Resubmissions

02/03/2024, 22:38

240302-2kwptaae37 10

02/03/2024, 22:34

240302-2g86qsad96 10

Analysis

  • max time kernel
    152s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 22:34

General

  • Target

    Fake AV/FileFixPro/FFProInstall.exe

  • Size

    455KB

  • MD5

    d70754abc051edb0248b7287834808e2

  • SHA1

    9266f535d621c52e7603c1f30be7f67025663003

  • SHA256

    25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8

  • SHA512

    4be8b38129532429c84835197c329ff69d74a567d00f0fa88319656c531bc3af6326fa24a5692a1ebbe9bc4005a53a52aeb818507c773055b76a4e33c34482ea

  • SSDEEP

    12288:qmkOy5ws5qyKxg3Ismvo2gYcfygnXqD+k3TW:qfOy50Jx+IsV2mfXw+7

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp" /SL4 $60150 "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe" 232353 52224
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Program Files (x86)\FileFix Professional 2009\wizard.exe
        "C:\Program Files (x86)\FileFix Professional 2009\wizard.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Program Files (x86)\FileFix Professional 2009\unins000.exe
    Filesize: 658KB
    MD5: 361c253d8b03085714b050875274fb67
    SHA1: 1f79d4cde86f67b206bd623fac80c73463b59db4
    SHA256: 644cc1a533c21965d92af0d9ebb7a92ff6c9292582e7b4056d241bd590176023
    SHA512: d3aa94c4b14883c66abdb733e7d2d6d62f3f255de005705d87d11a7096b168f38789e2010b6f582f572e97de9257d20358741a08e9c2881fce353b946f7b1875

  • \Program Files (x86)\FileFix Professional 2009\wizard.exe
    Filesize: 612KB
    MD5: e1827fbbf959d7c5f3219a1f0b0c35fc
    SHA1: 677d7c6179729fdb4a25afdd5579533f1606c810
    SHA256: c28ac5f267bec7650ce271c12b23f087f9c3927a46b48682e363581fa29e2a5d
    SHA512: a65dc0550f9d1501add93390501027d83002c2df0df22bbf5d88dce9c98b6ebb4a2c297010e44cfebfaa8b7ba0f77ed12c2d13fb9b213e15c4b53dfd56ead0c3

  • \Program Files (x86)\FileFix Professional 2009\wizard.exe
    Filesize: 64KB
    MD5: 87873a5927e1234f9a31089c5d33e526
    SHA1: 0d063f0c246ac4dffd18c2b8f51577e7bfa156f8
    SHA256: 29e39a5cf12995d3623c803d514c3c9f448a40bd9359cda1c41e894ef6e23a63
    SHA512: d732e266ebbed9a330e4ea2e6a9007fed90829269293b285d9be3556872b291f8c93b700c820db17c2f37d73521e93ec4f59f2f264dc9c333e55031d4db70337

  • \Users\Admin\AppData\Local\Temp\is-PF36L.tmp\_isetup\_shfoldr.dll
    Filesize: 22KB
    MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
    SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
    SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
    SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp
    Filesize: 648KB
    MD5: 0360b1d1195775766b2e78a7b463f658
    SHA1: 8e4b2b1b6d1e4446c979b0cea7db6db7eee21610
    SHA256: bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4
    SHA512: 23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d

  • memory/1696-0-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/1696-2-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/1696-16-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/1696-62-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize: 76KB

  • memory/1996-17-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize: 708KB

  • memory/1996-57-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize: 708KB