf55

Download Submit
memory/3756-136-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3756-132-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3796-137-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3796-138-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3796-135-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3796-134-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3796-150-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4444-146-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4900-148-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4900-151-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download