b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b

Analysis

max time kernel
0s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 07:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FFA.exe
Size

652KB
MD5

7589fe75123045e6f30eab511e55bc3a
SHA1

34e473bb2385e923feccb4aa5375a56924893a31
SHA256

747f15512f3b04420d0bc2264192fb1f8a4cdf81993afb191ae835d86b650cd8
SHA512

fba1f53b6c2e8954e906ba2343e2b1a9f0f88ae69df0eab567af3ece4bc93d6b5291cc55e0aaf2b3d7e7d4e5457ac95eaacbd027425e3fff9df467e28627adcf
SSDEEP

12288:sRvnERMs3azRIMbcr6ZwchpZJmdhBPrx4PkAd5EBgv5gBjl:s5nm3fe5bMprx4c05EBgxgb

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1548	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	FFA.exe

Executes dropped EXE 2 IoCs

pid	Process
3972	gabberoneshay.exe
736	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3972	gabberoneshay.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3972	1748	FFA.exe	29
PID 1748 wrote to memory of 3972	1748	FFA.exe	29
PID 1748 wrote to memory of 3972	1748	FFA.exe	29
PID 1748 wrote to memory of 736	1748	FFA.exe	28
PID 1748 wrote to memory of 736	1748	FFA.exe	28
PID 1748 wrote to memory of 736	1748	FFA.exe	28

C:\Users\Admin\AppData\Local\Temp\FFA.exe
"C:\Users\Admin\AppData\Local\Temp\FFA.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe
  "C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3972
- - C:\Users\Admin\AppData\Roaming\spoolsv.exe
    /d C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\spoolsv.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe

Filesize
68KB

MD5
08dff461780f398b24c1cf2e05cca282

SHA1
e25ab2aef86e8f04a999c558885c04695195fd7c

SHA256
542b205ce9d2521234751f85e0069f63102386dedacd8e008811862be6dba90c

SHA512
4a8f38eb7347d24dd2a7ab2e975151325d668aa4a3562738f81617c9bfc13e6ba3b514fd4644448f2cdc92abe098499558249fb5a9a88f0673341d001aee663a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe

Filesize
47KB

MD5
271e737e14afa557a2bfd66400456360

SHA1
3b0c96ed2baeec8cbd16246882f62b5f24a940c2

SHA256
78b8f7fb6255586c71fffad468840d5c6d65f3ece7b78818dcdf942c6b69f53b

SHA512
f0f389c72bc356200fbe42d213a0aff6c58af400c0286caab1e88b54505be945e823dd457de366d2e642c229837c7b522a6dd5f3063c642f26ec6df22b96d4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gabberoneshay.exe

Filesize
51KB

MD5
a1053244845e2ddb37cb70fd73e0aaf4

SHA1
ef8a2df5b425d06305b0a3bd9688502c98225d3f

SHA256
514748b7ddd43595ed5b55727bb1d4eb1f51930c602a81b5df2e602c4f4e577d

SHA512
d910a9466855c6b8fc7ece58712ffa695718de99761421fb9768613037cf665fccbb02b1fb1ca08c654883a583e57cb21248dccb05caae0028b0aac497c4b818

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
31KB

MD5
f630e1933e6d7c5e40cd7f2deb32119c

SHA1
ed19cf8905f3fccfd0f0bf4caea421efd6555413

SHA256
6399a56d336a4749a47b92655025b4de4860efa232ea3d70c51a6a8ff96c8fe9

SHA512
e4a543cc0393fb60553259a11980062b9561beb19c893e9664b574a453c54f4ca246cd62a78c49676ff984197262a808f15cddb7212e9a7c38fefcfeaa805e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
57KB

MD5
f50d42d0a24c166e0fbcd5386b20ab61

SHA1
3ca2af5d8aa863d3dd83fba92bd5f8d42a0427ec

SHA256
78c0759d27399c5f4d1b646a3dc6827f32c6945171877e273c211eb4b7493b4f

SHA512
88e4643673d8d51ac6804e1792ae130b4cd9ff94bd65008a0182e68fb72924d455d22c83ca508801d3fdfe5a7465426b6623cb01f71dc2d54ed8a1d8510a7760

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
19KB

MD5
903521a64fd0fb65aa933901fec12f2d

SHA1
b0affc70b17e31cc34ce5fda1a3ce0bfdee2f058

SHA256
5daf035e2d6d3b62c1d68624612c9383272fd4a3363c6462ae9440ec06cb22ba

SHA512
f85e9cd035d61b6deb39de079103da405bda141a6c4cf6b8b2b6afb053df317dfed77dac6e9296d7369ee4d56fc3e4db0e77714cc8c7ca80d75ccd6ff2f684ce

Download Submit
C:\Users\Admin\AppData\Roaming\mmvFMROV

Filesize
39KB

MD5
560d988d6371a692d48670a652b16f10

SHA1
7ad5c1f0f05ef1ba8291b0554e776a066015ef3d

SHA256
25a6cde14ee6a6dd49c41b246b6de26c70ef82109b421bdbca8661af308e0b7a

SHA512
78352c128e8f78b2e566062f8e3e73e27e606d0a5a301264c42b59d6b9a3b2856e927d74ed3a9ba57e6fef72376db10159dc00e76b102a8cf7e72292b4070729

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
89KB

MD5
0e0a28d69ce5ab108a1b6944fd57d773

SHA1
5dc867c7016582ebc2c1a12472b0fca3f2d1b2d4

SHA256
5592a1aaf424c829b42f869d1302ec485bfe4e8e27663c54c82d04ccf7eacc9b

SHA512
810da7630b7d1154b2703723c0df1ff32b6e2f224d8752090db2481ad2058f18e705b93a91f20a89cc5444012cc51367369fd506808f4caeb56b1173b6911dc1

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
128KB

MD5
9565b3b763601164d276ec2011c90b38

SHA1
6b9428b9874657d199c83b497411035f4943495d

SHA256
671f261902715279b9e3143c01d5e5c73fd32ba9366d648992144d6d3c5439c4

SHA512
bb7d24ca4643ba3ab9a0ac646f4ea35a5f7ee8ae417bdd9c7ca3620c3c7a22e97399b87b245bee1a616fcab8d411231a14b7d1b38c7fde3513a6fd0504aeecb9

Download Submit
memory/1748-0-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/1748-1-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/1748-27-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/1748-2-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads