Overview

overview

7

Static

static

3

e1dc058fc8...ab.exe

windows10-1703-x64

7

Resubmissions

22-03-2024 10:29

240322-mjq1lsdc6w 8

08-05-2023 11:46

230508-nxdg4sad72 7

08-05-2023 11:33

230508-nn5j8sad52 7

Analysis

  • max time kernel
    742s
  • max time network
    867s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-05-2023 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a/FlixGrab.exe

  • Size

    88.9MB

  • MD5

    4349be1fc47f7aff9ee06d49e9ccd2cf

  • SHA1

    7b7a068b320c51904781fc5e60be3b24fc528352

  • SHA256

    41a8faf9f13ed99084699ed935ec5d2aef6415f036d66872b57be4d2fd38a9e3

  • SHA512

    4afbb125ce655f2abeeca40ad16148d65a9a4cafe09a524b33d4228a960a9e0e077eb87ebc9f6d1ceb6e867203400227be57e4431e279025ad9ecb9b8f8d5a69

  • SSDEEP

    1572864:3/MfZUE8r7sbDvwe+pffl92os5BJ5aTll0dIu/KVwP8PXz6aBrTMzINOWY1E7aMF:vMeEW4P+pXl92/QTMj8vWoczIk12Dwe

Score
7/10
discoveryvmprotect

Malware Config

Signatures

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\FlixGrab.exe
    "C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\FlixGrab.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\is-ITEK5.tmp\FlixGrab.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ITEK5.tmp\FlixGrab.tmp" /SL5="$50146,92329271,1199616,C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\FlixGrab.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /im FlixGrab.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /im FlixGrabMS.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4084
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:1828
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4744
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3828
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4800
    • C:\Users\Admin\Desktop\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\activator.exe
      "C:\Users\Admin\Desktop\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\activator.exe"
      1⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:4284
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\system-logs.txt
      1⤵
        PID:2552

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\FreeGrabApp\FlixGrab\FlixGrab.exe
        Filesize

        25.9MB

        MD5

        b4d4470d5346c5ccd72f37b21f831645

        SHA1

        7e202cb99fd827981ead5f3988338895f4b24ffb

        SHA256

        e0eb40386bab9523967f91c744acc08652a8132627d3cb7248d8851fe3273991

        SHA512

        cd9b07e8963c550303a77ce0ff5c5818a02538c98fce79fac288ea1c43f3ede733e8cfb506ab5f3108c808eb0be44706d4d3ab2d89a4681f462d90f7f9da207e

        Download Submit
      • C:\Program Files (x86)\FreeGrabApp\FlixGrab\FlixGrab.exe
        Filesize

        7.6MB

        MD5

        9b0d8288fce4f58f3fbb1dd913e51893

        SHA1

        1bc28a32659327e03fe1f5255f3e284d327e0857

        SHA256

        58927df23d21b7128e7fbbc9fc287ed5eb614da156a48c221738bdf8e0a67c5d

        SHA512

        36c29dfb13ce31c123d3f7de001ad1dcbc5d3cdbe303c9d8ddd10a3cb3339bf72dfdf3dd91e19e9c9ea71e548aa67bfcf848f4cd7e79769a449eaf29347567b9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\is-ITEK5.tmp\FlixGrab.tmp
        Filesize

        3.4MB

        MD5

        3eab4a4bc4b893805806c9edb6bab9f9

        SHA1

        1cfe1a478e2168150c256dce1826dd9db083f04a

        SHA256

        e332511ac0e7a35540a676567814d2c8ce47cb2e596a6af9d02fd2e01fa414bf

        SHA512

        4fe9818e5ef3852a378deae1a3c0aa1ab4bb2996e8a899883215c4f9da7a124962332dbdd02969aa5b762012916cd464335f9ac5fae1382607360ef8635a797d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\is-ITEK5.tmp\FlixGrab.tmp
        Filesize

        3.4MB

        MD5

        3eab4a4bc4b893805806c9edb6bab9f9

        SHA1

        1cfe1a478e2168150c256dce1826dd9db083f04a

        SHA256

        e332511ac0e7a35540a676567814d2c8ce47cb2e596a6af9d02fd2e01fa414bf

        SHA512

        4fe9818e5ef3852a378deae1a3c0aa1ab4bb2996e8a899883215c4f9da7a124962332dbdd02969aa5b762012916cd464335f9ac5fae1382607360ef8635a797d

        Download Submit
      • C:\Windows\Logs\system-logs.txt
        Filesize

        5.3MB

        MD5

        df9fa84d5264cb930f64f237d0cbb4c3

        SHA1

        225e94f06a6d1d7b053a57204458dfe1848f9053

        SHA256

        2a5857066a8aae937fac0e3a33e9669cf8c4f7da4721ab076427cadc4c75b44d

        SHA512

        2be7937d1cb5ddbbb51b7e5525fe33f5fa107ddcc39bd28b7da8f3705f1a061c9d359cd257b48eca5ffbd878f217de93d768b42f8635646423aacd0a6a440175

        Download Submit
      • memory/1616-469-0x0000000000400000-0x000000000076C000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/1616-131-0x0000000000920000-0x0000000000921000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1616-241-0x0000000000400000-0x000000000076C000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/1616-400-0x0000000000400000-0x000000000076C000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/1616-130-0x0000000000400000-0x000000000076C000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/1616-419-0x0000000000400000-0x000000000076C000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/1616-126-0x0000000000920000-0x0000000000921000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1616-468-0x0000000000400000-0x000000000076C000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/1820-129-0x0000000000400000-0x0000000000532000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1820-121-0x0000000000400000-0x0000000000532000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4084-467-0x000002205AC50000-0x000002205AC52000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4084-466-0x000002205AC30000-0x000002205AC32000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4084-464-0x00000220567E0000-0x00000220567E2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4084-462-0x0000022056390000-0x0000022056391000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4084-485-0x000002205AB00000-0x000002205AB02000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4084-488-0x0000022056390000-0x0000022056391000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4084-492-0x0000022056370000-0x0000022056371000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4084-443-0x0000022056500000-0x0000022056510000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4084-425-0x0000022055F20000-0x0000022055F30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4284-496-0x00007FF641740000-0x00007FF6432F0000-memory.dmp
        Filesize

        27.7MB

        Download
      • memory/4284-500-0x00007FF641740000-0x00007FF6432F0000-memory.dmp
        Filesize

        27.7MB

        Download