b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c

General

Target

b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
Size

53KB
MD5

92c0dfd302e7682f2e0f5f0bae622523
SHA1

a051b6eb1cb99c4830f7c0058d13aafaa9cae387
SHA256

b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c
SHA512

a81ba138213214c2fe4d4938580795045ded4e0a61363cf2ade6d2b68d24960f5add88cf40da9aa61720aac4ef14bdf00b78ef3f1692a66c30bdbb32138f81d2
SSDEEP

1536:vNVg8r8QgMaoz7Kp3StjEMjmLM3ztDJWZsXy4JzxPMU:MMaozJJjmLM3zRJWZsXy4J9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

fksoit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fksoit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe

Executes dropped EXE 1 IoCs

Processes:

fksoit.exe

pid process

2072 fksoit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fksoit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fksoit = "C:\\Users\\Admin\\fksoit.exe"	fksoit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fksoit.exe

pid	process
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe
2072	fksoit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exefksoit.exe

pid process

2956 b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
2072 fksoit.exe

pid	process
2956	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
2072	fksoit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exefksoit.exe

description	pid	process	target process
PID 2956 wrote to memory of 2072	2956	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe	fksoit.exe
PID 2956 wrote to memory of 2072	2956	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe	fksoit.exe
PID 2956 wrote to memory of 2072	2956	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe	fksoit.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
PID 2072 wrote to memory of 2956	2072	fksoit.exe	b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe

C:\Users\Admin\AppData\Local\Temp\b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe
"C:\Users\Admin\AppData\Local\Temp\b57261e6e2abda72c802ebefdcf63fa19c02c976d92b8d641c7f69e57210337c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\fksoit.exe
"C:\Users\Admin\fksoit.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fksoit.exe
Filesize
53KB

MD5
d8d137b65ee6fa3d37b87a416af4fa18

SHA1
fa772afaac9b9c9e21a53e82aacc2f404f23f741

SHA256
8d289efddb19ae342bff9d2bc04114479002caee8674a602e65f6da8e5792497

SHA512
4b959bbbd00d020e3e95b5c8aa642a3b9656e5ea85b90309075255a35758f48d9aacb8b652b8508e6ca4b69c0fbc3dc07db7709a5df852c455882b25c5c6cc15

Download Submit
memory/2072-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2956-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads