Overview

overview

7

Static

static

3

freevbckфффs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 20:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    freevbckфффs.exe

  • Size

    845KB

  • MD5

    0032a44ea5ab15f9d8b1509a01b28acb

  • SHA1

    7016f5f60c90c9d04d8b46310a02993d331687aa

  • SHA256

    24f62ac03f36d55d90ad268265e2d969bf9e5915f1928968140f3f4c43a8c4a8

  • SHA512

    32643b12c89eb69421c90fef10e32b3032fa73b932222e1a17515491e5617459e5639ddd95b9dc5512b0328ed8720c2f40a6fb028bbf17a68836f0b4aadc3bd6

  • SSDEEP

    24576:qsS04YNEMuExDiU6E5R9s8xY/2l/d+1Ibt+ro:qE4auS+UjfU2T+1Ibt+r

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\freevbckфффs.exe
    "C:\Users\Admin\AppData\Local\Temp\freevbckфффs.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{08a45fa7-1f44-4f64-9e78-de9682d57756}.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1624
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo j "
          4⤵
            PID:4184
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe""
            4⤵
              PID:1700
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo j "
              4⤵
                PID:2324
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{08a45fa7-1f44-4f64-9e78-de9682d57756}.bat"
                4⤵
                  PID:3152

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\{08a45fa7-1f44-4f64-9e78-de9682d57756}.bat
                  Filesize

                  202B

                  MD5

                  b9992c598e151e1445278b45789d3d37

                  SHA1

                  0c9fbca7fde9a5421c687d1884d7742ecd949268

                  SHA256

                  13ba12b858f01b97e4b98e1794282eb6a9640c79a1d3428f6a4a3fd00afc8cb5

                  SHA512

                  5f39dbc4efbf574ccd1cb257b06ce29bf13b5e9dded4108cbad1618849bec7fb2400119b04df6eab60b45af925d1af1498cf9d6d0a6bde89f9aa131a6ecb335f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
                  Filesize

                  845KB

                  MD5

                  0032a44ea5ab15f9d8b1509a01b28acb

                  SHA1

                  7016f5f60c90c9d04d8b46310a02993d331687aa

                  SHA256

                  24f62ac03f36d55d90ad268265e2d969bf9e5915f1928968140f3f4c43a8c4a8

                  SHA512

                  32643b12c89eb69421c90fef10e32b3032fa73b932222e1a17515491e5617459e5639ddd95b9dc5512b0328ed8720c2f40a6fb028bbf17a68836f0b4aadc3bd6

                  Download Submit

                • memory/1028-18-0x0000000074F80000-0x0000000075531000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1028-19-0x0000000001170000-0x0000000001180000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1028-21-0x0000000074F80000-0x0000000075531000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1028-22-0x0000000001170000-0x0000000001180000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1028-27-0x0000000001170000-0x0000000001180000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1028-28-0x0000000074F80000-0x0000000075531000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4920-0-0x0000000074F80000-0x0000000075531000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4920-1-0x0000000074F80000-0x0000000075531000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/4920-2-0x00000000016E0000-0x00000000016F0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4920-20-0x0000000074F80000-0x0000000075531000-memory.dmp

                  Filesize

                  5.7MB

                  Download