6b4d1ddccb0760b0cbe5d392c9b0cc7d5a5eaa0be0772388e37c38a0aedb4f25

General

Target

13d8638ffa2728a85f5a4477c1698230N.exe
Size

974KB
MD5

13d8638ffa2728a85f5a4477c1698230
SHA1

0f09305284619740d8f71592bb630085f99992fa
SHA256

6b4d1ddccb0760b0cbe5d392c9b0cc7d5a5eaa0be0772388e37c38a0aedb4f25
SHA512

8aa021c7cbde119c05b32e7a3b4b8dc2a408cbdb924ca790819c19eacfffd53b3422391b73977896a02b76a424a28104f23d3b2aa3dcf6956eff19905616cfaa
SSDEEP

12288:lOOZpUtlwX+zc7V5Rn1JyfPcOOZpUtlwX+zc7V5Rn1JyfP:nZhNrRCfP6ZhNrRCfP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3860	FCHSYHE.EXE

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\FDPM.EXE \"%1\" %*"	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	FCHSYHE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FDPM.EXE = "C:\\Program Files\\FDPM.EXE"	13d8638ffa2728a85f5a4477c1698230N.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\J:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\O:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\R:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\U:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\G:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\M:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\N:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\P:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\S:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\K:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\Q:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\T:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\V:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\L:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\I:	13d8638ffa2728a85f5a4477c1698230N.exe
File opened (read-only)	\??\E:	13d8638ffa2728a85f5a4477c1698230N.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\MOLC.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File opened for modification	C:\Program Files\MOLC.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File created	C:\Program Files\FDPM.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File opened for modification	C:\Program Files\FDPM.EXE	13d8638ffa2728a85f5a4477c1698230N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\FCHSYHE.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File created	C:\Windows\YRMCALR.EXE	13d8638ffa2728a85f5a4477c1698230N.exe
File opened for modification	C:\Windows\YRMCALR.EXE	13d8638ffa2728a85f5a4477c1698230N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13d8638ffa2728a85f5a4477c1698230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FCHSYHE.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	FCHSYHE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\FDPM.EXE \"%1\" %*"	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\MOLC.EXE %1"	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files\\FDPM.EXE %1"	13d8638ffa2728a85f5a4477c1698230N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\YRMCALR.EXE \"%1\""	13d8638ffa2728a85f5a4477c1698230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\YRMCALR.EXE \"%1\""	13d8638ffa2728a85f5a4477c1698230N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3860	FCHSYHE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3860	4092	13d8638ffa2728a85f5a4477c1698230N.exe	84
PID 4092 wrote to memory of 3860	4092	13d8638ffa2728a85f5a4477c1698230N.exe	84
PID 4092 wrote to memory of 3860	4092	13d8638ffa2728a85f5a4477c1698230N.exe	84

C:\Users\Admin\AppData\Local\Temp\13d8638ffa2728a85f5a4477c1698230N.exe
"C:\Users\Admin\AppData\Local\Temp\13d8638ffa2728a85f5a4477c1698230N.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\FCHSYHE.EXE
  C:\Windows\FCHSYHE.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\FCHSYHE.EXE

Filesize
975KB

MD5
37bb1a2f5c78d8a00e759d3b764826e4

SHA1
46e1c3464bb2b001ebabb45116c1030f485668d0

SHA256
585c0eea974a1d5f66c4592812438ed25038dd66a3047224b29f441c1f2f7cf7

SHA512
c126274303fe6d2c6e8052137ab730eeaf9ce1de3950415d8caff702ed1ca96cb5b69b29cd9a2e2c20a4e0b4f685b17467ca4d667ac3474af4b146364f1b7b1d

Download Submit
C:\Windows\YRMCALR.EXE

Filesize
975KB

MD5
d8e8ce7c166ff2b49025cf8f45c636b1

SHA1
71b6ef1acb5ebbb7194d725bd9070667e6152fe0

SHA256
a4daa446d7eda78ba1aafbe6df2392ccc9e91df7c8a469317851d7691287d53c

SHA512
fabc6b64ea9b8072ccaeb33caf84b0e829836757bca3dd127abd8fd3f202583e7fa6920fa6c3a53a4e3db7d4debe7e9ab0b39d28ea94c652320958fbd3659703

Download Submit
C:\filedebug

Filesize
231B

MD5
3402d424267d1ba7bb3f8defcc588d88

SHA1
044ff4a4d1a6351c9a59e4397ab8d9c08722cf78

SHA256
0916e6dfe94e2f96c3c3dfcd4ca9bc827f428f7bb29735a2f2f7b873c180593e

SHA512
9755d87aa626c021dbe526b4d18a52f26491b2b791959f9feb3be2e17f049f1080d42b278c58ad71f47715bc8b1aaf7608dc866a7b9d89c7da90410873e04634

Download Submit
memory/3860-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-25-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3860-26-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-22-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3860-31-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-32-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-37-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3860-36-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4092-0-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4092-23-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads