Analysis
- max time kernel: 144s
- max time network: 78s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 03-01-2025 01:22
Static task
- static1
Behavioral tasks
- behavioral1: Sample F-M-E_v2/F-M-Е_v2.exe, Resource win7-20241010-en
- behavioral2: Sample F-M-E_v2/F-M-Е_v2.exe, Resource win10v2004-20241007-en
- behavioral3: Sample F-M-E_v2/crack.exe, Resource win7-20240903-en
- behavioral4: Sample F-M-E_v2/crack.exe, Resource win10v2004-20241007-en
General
- Target: F-M-E_v2/F-M-Е_v2.exe
- Size: 1.2MB
- MD5: 9e1ea15e3c048ed96c22a8e50bf83b8b
- SHA1: 071a3420cf14fcb1ff96e33daa64f60ee92ac1e6
- SHA256: 699050ce6a9803d066b0d5206dc946c1c54ae8ebc6e9bc7fa18836e9dc8ce46e
- SHA512: 2c397b0f2d677e7d63ca607a72f85c5368dfbf8bb2036eec4ce53e597e8598972700ccd267de0696b40d0da5a99579ac3e7db5873c146b10cd22e75d0cc70afd
- SSDEEP: 24576:acVkKSRXajM/0IV5diCURXnWvxxMiGh5Sq7Ttz8J:acBYXa+0kYCkn4giGhZvtz8J
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- PID 1876: u0Y4ZfNbjZ4PNDNB5.exe
- PID 2372: AutoHotkey.exe
Loads dropped DLL (2 IoCs)
- PID 2960: cmd.exe (2 occurrences)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- flow 4: raw.githubusercontent.com
- flow 5: raw.githubusercontent.com
- flow 8: raw.githubusercontent.com
Enumerates processes with tasklist (1 TTP, 1 IoC)
- PID 3008: tasklist.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes:
- cmd.exe
- cmd.exe
- WMIC.exe
- taskkill.exe
- u0Y4ZfNbjZ4PNDNB5.exe
- F-M-Е_v2.exe
- mode.com
- find.exe
- tasklist.exe
- xcopy.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier, by xcopy.exe
Kills process with taskkill (1 IoC)
- PID 2232: taskkill.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 2372: AutoHotkey.exe (5 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2372: AutoHotkey.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
- PID 3008 tasklist.exe: SeDebugPrivilege
- PID 2900 WMIC.exe (the following 20 tokens, each recorded twice, 40 IoCs in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- PID 2232 taskkill.exe: SeDebugPrivilege
- PID 1876 u0Y4ZfNbjZ4PNDNB5.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
Suspicious use of WriteProcessMemory (40 IoCs; each of the following 10 edges was recorded 4 times)
- PID 3016 F-M-Е_v2.exe wrote to memory of PID 2960 (procid_target 29)
- PID 2960 cmd.exe wrote to memory of PID 2980 (procid_target 31)
- PID 2960 cmd.exe wrote to memory of PID 3008 (procid_target 32)
- PID 2960 cmd.exe wrote to memory of PID 2132 (procid_target 33)
- PID 2960 cmd.exe wrote to memory of PID 1384 (procid_target 35)
- PID 1384 cmd.exe wrote to memory of PID 2900 (procid_target 36)
- PID 2960 cmd.exe wrote to memory of PID 2232 (procid_target 37)
- PID 2960 cmd.exe wrote to memory of PID 2560 (procid_target 38)
- PID 2960 cmd.exe wrote to memory of PID 1876 (procid_target 39)
- PID 2960 cmd.exe wrote to memory of PID 2372 (procid_target 40)
Processes
- C:\Users\Admin\AppData\Local\Temp\F-M-E_v2\F-M-Е_v2.exe (PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\F-M-E_v2\F-M-Е_v2.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2960)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS8CB238C7\run.bat" x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y AsDxzcDAzSDzdD fkkfk@fkfk@fkkf@@kf fk@fk@fkfk@fkkf@fkf FME bN4Aynk"
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mode.com (PID 2980)
      Command line: mode con: cols=40 lines=3
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe (PID 3008)
      Command line: tasklist /FI "IMAGENAME eq EasyAntiCheat_EOS.exe"
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\find.exe (PID 2132)
      Command line: find /I /N "EasyAntiCheat_EOS.exe"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 1384)
      Command line: C:\Windows\system32\cmd.exe /c wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 2900)
        Command line: wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe (PID 2232)
      Command line: taskkill /IM autohotkey.exe /F
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\xcopy.exe (PID 2560)
      Command line: xcopy *.* ..\ /Y
      Signatures: System Location Discovery: System Language Discovery; Enumerates system info in registry
    - C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5.exe (PID 1876)
      Command line: u0Y4ZfNbjZ4PNDNB5.exe x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe (PID 2372)
      Command line: AutoHotkey.exe AsDxzcDAzSDzdD
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads