2937de2eb7763851d644e637cb7d7375fd69b218beeaceedc46254ac388203c7

General

Target

fdm_x64_setup.exe
Size

38.5MB
MD5

dded481da831784a00d556a1280c124c
SHA1

48b40f82f66dd678f1c2f4c1298eaae2875f75e6
SHA256

2937de2eb7763851d644e637cb7d7375fd69b218beeaceedc46254ac388203c7
SHA512

78dd1b42e918e9670edaaecd1765fb26e349ab7a5bc7b4dc3b85bd387f073a8ac0a4abc6b8a50d5b3cc6cce753cc8745b26bd47b42953723b21b949e7956cbcd
SSDEEP

786432:jketduUzNdogfpTmDvwLIDH8StVQFkatYPexssk:jkiuUtpTmDvwE78+IHUe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fdm_x64_setup.tmp

pid process

2800 fdm_x64_setup.tmp
Loads dropped DLL 1 IoCs

Processes:

fdm_x64_setup.exe

pid process

2724 fdm_x64_setup.exe

pid	process
2800	fdm_x64_setup.tmp

pid	process
2724	fdm_x64_setup.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fdm_x64_setup.exefdm_x64_setup.tmpcsrss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdm_x64_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdm_x64_setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

winlogon.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LogonUI.exe

description pid process

Token: SeShutdownPrivilege 548 LogonUI.exe
Token: SeShutdownPrivilege 548 LogonUI.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

fdm_x64_setup.tmp

pid process

2800 fdm_x64_setup.tmp
2800 fdm_x64_setup.tmp

description	pid	process
Token: SeShutdownPrivilege	548	LogonUI.exe
Token: SeShutdownPrivilege	548	LogonUI.exe

pid	process
2800	fdm_x64_setup.tmp
2800	fdm_x64_setup.tmp

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

fdm_x64_setup.execmd.execsrss.exewinlogon.exe

description	pid	process	target process
PID 2724 wrote to memory of 2800	2724	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2724 wrote to memory of 2800	2724	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2724 wrote to memory of 2800	2724	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2724 wrote to memory of 2800	2724	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2724 wrote to memory of 2800	2724	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2724 wrote to memory of 2800	2724	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2724 wrote to memory of 2800	2724	fdm_x64_setup.exe	fdm_x64_setup.tmp
PID 2748 wrote to memory of 2568	2748	cmd.exe	logoff.exe
PID 2748 wrote to memory of 2568	2748	cmd.exe	logoff.exe
PID 2748 wrote to memory of 2568	2748	cmd.exe	logoff.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 2972 wrote to memory of 548	2972	winlogon.exe	LogonUI.exe
PID 2972 wrote to memory of 548	2972	winlogon.exe	LogonUI.exe
PID 2972 wrote to memory of 548	2972	winlogon.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe
PID 1812 wrote to memory of 548	1812	csrss.exe	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\is-9NDRM.tmp\fdm_x64_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9NDRM.tmp\fdm_x64_setup.tmp" /SL5="$400EE,39406194,832512,C:\Users\Admin\AppData\Local\Temp\fdm_x64_setup.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2800

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\system32\logoff.exe
logoff
2⤵
PID:2568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2616

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-9NDRM.tmp\fdm_x64_setup.tmp

Filesize
3.1MB

MD5
60f76f6e78d966f31d9c574c7465899d

SHA1
2c231f5a57d294ab2b6c1fc6f7902fb453fbeac7

SHA256
ced610b7c01111d289a511d35ada43d94fb4b2537ccfc0317a23e1d3eecd3bf8

SHA512
59b67dd82d6f3cee823d7fba1722455c52479413664f816c6756e42bee877ba854844b10c90d22e63b3631e3b8b83dbf35912507b7fedd7fda4f2724888e2cf0

Download Submit
memory/2724-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2724-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2724-10-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2724-18-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2800-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2800-9-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2800-11-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads