ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991

General

Target

ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe
Size

96KB
MD5

36412e480cfee73b256af719faccfa93
SHA1

c6c44ae4599b6ff8522223c8225235ac0fd3c574
SHA256

ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991
SHA512

b4f738e65940a10a233acfaf11a90c9efd8f3c771ec0b01861246dda7d85d611800e543a7b7fb3f236c1020ef959cdd136069cd7590fb4b9fa42e32b6a18bce0
SSDEEP

1536:QSBH+gzWwmhLmncdkadGVScGYJXeiyCnO+TI4K4I4i404R4Z1VcvsJOpPpMm4/Ny:DHfW6cOadGRJuH7ut/Tdvd+hXV/vU3vV

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

feamao.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	feamao.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe

Executes dropped EXE 1 IoCs

Processes:

feamao.exe

pid process

3116 feamao.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

feamao.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /f"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /x"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /y"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /t"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /A"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /l"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /T"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /q"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /p"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /a"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /k"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /O"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /R"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /W"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /D"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /h"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /e"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /Q"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /S"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /m"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /N"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /L"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /z"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /J"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /V"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /B"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /u"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /b"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /I"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /c"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /Z"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /v"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /K"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /X"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /C"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /d"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /w"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /o"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /H"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /r"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /M"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /s"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /n"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /g"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /G"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /F"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /U"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /P"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /i"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /Y"	feamao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feamao = "C:\\Users\\Admin\\feamao.exe /E"	feamao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

feamao.exe

pid	process
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe
3116	feamao.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exefeamao.exe

pid process

4832 ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe
3116 feamao.exe

pid	process
4832	ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe
3116	feamao.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe

description	pid	process	target process
PID 4832 wrote to memory of 3116	4832	ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe	feamao.exe
PID 4832 wrote to memory of 3116	4832	ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe	feamao.exe
PID 4832 wrote to memory of 3116	4832	ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe	feamao.exe

C:\Users\Admin\AppData\Local\Temp\ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe
"C:\Users\Admin\AppData\Local\Temp\ddf521f481f58ad13f049d1d56a6c6790dcad66ebef0543eac70ebc51166d991.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\feamao.exe
"C:\Users\Admin\feamao.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\feamao.exe
Filesize
96KB

MD5
5c3f917e28a2d7bfb95c60dd3796789b

SHA1
39ff91d988f28c0cb1ea042b36eb6c8f0ca75421

SHA256
a8fbf86d33acb67c98e57bc52c76093d93c20e9babc2fa3a927589ab5996386f

SHA512
216892ba68f84e7b3d2fbb763d3e85156d65b3032f4d90c8e7a92020aa892436f6a0ba4c5e688625650ddbb920a42bd38a42666c93c153b6a152526352c70e0d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads