Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 23:16
General
-
Target
HackedFifa.exe
-
Size
93KB
-
MD5
540bc9dde5aac4fcb45e6e4d17a6b0cf
-
SHA1
c707857181e10af602bdcfec9cf0c5b411790866
-
SHA256
dafc56a5e7e8ea36b8117ad727c59778f1dc0f68e0f9a8266d3b6ae270be9ab2
-
SHA512
e6c1d478bf1de18a8beee830b7a2403b0258a11387169e0db7582fc3178889edfe16f2cf4fc7330d951bfc288b02d721862cf81db9478bd73e227521ad2bf204
-
SSDEEP
1536:f7nisVm7KhG29jE6v1ggpZJ7WTeXLZXkuwxNa0X2/m/L8wIGcCGzOJHj6:DiAmuA29ztLxWTeKxNhXCpwIrCGzOJHO
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HackedFifa.exe"C:\Users\Admin\AppData\Local\Temp\HackedFifa.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\HackedFifa.exe"C:\Users\Admin\AppData\Roaming\HackedFifa.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\HackedFifa.exe" "HackedFifa.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
319B
MD5824ba7b7eed8b900a98dd25129c4cd83
SHA154478770b2158000ef365591d42977cb854453a1
SHA256d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03
SHA512ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e
-
Filesize
93KB
MD5540bc9dde5aac4fcb45e6e4d17a6b0cf
SHA1c707857181e10af602bdcfec9cf0c5b411790866
SHA256dafc56a5e7e8ea36b8117ad727c59778f1dc0f68e0f9a8266d3b6ae270be9ab2
SHA512e6c1d478bf1de18a8beee830b7a2403b0258a11387169e0db7582fc3178889edfe16f2cf4fc7330d951bfc288b02d721862cf81db9478bd73e227521ad2bf204
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB