3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d

General

Target

3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
Size

960KB
MD5

b327d3bdcea573133bfb57525b376d89
SHA1

995708aad2b70047a3bbce5d8715a6bb2d93ea10
SHA256

3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d
SHA512

764547d5081a20889c4cb06abc59511f03aeda8871308cb3624a92230934c563de6439cff381f8398763b7a60f9110e88fb752d086c0faa6bc5a4c57fe1662a7
SSDEEP

24576:mthEVaPqLNHfB/G0gRDmAXEcRPNZtjQXS1HxZpYNhtqJKaJK:uEVUcNHfB/x3AXESdHb4hIHw

Score

8^/10

evasion upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3704	Facebook-Video-Calling_Allmyapps.exe
4904	Facebook-Video-Calling_Allmyapps.exe
2284	facebook video call.exe
1696	facebook.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2812	netsh.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1640-132-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3704-136-0x0000000002210000-0x0000000002341000-memory.dmp	upx
behavioral2/memory/3704-139-0x0000000002210000-0x0000000002341000-memory.dmp	upx
behavioral2/memory/3704-140-0x0000000002210000-0x0000000002341000-memory.dmp	upx
behavioral2/memory/3704-142-0x0000000002210000-0x0000000002341000-memory.dmp	upx
behavioral2/memory/1640-143-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/4904-146-0x0000000002150000-0x0000000002281000-memory.dmp	upx
behavioral2/memory/4904-149-0x0000000002150000-0x0000000002281000-memory.dmp	upx
behavioral2/memory/4904-150-0x0000000002150000-0x0000000002281000-memory.dmp	upx
behavioral2/memory/4904-152-0x0000000002150000-0x0000000002281000-memory.dmp	upx
behavioral2/memory/4904-153-0x0000000002150000-0x0000000002281000-memory.dmp	upx
behavioral2/memory/3704-154-0x0000000002210000-0x0000000002341000-memory.dmp	upx
behavioral2/memory/4904-155-0x0000000002150000-0x0000000002281000-memory.dmp	upx
behavioral2/memory/4904-156-0x0000000002150000-0x0000000002281000-memory.dmp	upx
behavioral2/memory/1640-159-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Facebook-Video-Calling_Allmyapps.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	facebook video call.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facebook video call.exe	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1640-132-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/1640-143-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/1640-159-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is240601937.log	Facebook-Video-Calling_Allmyapps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3704	Facebook-Video-Calling_Allmyapps.exe
3704	Facebook-Video-Calling_Allmyapps.exe
3704	Facebook-Video-Calling_Allmyapps.exe
3704	Facebook-Video-Calling_Allmyapps.exe
1696	facebook.exe
1696	facebook.exe
1696	facebook.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3704	Facebook-Video-Calling_Allmyapps.exe
Token: SeCreatePagefilePrivilege	3704	Facebook-Video-Calling_Allmyapps.exe
Token: SeDebugPrivilege	1696	facebook.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3704	Facebook-Video-Calling_Allmyapps.exe
3704	Facebook-Video-Calling_Allmyapps.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3704	1640	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	82
PID 1640 wrote to memory of 3704	1640	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	82
PID 1640 wrote to memory of 3704	1640	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	82
PID 3704 wrote to memory of 4904	3704	Facebook-Video-Calling_Allmyapps.exe	84
PID 3704 wrote to memory of 4904	3704	Facebook-Video-Calling_Allmyapps.exe	84
PID 3704 wrote to memory of 4904	3704	Facebook-Video-Calling_Allmyapps.exe	84
PID 1640 wrote to memory of 2284	1640	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	91
PID 1640 wrote to memory of 2284	1640	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	91
PID 1640 wrote to memory of 2284	1640	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	91
PID 3704 wrote to memory of 364	3704	Facebook-Video-Calling_Allmyapps.exe	93
PID 3704 wrote to memory of 364	3704	Facebook-Video-Calling_Allmyapps.exe	93
PID 3704 wrote to memory of 364	3704	Facebook-Video-Calling_Allmyapps.exe	93
PID 2284 wrote to memory of 1696	2284	facebook video call.exe	104
PID 2284 wrote to memory of 1696	2284	facebook video call.exe	104
PID 2284 wrote to memory of 1696	2284	facebook video call.exe	104
PID 1696 wrote to memory of 2812	1696	facebook.exe	107
PID 1696 wrote to memory of 2812	1696	facebook.exe	107
PID 1696 wrote to memory of 2812	1696	facebook.exe	107

C:\Users\Admin\AppData\Local\Temp\3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
"C:\Users\Admin\AppData\Local\Temp\3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe
  "C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe
    "C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe" /_ShowProgress
    3⤵
    - Executes dropped EXE
    PID:4904
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "AllmyappsUpdateTask" /f
    3⤵
    PID:364
- C:\Users\Admin\AppData\Local\Temp\facebook video call.exe
  "C:\Users\Admin\AppData\Local\Temp/facebook video call.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Roaming\facebook.exe
    "C:\Users\Admin\AppData\Roaming\facebook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\facebook.exe" "facebook.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook video call.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook video call.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
C:\Users\Admin\AppData\Roaming\facebook.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
C:\Users\Admin\AppData\Roaming\facebook.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
memory/1640-159-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1640-132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1640-143-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1696-169-0x00000000701B0000-0x0000000070761000-memory.dmp

Filesize
5.7MB

Download
memory/1696-168-0x00000000701B0000-0x0000000070761000-memory.dmp

Filesize
5.7MB

Download
memory/2284-163-0x00000000701B0000-0x0000000070761000-memory.dmp

Filesize
5.7MB

Download
memory/2284-162-0x00000000701B0000-0x0000000070761000-memory.dmp

Filesize
5.7MB

Download
memory/2284-167-0x00000000701B0000-0x0000000070761000-memory.dmp

Filesize
5.7MB

Download
memory/3704-142-0x0000000002210000-0x0000000002341000-memory.dmp

Filesize
1.2MB

Download
memory/3704-141-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3704-154-0x0000000002210000-0x0000000002341000-memory.dmp

Filesize
1.2MB

Download
memory/3704-136-0x0000000002210000-0x0000000002341000-memory.dmp

Filesize
1.2MB

Download
memory/3704-139-0x0000000002210000-0x0000000002341000-memory.dmp

Filesize
1.2MB

Download
memory/3704-140-0x0000000002210000-0x0000000002341000-memory.dmp

Filesize
1.2MB

Download
memory/4904-150-0x0000000002150000-0x0000000002281000-memory.dmp

Filesize
1.2MB

Download
memory/4904-149-0x0000000002150000-0x0000000002281000-memory.dmp

Filesize
1.2MB

Download
memory/4904-146-0x0000000002150000-0x0000000002281000-memory.dmp

Filesize
1.2MB

Download
memory/4904-156-0x0000000002150000-0x0000000002281000-memory.dmp

Filesize
1.2MB

Download
memory/4904-151-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4904-152-0x0000000002150000-0x0000000002281000-memory.dmp

Filesize
1.2MB

Download
memory/4904-153-0x0000000002150000-0x0000000002281000-memory.dmp

Filesize
1.2MB

Download
memory/4904-155-0x0000000002150000-0x0000000002281000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing