Analysis

  • max time kernel
    144s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-01-2025 01:22

General

  • Target

    F-M-E_v2/F-M-Е_v2.exe

  • Size

    1.2MB

  • MD5

    9e1ea15e3c048ed96c22a8e50bf83b8b

  • SHA1

    071a3420cf14fcb1ff96e33daa64f60ee92ac1e6

  • SHA256

    699050ce6a9803d066b0d5206dc946c1c54ae8ebc6e9bc7fa18836e9dc8ce46e

  • SHA512

    2c397b0f2d677e7d63ca607a72f85c5368dfbf8bb2036eec4ce53e597e8598972700ccd267de0696b40d0da5a99579ac3e7db5873c146b10cd22e75d0cc70afd

  • SSDEEP

    24576:acVkKSRXajM/0IV5diCURXnWvxxMiGh5Sq7Ttz8J:acBYXa+0kYCkn4giGhZvtz8J

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F-M-E_v2\F-M-Е_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\F-M-E_v2\F-M-Е_v2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS8CB238C7\run.bat" x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y AsDxzcDAzSDzdD fkkfk@fkfk@fkkf@@kf fk@fk@fkfk@fkkf@fkf FME bN4Aynk"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\mode.com
        mode con: cols=40 lines=3
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2980
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /FI "IMAGENAME eq EasyAntiCheat_EOS.exe"
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\SysWOW64\find.exe
        find /I /N "EasyAntiCheat_EOS.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2900
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM autohotkey.exe /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy *.* ..\ /Y
        3⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        PID:2560
      • C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5.exe
        u0Y4ZfNbjZ4PNDNB5.exe x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
        AutoHotkey.exe AsDxzcDAzSDzdD
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2372
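The process tree above is a compact procedure: a batch file probes for EasyAntiCheat_EOS.exe with tasklist and find, locates its own host cmd.exe PID through WMIC, force-kills any running autohotkey.exe, extracts a password-protected archive with a dropped extractor using 7-Zip-style `x -p<password> -o. -y` syntax, and finally launches a dropped AutoHotkey.exe from %TEMP% with a 44.1MB extensionless script. As an added example (not part of the sandbox report), the Python below reconstructs those process-creation events as constructed records, adds two benign events for contrast, and runs a handful of detection rules over them, attributing each hit to the root of its process chain so a chain that trips several rules stands out. The `ProcEvent` fields, the rule names and the threshold are assumptions for the example rather than any particular EDR's schema.

```python
"""Detection logic over the process chain shown in the report above.

Added example, not part of the sandbox report. The events are constructed
from the command lines and PIDs visible in the process tree; the ProcEvent
fields (pid, ppid, image, cmdline) are an assumed minimal process-creation
schema, and the rule names and threshold are the example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree. The first image name is copied
# verbatim; the "Е" in it appears to be a non-ASCII homoglyph of E, so match
# paths bytewise rather than by eye. ppid 0 marks the root, whose parent the
# report does not show.
EVENTS: List[ProcEvent] = [
    ProcEvent(3016, 0, r"C:\Users\Admin\AppData\Local\Temp\F-M-E_v2\F-M-Е_v2.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\F-M-E_v2\F-M-Е_v2.exe"'),
    ProcEvent(2960, 3016, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS8CB238C7\run.bat" x -pZhd2kZSak8js '
              r'u0Y4ZfNbjZ4PNDNB5 -o. -y AsDxzcDAzSDzdD fkkfk@fkfk@fkkf@@kf fk@fk@fkfk@fkkf@fkf FME bN4Aynk"'),
    ProcEvent(2980, 2960, r"C:\Windows\SysWOW64\mode.com", "mode con: cols=40 lines=3"),
    ProcEvent(3008, 2960, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "IMAGENAME eq EasyAntiCheat_EOS.exe"'),
    ProcEvent(2132, 2960, r"C:\Windows\SysWOW64\find.exe", 'find /I /N "EasyAntiCheat_EOS.exe"'),
    ProcEvent(1384, 2960, r"C:\Windows\SysWOW64\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /c wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid'''),
    ProcEvent(2900, 1384, r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
              r'''wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid'''),
    ProcEvent(2232, 2960, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /IM autohotkey.exe /F"),
    ProcEvent(2560, 2960, r"C:\Windows\SysWOW64\xcopy.exe", r"xcopy *.* ..\ /Y"),
    ProcEvent(1876, 2960, r"C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5.exe",
              "u0Y4ZfNbjZ4PNDNB5.exe x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y"),
    ProcEvent(2372, 2960, r"C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe", "AutoHotkey.exe AsDxzcDAzSDzdD"),
    # Constructed benign events for contrast: an admin listing notepad, and an
    # installed AutoHotkey running a normal .ahk script. Parent 900 is not in the list.
    ProcEvent(4100, 900, r"C:\Windows\System32\tasklist.exe", 'tasklist /FI "IMAGENAME eq notepad.exe"'),
    ProcEvent(4200, 4100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\Admin\Documents\hotkeys.ahk'),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# 7-Zip-style extract command with an inline password: "x ... -p<password>".
ARCHIVE_PW_RE = re.compile(r"(^|\s)x\s.*-p\S+", re.IGNORECASE)
# WMIC query selecting a process by its command line and returning only the PID.
WMIC_PID_RE = re.compile(r"process\s+where\s+.*commandline\s+like\s+.*get\s+processid", re.IGNORECASE)
KILL_TARGETS = {"autohotkey.exe"}  # interpreters whose forced kill precedes a replacement launch


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_anticheat_probe(e: ProcEvent) -> Optional[str]:
    if _base(e.image) in ("tasklist.exe", "find.exe") and "easyanticheat" in e.cmdline.lower():
        return "anti-cheat process probe"
    return None


def rule_force_kill_interpreter(e: ProcEvent) -> Optional[str]:
    if _base(e.image) == "taskkill.exe":
        target = re.search(r"/IM\s+(\S+)", e.cmdline, re.IGNORECASE)
        forced = re.search(r"(^|\s)/F(\s|$)", e.cmdline, re.IGNORECASE)
        if target and forced and target.group(1).lower() in KILL_TARGETS:
            return "forced kill of script interpreter"
    return None


def rule_temp_password_extract(e: ProcEvent) -> Optional[str]:
    if TEMP_RE.search(e.image) and ARCHIVE_PW_RE.search(e.cmdline):
        return "password-protected archive extraction by binary in Temp"
    return None


def rule_temp_autohotkey_scriptless(e: ProcEvent) -> Optional[str]:
    if _base(e.image) == "autohotkey.exe" and TEMP_RE.search(e.image):
        parts = e.cmdline.split(None, 1)
        if len(parts) == 2 and not parts[1].strip().strip('"').lower().endswith(".ahk"):
            return "AutoHotkey in Temp running extensionless script"
    return None


def rule_wmic_self_locate(e: ProcEvent) -> Optional[str]:
    if _base(e.image) == "wmic.exe" and WMIC_PID_RE.search(e.cmdline):
        return "WMIC lookup of host cmd.exe PID by command line"
    return None


RULES: List[Callable[[ProcEvent], Optional[str]]] = [
    rule_anticheat_probe, rule_force_kill_interpreter, rule_temp_password_extract,
    rule_temp_autohotkey_scriptless, rule_wmic_self_locate,
]


def root_of(by_pid: Dict[int, ProcEvent], pid: int) -> int:
    """Walk ppid links upward until the parent is unknown; guard against cycles."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def analyze(events: List[ProcEvent]) -> Dict[int, List[Tuple[int, str]]]:
    """Map each chain root PID to the (pid, reason) hits found under it."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[Tuple[int, str]]] = {}
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                findings.setdefault(root_of(by_pid, e.pid), []).append((e.pid, reason))
    return findings


def suspicious_roots(events: List[ProcEvent], threshold: int = 3) -> List[int]:
    """Roots whose chain trips at least `threshold` rule hits (assumed cut-off)."""
    return sorted(pid for pid, hits in analyze(events).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for root, hits in analyze(EVENTS).items():
        print(f"root PID {root}: {len(hits)} hits")
        for pid, reason in hits:
            print(f"  {pid}: {reason}")
    print("suspicious roots:", suspicious_roots(EVENTS))
```

Each rule on its own is noisy (an administrator also runs tasklist, and AutoHotkey is a legitimate tool), which is why the hits are rolled up to the chain root: the sample's root 3016 accumulates six hits across five rules, while the benign tasklist and the installed AutoHotkey produce none. The password and archive name in the constructed events are those visible in the tree above; the rules match on shape (`x -p<pw>`, extensionless script in Temp) rather than on those specific strings, so they would also fire on a re-packed variant.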

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS8CB238C7\run.bat

    Filesize

    1KB

    MD5

    49988db45356b19de8b6b9a8b342f226

    SHA1

    a45098fa0d04746d70f4cfc487191d57370c04b7

    SHA256

    ea656535bee58c6f7290ea92845b5ae7638a669986d89a71522fd8d481990ef0

    SHA512

    d78c270d4220d9a078b4015730d6516e3546b5aee19d78102a7d0a8ba8f64dd280444d06e6ea65487f5f5b0b26ffad93af81cfc151328002a3f860746c503166

  • C:\Users\Admin\AppData\Local\Temp\7zS8CB238C7\u0Y4ZfNbjZ4PNDNB5.exe

    Filesize

    577KB

    MD5

    c31c4b04558396c6fabab64dcf366534

    SHA1

    fa836d92edc577d6a17ded47641ba1938589b09a

    SHA256

    9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

    SHA512

    814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

  • C:\Users\Admin\AppData\Local\Temp\AsDxzcDAzSDzdD

    Filesize

    44.1MB

    MD5

    f5dd25c4673f35f8cc6ef3adabb72e76

    SHA1

    f249aa530c2e209aec45ea82473338aea66ffa5c

    SHA256

    2a4656fc1e88c4b8458f394afc15f5f2c897dabd27d8d5a6a2de3b81f32c55c1

    SHA512

    a55ce7eef6b3b97771b947ddc62e21930d764f5adcf0e41a949a871765f3df7bcb7d54169339870b8f8946334172fe86d9c2e3eb08f4e49e688bce0b99de362d

  • C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe

    Filesize

    1.3MB

    MD5

    2d0600fe2b1b3bdc45d833ca32a37fdb

    SHA1

    e9a7411bfef54050de3b485833556f84cabd6e41

    SHA256

    effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696

    SHA512

    9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

  • C:\Users\Admin\AppData\Local\Temp\Cab215.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar39E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5

    Filesize

    653KB

    MD5

    6fb711b079128744d54acbd31f0d3d8b

    SHA1

    ce4f579056c910c30aa776dce5d985f9a02e6c50

    SHA256

    627c67d508c3d465787f46f9faeb32dcc32ec07ad101ee0ad60ee90bf80c17dc

    SHA512

    22d8895deddca24f3baac1014960a24f94e0b1d15f325dc910c250394f39f9c6a0aba137105c5984cd1dea01627c33e7699a8bb8210d3818b48d2e3972e0a75a

  • memory/2372-313-0x0000000140000000-0x000000014014D000-memory.dmp

    Filesize

    1.3MB