Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12-01-2024 04:14
Static task: static1
Behavioral task: behavioral1
  Sample: 5575de547844c20af9ce435ebc8298e1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5575de547844c20af9ce435ebc8298e1.exe
  Resource: win10v2004-20231215-en
General
Target: 5575de547844c20af9ce435ebc8298e1.exe
Size: 230KB
MD5: 5575de547844c20af9ce435ebc8298e1
SHA1: 456906f340104766c8a3f68aab3316c64c5e3488
SHA256: 0faf2887c3bcca4f11c11344edeb9701151443f7502255d24980821388b6e1b0
SHA512: 8d9e772859044aa0a28bdcd36ee4d9ed3dc35babf9b213522aa5b6faf31fcbbc626698e766fd9a48f0b861ab59b30803913bcebfc4fcce9a87b97634f624a80b
SSDEEP: 6144:r5XLk7LJwdrdDJc3qvWJVGPiEzoDYGVHSY:NXKSdRJc3BVPEzCVyY
Malware Config
Signatures
Disables taskbar notifications via registry modification

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoC)
  pid | Process
  2712 | fks.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2712 | fks.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1968 | 5575de547844c20af9ce435ebc8298e1.exe
  1968 | 5575de547844c20af9ce435ebc8298e1.exe
Modifies system executable filetype association (2 TTPs, 17 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open\command | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fks.exe\" -a \"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start\command | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\ = "Application" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\DefaultIcon\ = "%1" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\DefaultIcon | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas\command | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | fks.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | fks.exe
Modifies registry class (41 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\start | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start | fks.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\ = "exefile" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\DefaultIcon | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fks.exe\" -a \"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start\command | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\DefaultIcon\ = "%1" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open\command | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas\command | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fks.exe\" -a \"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\DefaultIcon | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\runas | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\start\command | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\ = "Application" | fks.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\DefaultIcon\ = "%1" | fks.exe
  Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\exefile\shell | fks.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  1968 | 5575de547844c20af9ce435ebc8298e1.exe (x9)
  2712 | fks.exe (x5)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2728 | explorer.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2728 | explorer.exe (x18)

Suspicious use of FindShellTrayWindow (41 IoCs)
  pid | Process
  2728 | explorer.exe (x31)
  2712 | fks.exe (x10)

Suspicious use of SendNotifyMessage (31 IoCs)
  pid | Process
  2728 | explorer.exe (x22)
  2712 | fks.exe (x9)

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1968 wrote to memory of 2712 | 1968 | 5575de547844c20af9ce435ebc8298e1.exe | 28 (x4)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\5575de547844c20af9ce435ebc8298e1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5575de547844c20af9ce435ebc8298e1.exe"
  PID: 1968
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\fks.exe (child of PID 1968)
      command line: "C:\Users\Admin\AppData\Local\fks.exe" -gav C:\Users\Admin\AppData\Local\Temp\5575de547844c20af9ce435ebc8298e1.exe
      PID: 2712
      - Deletes itself
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

C:\Windows\explorer.exe
  command line: explorer.exe
  PID: 2728
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads
Filesize: 230KB
MD5: 5575de547844c20af9ce435ebc8298e1
SHA1: 456906f340104766c8a3f68aab3316c64c5e3488
SHA256: 0faf2887c3bcca4f11c11344edeb9701151443f7502255d24980821388b6e1b0
SHA512: 8d9e772859044aa0a28bdcd36ee4d9ed3dc35babf9b213522aa5b6faf31fcbbc626698e766fd9a48f0b861ab59b30803913bcebfc4fcce9a87b97634f624a80b