ce1693a24ab165c0c2eab1ceeef3fd76ae9764688a95ec20be48546c22227789

Analysis

max time kernel
177s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

F-M-E.exe
Size

1.2MB
MD5

0e5cf95239446c09bb6c08bdf4204955
SHA1

65501f0f415d4cdc83e0fff51c952767d536a72c
SHA256

ce1693a24ab165c0c2eab1ceeef3fd76ae9764688a95ec20be48546c22227789
SHA512

9b533cdfa12e7a57d41e7eeea4bb080f442e51f492ae665302797e63929e738a0b0aac98e4cd911da886a48ff5df714c2c1f30d469d384012950d248cb9a4f35
SSDEEP

24576:RcVkKSYGLy3B1XdeGMSP9VLshTXgOVtaYLeVbIJjvkWTNDRAISRdDbcOy2DIozc+:RcB4y1X+SP/LshgOVeVnuAIAd3nylgc+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	F-M-E.exe

Executes dropped EXE 2 IoCs

pid	Process
240	u0Y4DfNbjZAQ4PNg6NB5.exe
1388	name.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3852	tasklist.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	86	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeDebugPrivilege	3852	tasklist.exe
Token: SeRestorePrivilege	240	u0Y4DfNbjZAQ4PNg6NB5.exe
Token: 35	240	u0Y4DfNbjZAQ4PNg6NB5.exe
Token: SeSecurityPrivilege	240	u0Y4DfNbjZAQ4PNg6NB5.exe
Token: SeSecurityPrivilege	240	u0Y4DfNbjZAQ4PNg6NB5.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 1476	3200	F-M-E.exe	108
PID 3200 wrote to memory of 1476	3200	F-M-E.exe	108
PID 3200 wrote to memory of 1476	3200	F-M-E.exe	108
PID 1476 wrote to memory of 5112	1476	cmd.exe	111
PID 1476 wrote to memory of 5112	1476	cmd.exe	111
PID 1476 wrote to memory of 5112	1476	cmd.exe	111
PID 1476 wrote to memory of 4364	1476	cmd.exe	112
PID 1476 wrote to memory of 4364	1476	cmd.exe	112
PID 1476 wrote to memory of 4364	1476	cmd.exe	112
PID 4364 wrote to memory of 3944	4364	cmd.exe	113
PID 4364 wrote to memory of 3944	4364	cmd.exe	113
PID 4364 wrote to memory of 3944	4364	cmd.exe	113
PID 1476 wrote to memory of 3852	1476	cmd.exe	114
PID 1476 wrote to memory of 3852	1476	cmd.exe	114
PID 1476 wrote to memory of 3852	1476	cmd.exe	114
PID 1476 wrote to memory of 952	1476	cmd.exe	115
PID 1476 wrote to memory of 952	1476	cmd.exe	115
PID 1476 wrote to memory of 952	1476	cmd.exe	115
PID 1476 wrote to memory of 4168	1476	cmd.exe	116
PID 1476 wrote to memory of 4168	1476	cmd.exe	116
PID 1476 wrote to memory of 4168	1476	cmd.exe	116
PID 1476 wrote to memory of 240	1476	cmd.exe	117
PID 1476 wrote to memory of 240	1476	cmd.exe	117
PID 1476 wrote to memory of 240	1476	cmd.exe	117
PID 1476 wrote to memory of 1388	1476	cmd.exe	118
PID 1476 wrote to memory of 1388	1476	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\F-M-E.exe
"C:\Users\Admin\AppData\Local\Temp\F-M-E.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS08C067E8\run.bat" x -pZhd2kZSak8js u0Y4DfNbjZAQ4PNg6NB5 -o. -y AsDxzcDAzSDzdD FME"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=40 lines=3
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3944
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq name.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- - C:\Windows\SysWOW64\find.exe
    find /i "name.exe"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy *.* ..\ /Y
    3⤵
    - Enumerates system info in registry
    PID:4168
- - C:\Users\Admin\AppData\Local\Temp\u0Y4DfNbjZAQ4PNg6NB5.exe
    u0Y4DfNbjZAQ4PNg6NB5.exe x -pZhd2kZSak8js u0Y4DfNbjZAQ4PNg6NB5 -o. -y
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Users\Admin\AppData\Local\Temp\name.exe
    name.exe AsDxzcDAzSDzdD
    3⤵
    - Executes dropped EXE
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS08C067E8\run.bat

Filesize
693B

MD5
b4226b490a1d93cf99c2c9cbc7c0dac2

SHA1
51cbf66243f36f833ac96bf0f80d0db8357d9d07

SHA256
643a6a83e0e87edc5296cd499d3dc4e562e02b32b5c510e311073bdf35521347

SHA512
49e5820f5c4c4dbd9ebd9e2096ec6f6929e62a04133eb3afd19c9843d0db638ee030f5e431dcbd4c8f984f1870a1108b7a3efdfa1ff8fd128a6fd7ae1d3c5a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS08C067E8\u0Y4DfNbjZAQ4PNg6NB5

Filesize
844KB

MD5
f795a689fae22d85a663a0cec6b04edd

SHA1
1cd30edbc43673d83f8879d13415e5fa95244c96

SHA256
630badf7ccac90bfc0a38d823154a816c1838d2f72b13f6486c89ac506be331c

SHA512
2b9c3e2a7faf490b468839e2f0fb5e1826b116d81b33a967725d74fd28354ec337d69fd70041fc1d36527849c6becdafbbe80054b8cc9c010a1874aa1695719b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS08C067E8\u0Y4DfNbjZAQ4PNg6NB5.exe

Filesize
593KB

MD5
1f7b03f055cdfbfe54f6ae96e52119d6

SHA1
ed27df5ffb0c30fd2df1c0952b497cfd0bd868e5

SHA256
40bc7b7150e23880fd35ff98301d7d1a8fd28a047e07ec1b9d7c1680806828ee

SHA512
4a6391cc7f2ded06065f02baf4ae1cbd886e6c083122638872680501a75b0b0da62d517e5526d411c33fc6a568b91de8b01e297d8c88ed5e1673efa53401cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsDxzcDAzSDzdD

Filesize
37.9MB

MD5
1f34980dc477b019849ae4e9d04e35ac

SHA1
39b9e6fee8dfa47290a2a93ce09fef4fbdc693df

SHA256
c06026553ca2769d2716fe82d8bc421b8a48f891e9f38d159bb1218c89d3cd5d

SHA512
b65a0a5eb3acc8bf550d6846b8bfccbadeed33603362551e15e390dc68a000f6dd4336a2049f67aa853fa12b3d5eaa7b2280b490dc1eedc9a468fb6cf7b53da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\name.exe

Filesize
1.3MB

MD5
7a906783000136e751744c80048600e7

SHA1
b1b80f34b9e068a40dfebe42dbf2b587a0a1d6bb

SHA256
83b9a6831948cf3217d05461269d937e53db02391b3f30ebd25283272001174d

SHA512
46913f1ba1a184ba2f4eac56161c8cd08f009b8900886bc70ee760e5229a639dfb789ababf2e45ea6e3cdb77037fe60348531d580c9c5162c2a3be1330c5fefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
693B

MD5
b4226b490a1d93cf99c2c9cbc7c0dac2

SHA1
51cbf66243f36f833ac96bf0f80d0db8357d9d07

SHA256
643a6a83e0e87edc5296cd499d3dc4e562e02b32b5c510e311073bdf35521347

SHA512
49e5820f5c4c4dbd9ebd9e2096ec6f6929e62a04133eb3afd19c9843d0db638ee030f5e431dcbd4c8f984f1870a1108b7a3efdfa1ff8fd128a6fd7ae1d3c5a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0Y4DfNbjZAQ4PNg6NB5

Filesize
844KB

MD5
f795a689fae22d85a663a0cec6b04edd

SHA1
1cd30edbc43673d83f8879d13415e5fa95244c96

SHA256
630badf7ccac90bfc0a38d823154a816c1838d2f72b13f6486c89ac506be331c

SHA512
2b9c3e2a7faf490b468839e2f0fb5e1826b116d81b33a967725d74fd28354ec337d69fd70041fc1d36527849c6becdafbbe80054b8cc9c010a1874aa1695719b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0Y4DfNbjZAQ4PNg6NB5

Filesize
844KB

MD5
f795a689fae22d85a663a0cec6b04edd

SHA1
1cd30edbc43673d83f8879d13415e5fa95244c96

SHA256
630badf7ccac90bfc0a38d823154a816c1838d2f72b13f6486c89ac506be331c

SHA512
2b9c3e2a7faf490b468839e2f0fb5e1826b116d81b33a967725d74fd28354ec337d69fd70041fc1d36527849c6becdafbbe80054b8cc9c010a1874aa1695719b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0Y4DfNbjZAQ4PNg6NB5.exe

Filesize
593KB

MD5
1f7b03f055cdfbfe54f6ae96e52119d6

SHA1
ed27df5ffb0c30fd2df1c0952b497cfd0bd868e5

SHA256
40bc7b7150e23880fd35ff98301d7d1a8fd28a047e07ec1b9d7c1680806828ee

SHA512
4a6391cc7f2ded06065f02baf4ae1cbd886e6c083122638872680501a75b0b0da62d517e5526d411c33fc6a568b91de8b01e297d8c88ed5e1673efa53401cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0Y4DfNbjZAQ4PNg6NB5.exe

Filesize
593KB

MD5
1f7b03f055cdfbfe54f6ae96e52119d6

SHA1
ed27df5ffb0c30fd2df1c0952b497cfd0bd868e5

SHA256
40bc7b7150e23880fd35ff98301d7d1a8fd28a047e07ec1b9d7c1680806828ee

SHA512
4a6391cc7f2ded06065f02baf4ae1cbd886e6c083122638872680501a75b0b0da62d517e5526d411c33fc6a568b91de8b01e297d8c88ed5e1673efa53401cebb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads