c91c6c4c1162115c8d7f82f2d9f4098ee61fbe9051d3350b0a2f97fa2ce3e6f2

General

Target

Anime-Fighters-Infin_734316524.exe
Size

3.9MB
MD5

bd2b73492acf20dec004360b1605032d
SHA1

60ddf3c107d94bbeb102a2d7ede945eb5edd2b35
SHA256

12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca
SHA512

dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da

Score

10^/10

discovery suricata

Malware Config

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3988	Anime-Fighters-Infin_734316524.tmp
2572	Expedita.exe
1880	AhR5fTcQ7d3AIKYU5U.exe
3332	lxju7i.exe
1576	vpn.exe

Loads dropped DLL 2 IoCs

pid	Process
3988	Anime-Fighters-Infin_734316524.tmp
1880	AhR5fTcQ7d3AIKYU5U.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Vel\voluptas\is-T6MNB.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\magnam\Expedita.exe	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-GM8RT.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-4HKF0.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-J5DEO.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-4AQEL.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-QQK8D.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\voluptas\is-7TL9M.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-GN34K.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-U6DLB.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-9OSHD.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-8VS01.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-P0OT3.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-N9NM5.tmp	Anime-Fighters-Infin_734316524.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Expedita.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3988	Anime-Fighters-Infin_734316524.tmp
3988	Anime-Fighters-Infin_734316524.tmp
2572	Expedita.exe
2572	Expedita.exe
2572	Expedita.exe
2572	Expedita.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3988	Anime-Fighters-Infin_734316524.tmp
1880	AhR5fTcQ7d3AIKYU5U.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 3988	416	Anime-Fighters-Infin_734316524.exe	75
PID 416 wrote to memory of 3988	416	Anime-Fighters-Infin_734316524.exe	75
PID 416 wrote to memory of 3988	416	Anime-Fighters-Infin_734316524.exe	75
PID 3988 wrote to memory of 2572	3988	Anime-Fighters-Infin_734316524.tmp	76
PID 3988 wrote to memory of 2572	3988	Anime-Fighters-Infin_734316524.tmp	76
PID 3988 wrote to memory of 2572	3988	Anime-Fighters-Infin_734316524.tmp	76
PID 2572 wrote to memory of 1880	2572	Expedita.exe	82
PID 2572 wrote to memory of 1880	2572	Expedita.exe	82
PID 2572 wrote to memory of 1880	2572	Expedita.exe	82
PID 2572 wrote to memory of 3332	2572	Expedita.exe	83
PID 2572 wrote to memory of 3332	2572	Expedita.exe	83
PID 2572 wrote to memory of 3332	2572	Expedita.exe	83
PID 2572 wrote to memory of 1576	2572	Expedita.exe	84
PID 2572 wrote to memory of 1576	2572	Expedita.exe	84
PID 2572 wrote to memory of 1576	2572	Expedita.exe	84
PID 1576 wrote to memory of 2020	1576	vpn.exe	85
PID 1576 wrote to memory of 2020	1576	vpn.exe	85
PID 1576 wrote to memory of 2020	1576	vpn.exe	85

C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
"C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:416
- C:\Users\Admin\AppData\Local\Temp\is-86JMP.tmp\Anime-Fighters-Infin_734316524.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-86JMP.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$2014A,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Program Files (x86)\Vel\magnam\Expedita.exe
    "C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\bl8HUuOb\AhR5fTcQ7d3AIKYU5U.exe
      C:\Users\Admin\AppData\Local\Temp\bl8HUuOb\AhR5fTcQ7d3AIKYU5U.exe /quiet SILENT=1 AF=606x32cb7aca069a0c8bb8d51fccce1d3826
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\xEfDbKkQ\lxju7i.exe
      C:\Users\Admin\AppData\Local\Temp\xEfDbKkQ\lxju7i.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
      4⤵
      Executes dropped EXE
      PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe
      C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe /silent /subid=510x32cb7aca069a0c8bb8d51fccce1d3826
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\is-F0OBH.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F0OBH.tmp\vpn.tmp" /SL5="$302E0,15170975,270336,C:\Users\Admin\AppData\Local\Temp\3TRuEVUx\vpn.exe" /silent /subid=510x32cb7aca069a0c8bb8d51fccce1d3826
        5⤵
        
        PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/416-118-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2572-123-0x0000000000400000-0x00000000019C2000-memory.dmp

Filesize
21.8MB

Download
memory/2572-124-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/3988-120-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing