18c68757b5dfca97f62bacb19d36c520fef884674ec009f12174ce2e17bc8583

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 22:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

qqfcksjqfz/久久FC.exe
Size

1.5MB
MD5

35b2493e58bc1795d07f58a3809e6882
SHA1

d13c05b2b61f9d6ebdc1585a6f9c331f581c9a0b
SHA256

54146055afc73bf9dc08a859c5781d7f635d7147d77c34bdc13c1294c11c8331
SHA512

0fd12b33adcf3fd046b16edfafc4a189d9a532773c4a3eba766c8dcbb0753b75cac6985991b308706bbf65244777a29c97d3ed75637d6107b09e6b342c90cc72
SSDEEP

24576:xuBC20ODvyYXdJoT0BbcX1sMLMPCMGAyBkQ4AYtHNMLbTvG:xl20dDoB4FNoPCMkBbSNMLnO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	久久FC.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	UCBU.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\UCBU.exe	久久FC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1588	久久FC.exe
1588	久久FC.exe
1588	久久FC.exe
1588	久久FC.exe
1588	久久FC.exe
1768	UCBU.exe
1768	UCBU.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1768	1588	久久FC.exe	91
PID 1588 wrote to memory of 1768	1588	久久FC.exe	91
PID 1588 wrote to memory of 1768	1588	久久FC.exe	91

C:\Users\Admin\AppData\Local\Temp\qqfcksjqfz\久久FC.exe
"C:\Users\Admin\AppData\Local\Temp\qqfcksjqfz\久久FC.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\UCBU.exe
  "C:\Windows\UCBU.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UCBU.exe

Filesize
708KB

MD5
31a224b1a170bbfb41fd08559261375a

SHA1
81dd08a359a238183e4664291d0ba69bf7b6e3e3

SHA256
344066e5f9c2ece28e4f5dae525f23510bb6bd409c65cb4cfff51563e959f4c4

SHA512
710a3391047b9c37985828ccf20b2d394e4ea9d0411b3c56f78e2fb68f95b15368e0f6a96ca9e18fa80b0052267b44649575e024508ee0f2619da7ccf7a34ba7

Download Submit