Overview

overview

10

Static

static

10

Femmeware_v0_1_1.exe

windows7-x64

7

Femmeware_v0_1_1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    59s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Femmeware_v0_1_1.exe

  • Size

    512.2MB

  • MD5

    5fb86988f1c72558edcda6ba673ad4a0

  • SHA1

    1e0bcff62d7aae5890195d37188cff24dc00980c

  • SHA256

    a4333d3ae7dc446f6f55f8d990092e2699d466314e90668041b8216da60254dc

  • SHA512

    abcdabd1ffb2a31066334d05360295525393b57fe0725596539d7bb39e1169e4419c2292ea2ecbdd605b967fad93791226d739c5125f21dac11fa21bf52a706b

  • SSDEEP

    12582912:Fbz4DBfU4BRU5MfKxxwK0mi1bg5ZMB7WKEbq:Fbz4DBfU4nU5MSnV0mia5yB7FEq

Score
8/10
persistenceransomware

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 30 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 31 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Femmeware_v0_1_1.exe
    "C:\Users\Admin\AppData\Local\Temp\Femmeware_v0_1_1.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3828
    • C:\Windows\SysWOW64\explorer.exe
      "explorer.exe"
      2⤵
        PID:2692
      • C:\Windows\SysWOW64\shutdown.exe
        "C:\Windows\System32\shutdown.exe" /l /f
        2⤵
          PID:3100
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:3308
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
        1⤵
          PID:3244
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa3949055 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:4008
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:4292

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          2
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          2
          T1547.001

          Defense Evasion

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          3
          T1012

          System Information Discovery

          4
          T1082

          Peripheral Device Discovery

          2
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Defacement

          1
          T1491

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\Accessibility.dll
            Filesize

            20KB

            MD5

            8498a2fa7558a261516d420216061dde

            SHA1

            465f06996cc2490b288a82f1ee4573883be4cdc7

            SHA256

            4588d9cf84c328f30d1ee5426449cb5d329570c32896637f7c8477082b821cbc

            SHA512

            dd1cadf1eefae44d18eb744d0f1e966b93e591824364f48a2f4f883b0b52a01fb2cd7ed388fb9ac9e00985517d4b0899bb72dd2c65005c02ea8335d6c1ae13f1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\Femmeware.dll
            Filesize

            105.5MB

            MD5

            fe941edf0ce37a1329b402a969620027

            SHA1

            ecea7bf898eb3d3aea540605775e55e4622a40fc

            SHA256

            42765fdc07bcb5c5aaeedcfcc53c50225508beb984610da06d266f5d25339df4

            SHA512

            539f899d468ae3e2027e1ebce2e0decd6e69ac2512540ede6429253dabd51d53f2497bee6335fc5632df4c80451b2fc770241db4790f0f79fbfb9dce885e70b4

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\Microsoft.Win32.Primitives.dll
            Filesize

            15KB

            MD5

            e8e7f8a5fa85e6d0c0c5852f196c4335

            SHA1

            2d4c331299a4dfa78f32ac42e04e179ed371e91d

            SHA256

            9e19d7d3973956aac57fad7417973f8713c2e1710d8a3742a5b9f2c531b306b5

            SHA512

            b1fb020158db90dd97eb71554d649273b75400cf82d65957e6253cbb1bf3ed7407cc6625f61646cd9214b305c28407402341dcf377d0eb9dcfeeb1e3451a8ce4

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\Microsoft.Win32.Registry.dll
            Filesize

            102KB

            MD5

            0b09420b48c1ae6702e7a1c09a4d1bec

            SHA1

            3d49792ba3790e133976c46a17cf585bb89fca27

            SHA256

            645a7deda4ea928ac7ac79dde338880d13e5c897c6b58e37f1664c92735b1514

            SHA512

            3108caf6548becd1b10dc0add19e05a0cc4eb61fa93361d57407b758056cf32bedfc90de48786d7646537c6c59af0cc71cf8ee9fce94a6595dcaeff70c4b1255

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Collections.Specialized.dll
            Filesize

            90KB

            MD5

            854231244235cf256e789c5560335013

            SHA1

            00a79b5be5b7c3dc36b15a0144a659a8292f44ae

            SHA256

            9e8a99c9f6ee84c498dd77a32d0965545662af87b4f9bf9b9ff2c3ad2864453f

            SHA512

            b5b40d47fb4c0668b1489ee61312708e6d5044c01235386b8b43fb3e2908ec738c7aec88215fc0f5dc4e26ca3ee525b59c3bed0603c86f04188304bac8667c0e

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Collections.dll
            Filesize

            234KB

            MD5

            e6f0e8fa27c6009c9615fa618a4c0b74

            SHA1

            6c6e1949b59e671b09690b0c1f1ab009cdb7a0db

            SHA256

            06147b30dd0172b55c39a7bcbaf8361f6762ff0f872357979fdcdf19cbabedb6

            SHA512

            d9e7e2ce75d8eade0d7ab0e734a1e6c2485c5df0e77722653f1add2ad91342a9979c6390a8e481b55d7f246366cd9674c460d29be8f672c6cd3c9c04e37dca15

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.ComponentModel.EventBasedAsync.dll
            Filesize

            46KB

            MD5

            3afbb33963067028e65b8c2eb929451b

            SHA1

            219670b79f1c36082f0d570a7b92a9b4e524627f

            SHA256

            73bc7e24b4128d55da127849373c01a09639c3f8ea864c55ba8fc61312cf8c40

            SHA512

            d7a8388212f51c7abb5259865e7af18d9ed37d770f6cbba58d6ef6c75e608d811b48afa538b8bd87a336a5b8d5d35db107553923f1bc7e95f48ad0f54d9b15eb

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.ComponentModel.Primitives.dll
            Filesize

            74KB

            MD5

            9c755625f54790393dc292c4739aa30c

            SHA1

            023a2626d9a805b2128a6f6eb40923d69c0d56f1

            SHA256

            6a4ee989c5b2a552521fb81ac5591561a60051f343f1412286f738a7cae93a17

            SHA512

            f115cd8ce681c5f359fab12779c8111b8510d0da35a4a07173f520f2e8ad8eff9096fa993c2d8d926775b3a94c05bf6f7f1c61389c8117ac097a29b70fd81e11

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Console.dll
            Filesize

            154KB

            MD5

            e6935dbfc128085aa10106f455ae988d

            SHA1

            8dc899b9df7d953bd318deda1613cff5654d368d

            SHA256

            db9491f6d7815e5eee9977e190524469f5505fc215259fd95bb9fd8c86e807d0

            SHA512

            af29877d6b47525bcdc606d0fc455381fb454874b6855dc4abffc218291c288d94870aacd1e7f34dcb9569229e189db379f1ab05c7e6f4618fbfd62fad3c8b53

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Diagnostics.Process.dll
            Filesize

            290KB

            MD5

            6005c9f9e04a9f4a7c9176a76b9899db

            SHA1

            d6222a7a951444fcbfb38c9640333fbd07574e0f

            SHA256

            08a0b5eba03418806475a09457d61bb8fe0d78673b0c2d6ae092db69660634aa

            SHA512

            5fbeedba13f3e3efd9613b397be9e52dac63385d2d0043c8761b5921a96b6ba1631dc6d0fd05f8de9bbe8cf597ff9857d2322a2bc7fbf36f8fad135a20491fc8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Diagnostics.TraceSource.dll
            Filesize

            126KB

            MD5

            927d95dc91c13c634d6e37b0282bf82c

            SHA1

            d6b931de6b4569f0726bee3c80f8636b83bfa3e8

            SHA256

            17fd380232adb5f2da9e511fb2e6b048f6c645e6bf62e794cdb01326b6a5d155

            SHA512

            256f6e42e1bb924a9d76006986a8bdb93e1f4edb7b9c20a0d32834fc7016bb247fd0fe94e55c387a7d2a7480bf53d833a41d75afdb14fd345bdfdab9aa7cbbb7

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Drawing.Common.dll
            Filesize

            1.3MB

            MD5

            63ded0da102305a3a3a1632232735d91

            SHA1

            94cef4f73859ec3196d7f970d99034bcc4c0fe0c

            SHA256

            31a064f49592fd3766f3636c86ddd940d9c070d4730499345167e5c826d96f92

            SHA512

            e8431f5bdcc1cf274bf3ddc189cfb14be47f3fc0a1527a07aa4a4b6c1e6c1bc4555341fd858d18642d5763884b2dc31121ed013c59e7d49d07b1dda7d2c9422d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Drawing.Primitives.dll
            Filesize

            126KB

            MD5

            a583ab761481a5755a7aec0908167876

            SHA1

            99da30479ad4775c2d2ca51cdfb3ca244bb82548

            SHA256

            a8c21d966a1f6cc26cac55e305c069b418e472abd9f206686162742f5d82f550

            SHA512

            373bae77fac8d53dc856e8e7c1f1d2b1187fe86fe9dbfbe735e393961b6b66e3276fc2f8c8ff3e2a39f74c01c5ff780c5b6529e47c15d94f4ee35eebe71313bf

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Memory.dll
            Filesize

            142KB

            MD5

            1014375f7997520b3648df461feed6c6

            SHA1

            7e244377cc46cf1180a46182d951f25f411d32a2

            SHA256

            f5a551228ea9c0d5c14a706cce142c79dd29b9f3cfeeaa7cf2b808d43c3e329c

            SHA512

            032dacd767621076a1bc63eae36648ccd622509b20dd799e0fbae1de60d5a512c0cdd12ac26d0c0ff9217f6122725d505dbd282f06dfcd7315ef5fc5fc17b972

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Private.CoreLib.dll
            Filesize

            11.9MB

            MD5

            fc5dbcad46ab19b62d5755293cda2a4c

            SHA1

            db19c149f561775ed353bc2cf3dbbfb3c3f23566

            SHA256

            41facef80f527a263e3180ec5b4483a0cb9f94b4e85b50237c07509508a35996

            SHA512

            49bd844ea477108b96515c9d01a3fd845df0aac3d35bdfcc4cdaca0b14fb9fe33dbd02624352aff9f21bece7d28302484497ac25150c2650fdea132651824caf

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Runtime.InteropServices.dll
            Filesize

            86KB

            MD5

            2de526e298c8ae1f2fe8d912396f7dab

            SHA1

            23d3a3e70695880e8699ae52c8708f9fad27c04f

            SHA256

            f36923a2f3bec300a80d1301b00cc2f763e27c86fd86f56f4545cbf607298ed2

            SHA512

            46719c444dc201e08dbdcf85cb0123cc6f06256d2e254ab85cfd53ff56450fc367186117d6fcc86711984b8c9934d38b86d5464fccf27724b5c73d80ddc7d33f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Runtime.dll
            Filesize

            42KB

            MD5

            52b14397705282eb85aae70f7634e8cb

            SHA1

            f422bcd8f4df69ddcae947affab02bd07ca22057

            SHA256

            d9f6d328966b88e463f978ce05ae5794693560365d91e9c5d30a9722e0946e75

            SHA512

            6b2c8b8a9b9dfbfbe93e05e0246c3b61b8dc064188246114210c7a7b7c9cfa0bbc8d87d67da886549aa34041a37c2a5bd561e56df0d1c6489c0c3449e8044136

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Security.Cryptography.dll
            Filesize

            1.7MB

            MD5

            2aab48a221a2d3d0dbbd3a5b636db2e3

            SHA1

            69ccf197a1d45e4d7d2621b8fb3b3355d7a5d927

            SHA256

            e2bf84a50e27bf261d642878e5c4ea30321d5278f35805d4b94d678ebd27d7d0

            SHA512

            8607435a7efb74dca16827a11e996cdb425693d6202790bdc9dd98159416c1e8e1123784a854acab796c5aa416b8d8507312d4111fbaa3a68e38e9b493418ff5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Text.Encoding.Extensions.dll
            Filesize

            15KB

            MD5

            7356a0c3d4dbf74ab54f86da4ec30085

            SHA1

            57293a4ff7f6777c1869809673ad20627339ff3c

            SHA256

            a953fae1a01e95bcaca3ee19d861efeaed3d06699df22ab337df885b72c2c73f

            SHA512

            1ecb3df1a32f2500a59dd46e5461fc5215f062103b616265c6e1716ea263079032815e2625da6122663d0d283a6c1799c2502fc24dea83931976a020e389f61d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Threading.Thread.dll
            Filesize

            15KB

            MD5

            adf197c1c2c2a9f6786ba6efb1f1d330

            SHA1

            5f637c51a9daf23879fe35b81d9e06c30722a1c4

            SHA256

            8e54893d738541b6dca1693100b1b5dddeee877c92630b69110b0f29423f1b41

            SHA512

            3aeca1ea70aad0e1c8a884453360c1f434861c6dc9cbfbc291e707d47db1eb7987292ba19b3dba344b5ed7a23e620f2cf4beda40d00c68be473c63bcb4a81113

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Threading.dll
            Filesize

            78KB

            MD5

            a0a2c4c0811d6b133ccfbc1fc48e6ae0

            SHA1

            00dcae3cea2de5d02b60a68b81d669beb98d09eb

            SHA256

            c72cb9bc7b9dd33b200d797dcb2f313c5ea44ee7efa4133db98e90d203de6712

            SHA512

            ff979320679525f7fe88be659c62077b3660d267adf971f7dee226a1074e61ca2d7d198c77719581214ff0deb3565de60db4eb39f0a4e1e89271a4a50117e1a8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Windows.Extensions.dll
            Filesize

            110KB

            MD5

            7400305dfbe589c6b8619eeee0a4c8e8

            SHA1

            31feedb6b15ec75159d3ae4b8d4d4bbf255e4342

            SHA256

            520ae0f47b235a8e64505fd8c9a50a8ae4a79ab0976c999ff215ca355150ab1f

            SHA512

            c9c05c9e95bf4580df3ac6c57775874d2e06117c2a05364df6be50925fa4a0a051af0b694387e21a966fffa08acb14d86d77344d55a844f4affdbeb64fd48162

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Windows.Forms.Primitives.dll
            Filesize

            2.6MB

            MD5

            186a2c6767696a074070c6533361eee7

            SHA1

            b85137a147ffdf612c3d10bf01c2cb84853d9a21

            SHA256

            cb555ac250bb38e7fbe6d10adb1d8a5456c90a4ee10703ab1e648d76d96297fc

            SHA512

            d2ff60818c6f32396eca71c2e5a4911adb93e1e34cece05c4d86fcd6e3622dec3ebca4b557912621b950ccff2fa352dfc8c5d00a6d57e1b3df7314cde2ca9c4a

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\.net\Femmeware_v0_1_1\Y9l92IhArCaUGkCbUH4mDgrJ3g5MY3I=\System.Windows.Forms.dll
            Filesize

            12.2MB

            MD5

            357d2b02eabfb9a724cd31613b99239e

            SHA1

            03aa1e1ee50f7e9c760805ac5af8a5d9d5ba82ae

            SHA256

            aa602eb68737edf952a7f2e4232b3e08789c81389510f1b7e072fa7816e0decf

            SHA512

            e6a655b868a3339ffd73cfa0b9544580034302cad217ee548571e94fad64c96aaf5b1b351174d95ca5ef38d4540206c3d129007d924003536d9ad97ebe9079bf

            Download Submit