Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 11-02-2024 17:06
Behavioral task: behavioral1
Sample: FECWXQ.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: FECWXQ.exe
Resource: win10v2004-20231222-en
General
Target: FECWXQ.exe
Size: 491KB
MD5: 96e4d8e02c5ec01ac83d3d84e5a61e18
SHA1: 8a259428650ef3400d6500858970d22b5d69c3ae
SHA256: 36d32fbafc5c9974d098c9cc6c1b728b0472318539333d4326362017e02acd2f
SHA512: c3bdf743517a96a748a93a7581266a26545d51006880669bb1fff14d3ff6716e24d05a44fda5e52d91d3b247343755fe7aff1084245edc3535ab090e17f6f855
SSDEEP: 12288:I6Wq4aaE6KwyF5L0Y2D1PqLQ7a289KvvYY83ltl9:ethEVaPqLgZgKvvYFp
Malware Config
Signatures
UPX dump on OEP (original entry point) (15 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x00000000004CA000-memory.dmp    UPX
behavioral1/memory/2236-174-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-190-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-200-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-212-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-222-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-231-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-242-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-254-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-264-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-274-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-283-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-295-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-305-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
behavioral1/memory/2236-315-0x0000000000400000-0x00000000004CA000-memory.dmp  UPX
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\z:  FECWXQ.exe
File opened (read-only)  \??\a:  FECWXQ.exe
File opened (read-only)  \??\g:  FECWXQ.exe
File opened (read-only)  \??\l:  FECWXQ.exe
File opened (read-only)  \??\o:  FECWXQ.exe
File opened (read-only)  \??\p:  FECWXQ.exe
File opened (read-only)  \??\u:  FECWXQ.exe
File opened (read-only)  \??\v:  FECWXQ.exe
File opened (read-only)  \??\k:  FECWXQ.exe
File opened (read-only)  \??\m:  FECWXQ.exe
File opened (read-only)  \??\x:  FECWXQ.exe
File opened (read-only)  \??\y:  FECWXQ.exe
File opened (read-only)  \??\b:  FECWXQ.exe
File opened (read-only)  \??\h:  FECWXQ.exe
File opened (read-only)  \??\i:  FECWXQ.exe
File opened (read-only)  \??\n:  FECWXQ.exe
File opened (read-only)  \??\q:  FECWXQ.exe
File opened (read-only)  \??\r:  FECWXQ.exe
File opened (read-only)  \??\w:  FECWXQ.exe
File opened (read-only)  \??\e:  FECWXQ.exe
File opened (read-only)  \??\j:  FECWXQ.exe
File opened (read-only)  \??\s:  FECWXQ.exe
File opened (read-only)  \??\t:  FECWXQ.exe
AutoIT Executable (14 IoCs)
AutoIT scripts compiled to PE executables.
resource                                                                      yara_rule
behavioral1/memory/2236-174-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-190-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-200-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-212-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-222-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-231-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-242-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-254-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-264-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-274-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-283-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-295-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-305-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
behavioral1/memory/2236-315-0x0000000000400000-0x00000000004CA000-memory.dmp  autoit_exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"
Process: FECWXQ.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel (1 IoC)
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop
Process: FECWXQ.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2236  FECWXQ.exe
(the same pid/Process entry is reported 64 times)
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 163KB
  MD5: 79a0bc1ee402128889dc1c5af3114ed8
  SHA1: fb2e5351dc7805a3d83b3488cb7df8a55b492600
  SHA256: 44ecd03f03f5ce08bf53cf3017604e14370cc59257a0ae98dd051a798bdb7cac
  SHA512: bd91ddd72b591ad844183fd4163fd23916396e289cdeef01f74c5e0c89752ed12fac824498206721a475fcbc40570ad95dbc798aa6b5eb717f314614d11d52b3
- Filesize: 8B
  MD5: de6fdff1993c731e52e49d52a6e684d9
  SHA1: 120d1ff8a24109eed24ac1a5697383d50bcc0f47
  SHA256: 645c2d0cb9f6edf276f7dead9ab8c72531cdae22f54962d174c1339c30cb1b42
  SHA512: 99d05bf76a3a7466ccf27ac304ba35639716089d8dae388aaa707bfb6feb3f362251a65951663dd86abcac5a5e7358a5f29faedfe4c0b55ae136ba9d8f1209c1