8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2023 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe
Size

1.5MB
MD5

d0e6a1f76cfcd5c4a3bbd044cf39ff2a
SHA1

ec1cce88f7719f3744a406927d8a004206b10adb
SHA256

8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e
SHA512

4daf751ac521d3ff846107b138e334d9699268bb6bb2e12e94aab528b89eb5f1ae8d70d87896d2b326e043c88b074eb8562c02f71ab8d684383d07b47b7e5124
SSDEEP

24576:8N+bPGUvbX8AdjI9Bahe/wz78RaiyhrbnC3OlKekN4srzEhbaLUCKWmRlsSmYTzC:8wyYjI9EheW7WaiUy3V6baLUCmRlnmYq

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1800	schtasks.exe
2412	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1800	648	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe	86
PID 648 wrote to memory of 1800	648	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe	86
PID 648 wrote to memory of 1800	648	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe	86
PID 648 wrote to memory of 2412	648	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe	88
PID 648 wrote to memory of 2412	648	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe	88
PID 648 wrote to memory of 2412	648	8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe	88

C:\Users\Admin\AppData\Local\Temp\8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe
"C:\Users\Admin\AppData\Local\Temp\8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

Filesize
1.5MB

MD5
d0e6a1f76cfcd5c4a3bbd044cf39ff2a

SHA1
ec1cce88f7719f3744a406927d8a004206b10adb

SHA256
8ab9290d67282a4fa8f4467b1c05cdb3b11e4efdc7af515f25af68b8f936da8e

SHA512
4daf751ac521d3ff846107b138e334d9699268bb6bb2e12e94aab528b89eb5f1ae8d70d87896d2b326e043c88b074eb8562c02f71ab8d684383d07b47b7e5124

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads