efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
Size

168KB
MD5

12e66885bc86070de3948a0ce1212011
SHA1

edab3ba114289fbf7bc990bce0d7857e164bb4fa
SHA256

efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6
SHA512

13e883ba90ba6fa00ce0a81bca1f0972afea2606a113dc5dd94a77371d5bc42d4852ce4c5484ee22d68c996ec3409971a66923991bc5dcb8fdef2e7bd55f5b45
SSDEEP

1536:HeB5LcmJPqPYzTGRVu+1niPRC7gIeTo8dzQhihZOy+AMnmE7UkAUJZvhICqDojhq:GmiPqPYzTGRVuI7bkzrhT+nmEASq

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fgdaaw.exe

Executes dropped EXE 1 IoCs

pid	Process
836	fgdaaw.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /l"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /v"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /r"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /n"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /d"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /z"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /y"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /s"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /u"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /s"	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /f"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /i"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /b"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /m"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /o"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /x"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /w"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /c"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /g"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /j"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /q"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /e"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /p"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /a"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /h"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /k"	fgdaaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\fgdaaw = "C:\\Users\\Admin\\fgdaaw.exe /t"	fgdaaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fgdaaw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe
836	fgdaaw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
836	fgdaaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 836	2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe	31
PID 2516 wrote to memory of 836	2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe	31
PID 2516 wrote to memory of 836	2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe	31
PID 2516 wrote to memory of 836	2516	efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe	31

C:\Users\Admin\AppData\Local\Temp\efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe
"C:\Users\Admin\AppData\Local\Temp\efbe50f15dffaad0459c5ec4fc5538b7335ad48e25f91e0cf905aa58874dc0e6.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\fgdaaw.exe
  "C:\Users\Admin\fgdaaw.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\fgdaaw.exe

Filesize
168KB

MD5
2c1fe70c3a832675260d1fb2b28e2db8

SHA1
602d3dcd61c06fa83a902bf084ffb88bf035288d

SHA256
f23416e7c766937ec286c00c383e641365e1049bcac0151948058458858890e1

SHA512
cbd02dfad312e581d97f0709996e1362a21461ec184ef3c0f7c5db9f01a977976405eb426335df2dd864dbbc6bc7941fd2155cd39eb079f0cf0e734d55916f06

Download Submit
memory/836-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-8-0x00000000034A0000-0x00000000034CC000-memory.dmp

Filesize
176KB

Download
memory/2516-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-19-0x00000000034A0000-0x00000000034CC000-memory.dmp

Filesize
176KB

Download