ee7f3b60546d725314ff77000a08ae006ba62d9b8483090eb6ac36e059882a45

Analysis

max time kernel
60s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-02-2023 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe
Size

193KB
MD5

5f885b6cb2a3bb34671cd27411e34dcd
SHA1

9a9184d17076f1e4abd5e5bdebda45dcf6d011d1
SHA256

7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422
SHA512

884b2335c0fa622d3b01b8e91412a9005100b48d453a5a59117a056d925c4c26291be526f0439537577d06bb31615f9cc91bdcd7d2ed94fe79f1fce881211175
SSDEEP

3072:GmvxCA3LZUTzRFpUjsOTwZIFLakLn6tFKM6yvstsTRkPYemC:GmJCA16R/UjsOTwZIJ6tFisTRlC

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1048	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1972	FCGCFCAFII.exe
1884	ntlhost.exe

Loads dropped DLL 6 IoCs

pid	Process
1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe
1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe
960	cmd.exe
960	cmd.exe
1972	FCGCFCAFII.exe
1972	FCGCFCAFII.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	FCGCFCAFII.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1932	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	22	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 960	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	28
PID 1080 wrote to memory of 960	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	28
PID 1080 wrote to memory of 960	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	28
PID 1080 wrote to memory of 960	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	28
PID 1080 wrote to memory of 1048	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	30
PID 1080 wrote to memory of 1048	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	30
PID 1080 wrote to memory of 1048	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	30
PID 1080 wrote to memory of 1048	1080	7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe	30
PID 1048 wrote to memory of 1932	1048	cmd.exe	32
PID 1048 wrote to memory of 1932	1048	cmd.exe	32
PID 1048 wrote to memory of 1932	1048	cmd.exe	32
PID 1048 wrote to memory of 1932	1048	cmd.exe	32
PID 960 wrote to memory of 1972	960	cmd.exe	33
PID 960 wrote to memory of 1972	960	cmd.exe	33
PID 960 wrote to memory of 1972	960	cmd.exe	33
PID 960 wrote to memory of 1972	960	cmd.exe	33
PID 1972 wrote to memory of 1884	1972	FCGCFCAFII.exe	34
PID 1972 wrote to memory of 1884	1972	FCGCFCAFII.exe	34
PID 1972 wrote to memory of 1884	1972	FCGCFCAFII.exe	34
PID 1972 wrote to memory of 1884	1972	FCGCFCAFII.exe	34

C:\Users\Admin\AppData\Local\Temp\7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe
"C:\Users\Admin\AppData\Local\Temp\7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCGCFCAFII.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Local\Temp\FCGCFCAFII.exe
    "C:\Users\Admin\AppData\Local\Temp\FCGCFCAFII.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7bf368eb69281afd2f6847d6ac71cfe202ef22917fe373d03b8c519991f3b422.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FCGCFCAFII.exe

Filesize
2.0MB

MD5
c4377d5563d3c6b6af68a0a103a69c59

SHA1
302a6299b0550510514f26df2d91f88c66248770

SHA256
6fb43252ffec27bc90f9a92d995290ad67156a73288a5cbd054c4059f6c8e0fe

SHA512
4e3cc901c864c2aa326a6abe2d97ae244bb91b86dfba50b1d7671c04d48211a126781e641f8cec91300bfd624ec2ba2eea044f811b25808c1d10cdbbee4297d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCGCFCAFII.exe

Filesize
2.0MB

MD5
c4377d5563d3c6b6af68a0a103a69c59

SHA1
302a6299b0550510514f26df2d91f88c66248770

SHA256
6fb43252ffec27bc90f9a92d995290ad67156a73288a5cbd054c4059f6c8e0fe

SHA512
4e3cc901c864c2aa326a6abe2d97ae244bb91b86dfba50b1d7671c04d48211a126781e641f8cec91300bfd624ec2ba2eea044f811b25808c1d10cdbbee4297d8

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
434.8MB

MD5
3ae2a7b12ba4b408c4e3394032dc59f7

SHA1
c437a39b39eff73bb6b76ea9e01cd9adcb315aca

SHA256
7ed26aebd2d17b7d412461343c54b9b33808f3459814e9aa6839e7c2d91005e4

SHA512
075b8e8547b5e30b74056597a8700114123aae957b82f44462a22c610f081c62c02d855672ccb240f171a2c6dfd2525180587433e9b367051b90822058eaad44

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\FCGCFCAFII.exe

Filesize
2.0MB

MD5
c4377d5563d3c6b6af68a0a103a69c59

SHA1
302a6299b0550510514f26df2d91f88c66248770

SHA256
6fb43252ffec27bc90f9a92d995290ad67156a73288a5cbd054c4059f6c8e0fe

SHA512
4e3cc901c864c2aa326a6abe2d97ae244bb91b86dfba50b1d7671c04d48211a126781e641f8cec91300bfd624ec2ba2eea044f811b25808c1d10cdbbee4297d8

Download Submit
\Users\Admin\AppData\Local\Temp\FCGCFCAFII.exe

Filesize
2.0MB

MD5
c4377d5563d3c6b6af68a0a103a69c59

SHA1
302a6299b0550510514f26df2d91f88c66248770

SHA256
6fb43252ffec27bc90f9a92d995290ad67156a73288a5cbd054c4059f6c8e0fe

SHA512
4e3cc901c864c2aa326a6abe2d97ae244bb91b86dfba50b1d7671c04d48211a126781e641f8cec91300bfd624ec2ba2eea044f811b25808c1d10cdbbee4297d8

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
408.6MB

MD5
1b1d1f621917627d5548dea911a790f8

SHA1
efb7ea96df795fdd2e675bec3718a600c7c8ba54

SHA256
03f2d04c73911c5c9f116be8582578a764fbd8c4ddca8b8a1fdac84a46fb57c2

SHA512
727354764e8c4c6889b6d3544cfc56e46ead3a441547aa68a033403e33830e43caf394dd6bd43b6e17332f75472551fa7f048b62bb289fe410a3310ddc44eb27

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
415.0MB

MD5
8f061412f90048ac5c8c38d8932f29c5

SHA1
b9107b81f91e11302ea31b7e21f7f82d2d8b8f3d

SHA256
a050828061b6b9ddfa2eddef158aab53fcbf0c52f53d182d560ed4718f3800e5

SHA512
4261d70b7ad1cff202e59dacddd80fb37b5fb3562041f200ab377fb589a979e2f5f4c91d2cb36107dcbf6fb8e7968ef9407b2ccadc0cba136f0a273cf45a4eec

Download Submit
memory/960-78-0x0000000000000000-mapping.dmp

Download
memory/1048-79-0x0000000000000000-mapping.dmp

Download
memory/1080-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1080-80-0x000000000080B000-0x000000000081E000-memory.dmp

Filesize
76KB

Download
memory/1080-81-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1080-58-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1080-57-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1080-55-0x000000000080B000-0x000000000081E000-memory.dmp

Filesize
76KB

Download
memory/1080-56-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1884-96-0x0000000002240000-0x00000000023EA000-memory.dmp

Filesize
1.7MB

Download
memory/1884-94-0x0000000000000000-mapping.dmp

Download
memory/1884-98-0x0000000002240000-0x00000000023EA000-memory.dmp

Filesize
1.7MB

Download
memory/1884-99-0x0000000002410000-0x00000000027E0000-memory.dmp

Filesize
3.8MB

Download
memory/1884-100-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1884-101-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1932-82-0x0000000000000000-mapping.dmp

Download
memory/1972-90-0x00000000024C0000-0x0000000002890000-memory.dmp

Filesize
3.8MB

Download
memory/1972-91-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1972-89-0x0000000002310000-0x00000000024BA000-memory.dmp

Filesize
1.7MB

Download
memory/1972-88-0x0000000002310000-0x00000000024BA000-memory.dmp

Filesize
1.7MB

Download
memory/1972-86-0x0000000000000000-mapping.dmp

Download
memory/1972-97-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download