f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387

General

Target

f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387.exe
Size

2.6MB
MD5

949df135dff1614776b3a9d69e211573
SHA1

539283c03e723738d2baf00cfdee80d72839ee0e
SHA256

f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387
SHA512

baeb30ed8475b596623fb06638a6ce3af947ff8d7de20b44519c33fff35f04e58c6e39cc9c39beb95319731667fd449d6c90bf1364b9db45b6d7bd6d7bacf1d8
SSDEEP

49152:8q1lWwe0lsFIVWsmm9ZsPdf5e+xGBGodXbPYf94sKGY+OPvq91:8QWorDkPp+91Pw94pvqP

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
540	Setup.exe
4348	photoshine_setup.exe
4296	nfbi.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4548-132-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4548-141-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4548-145-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\xzoyy\jy.ini	Setup.exe
File opened for modification	C:\Program Files\xzoyy\mizos\wuscas.dll	Setup.exe
File opened for modification	C:\Program Files\xzoyy\xoee\gasev.dll	Setup.exe
File created	C:\Program Files\xzoyy\cotivs.exe	Setup.exe
File created	C:\Program Files\xzoyy\hacoef.exe	Setup.exe
File opened for modification	C:\Program Files\xzoyy\hacoef.exe	Setup.exe
File created	C:\Program Files\xzoyy\mizos\wuscas.dll	Setup.exe
File created	C:\Program Files\xzoyy\mizos\wusvus.dll	Setup.exe
File opened for modification	C:\Program Files\xzoyy\mizos\wusvus.dll	Setup.exe
File opened for modification	C:\Program Files\xzoyy\ieftk.exe	Setup.exe
File opened for modification	C:\Program Files\xzoyy\nfbi.exe	Setup.exe
File opened for modification	C:\Program Files\xzoyy\xoee\wexvu.dll	Setup.exe
File opened for modification	C:\Program Files\xzoyy\cotivs.exe	Setup.exe
File created	C:\Program Files\xzoyy\jy.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
540	Setup.exe
540	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 540	4548	f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387.exe	79
PID 4548 wrote to memory of 540	4548	f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387.exe	79
PID 4548 wrote to memory of 540	4548	f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387.exe	79
PID 540 wrote to memory of 4348	540	Setup.exe	80
PID 540 wrote to memory of 4348	540	Setup.exe	80
PID 540 wrote to memory of 4348	540	Setup.exe	80
PID 540 wrote to memory of 4296	540	Setup.exe	81
PID 540 wrote to memory of 4296	540	Setup.exe	81
PID 540 wrote to memory of 4296	540	Setup.exe	81

C:\Users\Admin\AppData\Local\Temp\f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387.exe
"C:\Users\Admin\AppData\Local\Temp\f2c0f426fc782c8c1ce256f1bcb0b2b174c38a156c2d6d545e4c3547ebf8d387.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\photoshine_setup.exe
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\photoshine_setup.exe
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\Program Files\xzoyy\nfbi.exe
    "C:\Program Files\xzoyy\nfbi.exe" /install /Silent
    3⤵
    - Executes dropped EXE
    PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\xzoyy\nfbi.exe

Filesize
716KB

MD5
60e218ccfc6fcd00285456efd836836c

SHA1
17c12dc30ef4622fd2ef9aa6ebd78ad71a862111

SHA256
0fe53a98e96990c04412aea7b022ad16d4be1cbdd1702f7f0237e846ac4550d2

SHA512
540f4f5c89cf91ec75f82b924f313cd30c53d27011330293974eb88f8bdecda5ea74788142254bcb591249cdf33439a15843d1d3f8699031e52410598ece303b

Download Submit
C:\Program Files\xzoyy\nfbi.exe

Filesize
716KB

MD5
60e218ccfc6fcd00285456efd836836c

SHA1
17c12dc30ef4622fd2ef9aa6ebd78ad71a862111

SHA256
0fe53a98e96990c04412aea7b022ad16d4be1cbdd1702f7f0237e846ac4550d2

SHA512
540f4f5c89cf91ec75f82b924f313cd30c53d27011330293974eb88f8bdecda5ea74788142254bcb591249cdf33439a15843d1d3f8699031e52410598ece303b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\GTemp.dat

Filesize
1.9MB

MD5
b735cff453df2becac0eff6dcd73d7cc

SHA1
0a0ff56a054ea6de540330e7faf4e334b7715a12

SHA256
f29df1147cbaf94c381f22a576d31c782d47f7138471067977e1495c3c6b42d5

SHA512
5c14f3a1512df85e86396aca4588fec487b4e445e67c07f7cb8031bfb487cc479cfe23273e84ec20160b91e9303e7af39ecbe02be0e7f3ed6732a76a902746b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.EXE

Filesize
708KB

MD5
fe3ef83d71c421d53b8b6d90bed19bdd

SHA1
03150b2758b1d8828e5384903c4c8fe466e98b81

SHA256
59add1ac71b87061a8407aeb521c4dabe07f3f7dc1f98c899bb70fef88452818

SHA512
764d114b020ab0f7aff70295b725fabab78673c2023a0caa0c95c3bd0867ea6340a8bb1c89add9d194ce2d05955f184e2ac06ef42b2cc5e217e222fa78874da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
708KB

MD5
fe3ef83d71c421d53b8b6d90bed19bdd

SHA1
03150b2758b1d8828e5384903c4c8fe466e98b81

SHA256
59add1ac71b87061a8407aeb521c4dabe07f3f7dc1f98c899bb70fef88452818

SHA512
764d114b020ab0f7aff70295b725fabab78673c2023a0caa0c95c3bd0867ea6340a8bb1c89add9d194ce2d05955f184e2ac06ef42b2cc5e217e222fa78874da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jtemp.dat

Filesize
1.4MB

MD5
80ab2af7ff1df840f352d7b73748c188

SHA1
06ad2f229cf97ef93af22a39f2e3cc97902946c1

SHA256
078880ad80f4cc75c4390e13a300121a000a64c6a9485ac6dccc61209622b09b

SHA512
4b3aea7d05e2c13cd334a100153e788729ba84e3236548fa56a71b77acf30f5b51d8f25314e03dbe34354218b807a7d92df8154dac05fffb5e2df56d702a8bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\photoshine_setup.exe

Filesize
1.9MB

MD5
b735cff453df2becac0eff6dcd73d7cc

SHA1
0a0ff56a054ea6de540330e7faf4e334b7715a12

SHA256
f29df1147cbaf94c381f22a576d31c782d47f7138471067977e1495c3c6b42d5

SHA512
5c14f3a1512df85e86396aca4588fec487b4e445e67c07f7cb8031bfb487cc479cfe23273e84ec20160b91e9303e7af39ecbe02be0e7f3ed6732a76a902746b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

Filesize
247B

MD5
3c23085813fa011e927cca507483ae86

SHA1
c7467845bd419f6d8fe0ee8d49d966e9d3689c97

SHA256
e5149027d879ddc49922c733939342f7bd794608061ab7b6ab6278856cd24673

SHA512
4a067336b4b6222bc39931a10b0f8475e6070a74bb866ea015150f785ebfbdfa48be3a69c97a9d3ed2864dba4027e62b229a5d02adbff6f480798f43d31f094b

Download Submit
memory/4548-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4548-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4548-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing