Analysis

max time kernel:   150s
max time network:  100s
platform:          windows10-2004_x64
resource:          win10v2004-20240508-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted:         01-06-2024 05:43
Static task
  static1

Behavioral task
  behavioral1
    Sample:   ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe
    Resource: win7-20240508-en

Behavioral task
  behavioral2 (the run this report covers; see platform/resource above)
    Sample:   ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe
    Resource: win10v2004-20240508-en
General

Target:  ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe
Size:    312KB
MD5:     0ee9b41689676c79004980e3245cc5b8
SHA1:    5731264114d4d589b7d927ac7fc0a75d7e7789fd
SHA256:  ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472
SHA512:  3265389ff1cc228ab0d819d526617dc29629ab388a645b406ccfea8c9fe567cd873012d4605cbc49c439d2f176f56866c649838049b23dd5460e297b03b487ea
SSDEEP:  6144:HIbc0f7XP+g3AGJpWVzuQGRHeEgRK/fObT/bGiJKv6R7MkZ4lUr8W9HuOGKhvsM6:ow27/XvLWpuQUeEgRK/fObT/bGiJlMks
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Sets ShowSuperHidden to 0, so Explorer stops displaying protected operating-system files. Both the sample and the dropped copy set it.
  - Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: mfzup.exe)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation (process: ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe)

Executes dropped EXE (1 IoC)
  - PID 884: mfzup.exe

Adds Run key to start application (2 TTPs, 53 IoCs)
  All 53 IoCs are "Set value (str)" writes to the same value:
    \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfzup
  The data is always "C:\\Users\\Admin\\mfzup.exe /<switch>"; only the single switch letter differs between writes. Switches as listed in the report (written by mfzup.exe unless marked):
    /m /J /S /j /Y* /c /Q /V /X /u /l /q /F /Z /T /W /D /n /x /t /s /d /L /O /i /I /w /z /e /G /E /r /f /v /B /K /H /h /C /g /P /Y /k /N /R /p /A /y /U /a /o /M /b
    * written by ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe; the remaining 52 by mfzup.exe
  The dropped copy therefore keeps rewriting its own autostart entry, so a single value-data match is a weak indicator; match on the value name plus the image path in the user profile root instead.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4444: ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe (2 hits)
  - PID 884: mfzup.exe (62 hits)

Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 4444: ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe
  - PID 884: mfzup.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Three identical entries:
  - description: PID 4444 wrote to memory of 884; pid: 4444; process: ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe; procid_target: 90
  All three writes target PID 884, the dropped mfzup.exe that this process launches (see Processes). A parent writing into a child it has just created is also what ordinary process creation looks like, so this entry by itself does not establish code injection.
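The registry IoCs above are the sandbox's flattened event rows. The Python below is an added example, not part of the sandbox report or of the sample: it parses that row format into records and applies the three checks a triage script would want from this report (a Run-key write whose image path is the writer's own binary sitting directly under a user profile root, ShowSuperHidden forced to 0, and the Geo\Nation lookup), and it collects the distinct command lines written to one Run value so the switch-letter rewrite loop stands out. The event rows are constructed from the IoC rows in the Signatures section (a subset of the 53 Run-key writes); the rule names and the "profile root" heuristic are my own, not the sandbox's.

```python
"""Parse the sandbox's flattened registry-event rows (the
'Set value (<type>) <path> = "<data>" <process>' form used in the report)
into records and run the checks a triage script would apply to them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<kind>int|str)\)|Key value queried) '
    r'(?P<path>\\REGISTRY\\[^"]+?)'         # key path incl. value name; may contain spaces
    r'(?: = "(?P<data>[^"]*)")? '           # data is present only for writes
    r'(?P<process>\S+)$'                    # image name of the acting process
)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Heuristic (my own, not the sandbox's): an EXE sitting directly in C:\Users\<user>\
USER_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)


@dataclass
class RegEvent:
    op: str              # "set" or "query"
    key: str             # key path without the value name
    value: str           # value name
    data: Optional[str]  # written data, with the report's doubled backslashes collapsed
    process: str


def parse_event(line: str) -> RegEvent:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event row: {line!r}")
    key, _, value = m.group("path").rpartition("\\")
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")
    return RegEvent("set" if m.group("op").startswith("Set") else "query",
                    key, value, data, m.group("process"))


def exe_from_command(cmd: str) -> str:
    """Image path from a Run-value command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_run_key(ev: RegEvent) -> List[str]:
    if ev.op != "set" or not ev.key.lower().endswith(RUN_KEY_SUFFIX) or not ev.data:
        return []
    exe = exe_from_command(ev.data)
    tags = ["run_key_write"]
    if exe.rsplit("\\", 1)[-1].lower() == ev.process.lower():
        tags.append("self_persistence")      # the process registers its own image
    if USER_ROOT_RE.match(exe):
        tags.append("exe_in_profile_root")   # installers do not drop binaries there
    return tags


def check_hidden_files(ev: RegEvent) -> List[str]:
    if (ev.op == "set" and ev.key.lower().endswith(r"\explorer\advanced")
            and ev.value.lower() == "showsuperhidden" and ev.data == "0"):
        return ["hide_protected_os_files"]   # Explorer stops showing protected OS files
    return []


def check_geofence(ev: RegEvent) -> List[str]:
    if (ev.op == "query" and ev.key.lower().endswith(r"\control panel\international\geo")
            and ev.value.lower() == "nation"):
        return ["geo_nation_lookup"]
    return []


def triage(rows: List[str]):
    """(process, value name, tags) for every row that trips at least one check."""
    out = []
    for row in rows:
        ev = parse_event(row)
        tags = check_run_key(ev) + check_hidden_files(ev) + check_geofence(ev)
        if tags:
            out.append((ev.process, ev.value, tags))
    return out


def run_key_churn(rows: List[str]) -> Dict[str, List[str]]:
    """Distinct command lines written per Run value; a long list that differs
    only in a switch letter is the rewrite loop seen in the report above."""
    seen: Dict[str, set] = {}
    for row in rows:
        ev = parse_event(row)
        if ev.op == "set" and ev.key.lower().endswith(RUN_KEY_SUFFIX) and ev.data:
            seen.setdefault(ev.value, set()).add(ev.data)
    return {k: sorted(v) for k, v in seen.items()}


# Constructed from the IoC rows in the report (a subset of the 53 Run-key writes).
HIVE = r"\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000"
SAMPLE = "ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe"
RUN = HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfzup"
EVENTS = [
    "Set value (int) " + HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden" + ' = "0" ' + SAMPLE,
    "Key value queried " + HIVE + r"\Control Panel\International\Geo\Nation " + SAMPLE,
    "Set value (str) " + RUN + r' = "C:\\Users\\Admin\\mfzup.exe /Y" ' + SAMPLE,
    "Set value (str) " + RUN + r' = "C:\\Users\\Admin\\mfzup.exe /m" mfzup.exe',
    "Set value (str) " + RUN + r' = "C:\\Users\\Admin\\mfzup.exe /J" mfzup.exe',
]

if __name__ == "__main__":
    for proc, name, tags in triage(EVENTS):
        print(f"{proc:<70} {name:<16} {', '.join(tags)}")
    print(run_key_churn(EVENTS))
```

Run it as-is to see the tags per row; to triage another report of the same format, paste its "Set value"/"Key value queried" rows into EVENTS. The parent's single write is tagged only `run_key_write` and `exe_in_profile_root` (it registers the dropped copy, not itself), while every write by mfzup.exe also gets `self_persistence`; the churn map shows the per-switch variants, which is why the lead-in above recommends matching on the value name and image path rather than the full data string.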
Processes

1. C:\Users\Admin\AppData\Local\Temp\ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ff85635cfd08235a16e0afa04cdaedaea88c5a815edc343c3d5299231e0e9472.exe"
   PID: 4444
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\mfzup.exe (child of PID 4444)
      Command line: "C:\Users\Admin\mfzup.exe"
      PID: 884
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File (312KB; the same size as the submitted sample, with different digests)
  MD5:     e944c458f293a42c4689ff20a0be568e
  SHA1:    f681fd06f13b713e0363f2165ed67360e5dc3e41
  SHA256:  455d79805b5826143a5475280b7b380206dd2db8ef1447a3464a5b741907721c
  SHA512:  c5871ba66a749247b533262cb41bc2d8333408378577045956c2357a35cf7d382348025ca59c4bc9056070a25d0d47e7255b7c613687ffd9dc3fd671ad8e2b7b