Overview

overview

8

Static

static

8

FateInjector.exe

windows7_x64

1

FateInjector.exe

windows10_x64

1

Ambrosial ...21.exe

windows7_x64

8

Ambrosial ...21.exe

windows10_x64

8

Ambrosial.exe

windows7_x64

4

Ambrosial.exe

windows10_x64

7

Release_Ve...on.dll

windows7_x64

1

Release_Ve...on.dll

windows10_x64

3

BadManPublic.dll

windows7_x64

1

BadManPublic.dll

windows10_x64

1

HorionInjector.exe

windows7_x64

8

HorionInjector.exe

windows10_x64

8

MetroSet UI.dll

windows7_x64

1

MetroSet UI.dll

windows10_x64

1

Newtonsoft.Json.dll

windows7_x64

1

Newtonsoft.Json.dll

windows10_x64

1

System.Run...fe.dll

windows7_x64

1

System.Run...fe.dll

windows10_x64

1

ure tyjk5_...]_.exe

windows7_x64

1

ure tyjk5_...]_.exe

windows10_x64

1

Coffee (1).exe

windows7_x64

1

Coffee (1).exe

windows10_x64

1

Coffee 1.16.220.exe

windows7_x64

1

Coffee 1.16.220.exe

windows10_x64

1

Coffee NOT...ON.exe

windows7_x64

1

Coffee NOT...ON.exe

windows10_x64

1

Fate.Client.dll

windows7_x64

3

Fate.Client.dll

windows10_x64

3

FateInjector.exe

windows7_x64

1

FateInjector.exe

windows10_x64

1

Fate.Client.dll

windows7_x64

3

Fate.Client.dll

windows10_x64

1

Analysis

  • max time kernel
    155s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    17-11-2021 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HorionInjector.exe

  • Size

    427KB

  • MD5

    fb3652cc3a387c107714440829ac7264

  • SHA1

    bf1275265b68ac09b54de10be9e0c1f2b48a352e

  • SHA256

    dd22919a17110bb3d20ede3be4c029af8626d1459f50b2b5534ae2a77cc8c39b

  • SHA512

    c5a0082b19e2a0c22b75b3ddf1e487ba6b002f0e7455e3fae2442a02c6e2844f2703d3428fcd63b26bb4edca442ab776ec7ad2856c816ba7610c81fd160b4cc7

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
    "C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/vs/16/release/vc_redist.x64.exe
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    a74c7478f74da2a091c4c97e30176530

    SHA1

    5d07dc928f218c71dd5f9b829616d1d8b92e19b5

    SHA256

    994a90c245f94acd5a7c2ba353a5cce836cc82668ba5d891670b3f6d3c23bbea

    SHA512

    9e9cb4833bd1143583f0a1d53862acd8cfebe697bb041156022149f7509974ef77ed04ddb3cfe47ccfdfed293dc0ab2eb42acda03c37dd38b54ff55f3f9bd7a6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OTVOI5J6.txt
    MD5

    4916f9e274f403f65b59eaa355bfc8e2

    SHA1

    09d195584d60d724cabe210e6c05fa106f57d8b4

    SHA256

    18c8055546be7ad5808a48900d8d48cdea343414c2ef84bf2c8ae1f91e89515a

    SHA512

    f59893c3d1ac931e03f9a504f76b2420e3c4216837c0cd8bbafe630c02437967e7b79cf062c24d45d677cc041dbe13abc7db08a4445357332bdc5f9f5117599f

    Download Submit
  • memory/368-62-0x0000000000000000-mapping.dmp
    Download
  • memory/368-64-0x0000000002910000-0x0000000002911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1004-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1596-55-0x000000013F670000-0x000000013F671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1596-57-0x000000001ACA0000-0x000000001ACA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1596-59-0x000000001C9F0000-0x000000001C9F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1596-60-0x000000001C9F6000-0x000000001CA15000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1596-61-0x000000001AD20000-0x000000001AD21000-memory.dmp
    Filesize

    4KB

    Download