Resubmissions

02/03/2024, 22:38

240302-2kwptaae37 10

02/03/2024, 22:34

240302-2g86qsad96 10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/03/2024, 22:34

General

  • Target

    Fake AV/FileFixPro/FFProInstall.exe

  • Size

    455KB

  • MD5

    d70754abc051edb0248b7287834808e2

  • SHA1

    9266f535d621c52e7603c1f30be7f67025663003

  • SHA256

    25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8

  • SHA512

    4be8b38129532429c84835197c329ff69d74a567d00f0fa88319656c531bc3af6326fa24a5692a1ebbe9bc4005a53a52aeb818507c773055b76a4e33c34482ea

  • SSDEEP

    12288:qmkOy5ws5qyKxg3Ismvo2gYcfygnXqD+k3TW:qfOy50Jx+IsV2mfXw+7

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp" /SL4 $301CA "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe" 232353 52224
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Program Files (x86)\FileFix Professional 2009\wizard.exe
        "C:\Program Files (x86)\FileFix Professional 2009\wizard.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\FileFix Professional 2009\wizard.exe

    Filesize

    612KB

    MD5

    e1827fbbf959d7c5f3219a1f0b0c35fc

    SHA1

    677d7c6179729fdb4a25afdd5579533f1606c810

    SHA256

    c28ac5f267bec7650ce271c12b23f087f9c3927a46b48682e363581fa29e2a5d

    SHA512

    a65dc0550f9d1501add93390501027d83002c2df0df22bbf5d88dce9c98b6ebb4a2c297010e44cfebfaa8b7ba0f77ed12c2d13fb9b213e15c4b53dfd56ead0c3

  • C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp

    Filesize

    648KB

    MD5

    0360b1d1195775766b2e78a7b463f658

    SHA1

    8e4b2b1b6d1e4446c979b0cea7db6db7eee21610

    SHA256

    bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4

    SHA512

    23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d

  • memory/3536-6-0x00000000007B0000-0x00000000007B1000-memory.dmp

    Filesize

    4KB

  • memory/3536-13-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/3536-16-0x00000000007B0000-0x00000000007B1000-memory.dmp

    Filesize

    4KB

  • memory/3536-37-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/3536-44-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/4356-0-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/4356-12-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/4356-45-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB