b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Size

474KB
MD5

38d935266944c5f49d35c42ce150086a
SHA1

7bfad76c6b3844f2cea23ffc7bd4702fe737fe73
SHA256

b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f
SHA512

398927af28bcd3ad101481dd72c40aad7707b6963990e75e11d9c2ac8c57c71770e5a97aee4d0c2bcc6d7df6f12822a81746925e6fd1f561fe4581a52ec0f8c8
SSDEEP

6144:vdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqq:l8kxNhOZElO5kkWjhD4A

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2776	FTKJLPK.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	FTKJLPK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\VAJ.EXE \"%1\" %*"	FTKJLPK.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FUSCV.EXE = "C:\\Program Files\\JMQSE.EXE"	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\Q:	FTKJLPK.EXE
File opened (read-only)	\??\Q:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\M:	FTKJLPK.EXE
File opened (read-only)	\??\O:	FTKJLPK.EXE
File opened (read-only)	\??\G:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\O:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\R:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\T:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\N:	FTKJLPK.EXE
File opened (read-only)	\??\R:	FTKJLPK.EXE
File opened (read-only)	\??\S:	FTKJLPK.EXE
File opened (read-only)	\??\V:	FTKJLPK.EXE
File opened (read-only)	\??\H:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\G:	FTKJLPK.EXE
File opened (read-only)	\??\L:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\H:	FTKJLPK.EXE
File opened (read-only)	\??\I:	FTKJLPK.EXE
File opened (read-only)	\??\J:	FTKJLPK.EXE
File opened (read-only)	\??\U:	FTKJLPK.EXE
File opened (read-only)	\??\K:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\U:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\V:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\E:	FTKJLPK.EXE
File opened (read-only)	\??\P:	FTKJLPK.EXE
File opened (read-only)	\??\J:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\M:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\P:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\S:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\K:	FTKJLPK.EXE
File opened (read-only)	\??\L:	FTKJLPK.EXE
File opened (read-only)	\??\T:	FTKJLPK.EXE
File opened (read-only)	\??\E:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File opened (read-only)	\??\I:	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\ODOI.EXE	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File created	C:\Program Files\JMQSE.EXE	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
File created	C:\Program Files\WLLN.EXE	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\FTKJLPK.EXE	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\PerfLogs\\OBD.EXE \"%1\""	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\PerfLogs\\FTHS.EXE \"%1\""	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\VAJ.EXE \"%1\" %*"	FTKJLPK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\$Recycle.Bin\\BBY.EXE %1"	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\$Recycle.Bin\\XKA.EXE %1"	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\WLLN.EXE %1"	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\ODOI.EXE \"%1\" %*"	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	FTKJLPK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	FTKJLPK.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2776	1960	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe	28
PID 1960 wrote to memory of 2776	1960	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe	28
PID 1960 wrote to memory of 2776	1960	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe	28
PID 1960 wrote to memory of 2776	1960	b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe	28

C:\Users\Admin\AppData\Local\Temp\b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
"C:\Users\Admin\AppData\Local\Temp\b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\FTKJLPK.EXE
  C:\Windows\FTKJLPK.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\FTHS.EXE

Filesize
474KB

MD5
8590f1246b56a2dfce2c5af76d6a859b

SHA1
bf89273075bdc66339082f4047f94054026e029d

SHA256
efc3bf059b74570d658505e4bdb761cc2984c7d147e47c0c5880e4a2d557e3e8

SHA512
ae5d84d61af63878dac691ff993ff979ea2cc3d7aa16e068e34fbd492645d7fc1153fe719496b1ef3c34ee835ad63ec8f905886ce47309e5c31ca9cad75d8147

Download Submit
C:\Windows\FTKJLPK.EXE

Filesize
475KB

MD5
b36ccb73fbed11046af1a0c061f3f8e6

SHA1
2e50b0ee4cc89b1968ebe3df7091d74ab337a5f1

SHA256
28d698875ab968f1d667e2b7d223e340d847b27f373beabacf27db7e996c1f3b

SHA512
ef1e8dcec1d05d4981104c35c08761c11bab79eb6de75faac8a68f215b80af94f1c9d0e4ea271cf24e705ec0ede0787b06ce74b6e87e859817d2d41c49a062ad

Download Submit
C:\filedebug

Filesize
224B

MD5
dbb98258af2c77de023366b52446d1a7

SHA1
310e3525a362ff1c94ed1519bedb3d74111629dd

SHA256
5cbf349fad1cb508d75df861915535521f041c21680c9eb7409e785b0a92a75c

SHA512
e10fc030c331774f5361aeb9590c2cf21ee517550848c855b3fee41fc98afbce73e5a30ecfe8ca07234995327ba2fd8b5f699be9bd43b60ae7c455ecb38b6cc2

Download Submit
\??\c:\filedebug

Filesize
245B

MD5
75e8700a4e7641311286c520dd9d1b33

SHA1
00d1d9550f8b6f79a8675920f07f5327a7f69217

SHA256
42bff9556b7375e763e72e6500f5696c5b1430a120a30ab89b62d79b8a85761b

SHA512
419c8f0ac6e0b47baeb99fade1357bf29ebb8d0b5c9b0027fa99b9fe5d667f4a513bfc109412856dff814621f4d005635a9d4a61119fe234b3de5baf45e37974

Download Submit
memory/1960-24-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1960-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2776-33-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-36-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-31-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-32-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2776-25-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2776-34-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-35-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-26-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-37-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-38-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-39-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-40-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-42-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-43-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2776-44-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads