Analysis

  • max time kernel
    852s
  • max time network
    1604s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-es
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-es, locale:es-es, os:windows10-1703-x64, system, windows
  • submitted
    04/04/2024, 17:20

General

  • Target

    fenix atc/FenixATCInstaller.exe

  • Size

    5.3MB

  • MD5

    423ce463869b85b1581e26a3535d3377

  • SHA1

    8ad5f7430cf4b2f0a9755af8cd111f7ac9a76711

  • SHA256

    ba4da4c0e7257660436b8c4c49f8046c6d0fd5348a7d24f3cc7734b4dbb31f4d

  • SHA512

    598136d28ceb6002ebb2dae2b1b9f4edc53f60ce24f0806d3ed15b61d48ce606936b869241730b16e6643787e25dfcb932abca8005d8db449587ddd5b0014c4b

  • SSDEEP

    98304:gmbEM8+51vYLB0VhaA8dhakIneoXggn/JWxog7bWgq5t63XCoBj0F:zn/drXg4JqWgkt6ioBj0F

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (18 IoCs)
  • Registers COM server for autorun (1 TTPs, 20 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (15 IoCs)
  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (45 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes (1 TTPs, 4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" /i "C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC 1.0\install\FenixATCInstaller.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\GATCFenix" CLIENTPROCESSID="1260" SECONDSEQUENCE="1" CHAINERUIPROCESSID="1260Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="LinkCreator,MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Tulpep Services" AI_MISSING_PREREQS="Link Creator" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\fenix atc\" EXE_CMD_LINE="/exenoupdates " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" AI_INSTALL="1"
      2⤵
      • Enumerates connected drives
      PID:4824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\TULPEP~1\FENIXA~1.0\install\FENIXA~1.MSI"
        3⤵
        • Views/modifies file attributes
        PID:604
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat"
        3⤵
        • Views/modifies file attributes
        PID:4464
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat" "
        3⤵
        PID:3924
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        PID:4728
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\TULPEP~1\FENIXA~1.0\install\FENIXA~1.MSI"
        3⤵
        • Views/modifies file attributes
        PID:4352
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat"
        3⤵
        • Views/modifies file attributes
        PID:3772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat" "
        3⤵
        PID:4564
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        PID:2928
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Registers COM server for autorun
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 94B722DBF6921C3B1AAB63C7E2B771AF C
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" /groupsextract:100; /out:"C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites" /callbackid:2756
        3⤵
        PID:4588
      • C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe
        "C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe"
        3⤵
        • Executes dropped EXE
        PID:3916
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 918CB0791A687C072AF098ADB1AA54DA
      2⤵
      • Loads dropped DLL
      PID:1376
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4576
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e58555f.rbs
    Filesize
    549KB
    MD5
    7c5a29ecb20c76f38ec79bf3fb4fc1bb
    SHA1
    1107c11200ef74a623a6584b4528cb8022f94cc4
    SHA256
    a523026d1c240b23a6e9f09474a4d1305c6237cd05949083556c546feb2e3948
    SHA512
    a6e1ba81def48a50e548563d90cec895c3c7eb71110c60d6c528b842a0e8f2ed8b6174982146bf6c04275b9ef804273f6b714f78ee5e037a8301c430abf0c65c

  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1260\banner
    Filesize
    3KB
    MD5
    64e447b9b303d386f4970839dc815705
    SHA1
    6042a4edc7d8e2ab41c589530283c3c43788ea0c
    SHA256
    ca9e2568668e53b2d5f8e276581f31d517cd8d490daba5013a743bd497de5f73
    SHA512
    2b35642edbb881cd45efc6cfbb3c39cedb235b0a17abe12c2194cd352109f9aeb646dd70279c2290ab8ea2e043528786fac61404733b7987eb8172c6ee81db98

  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1260\dialog
    Filesize
    12KB
    MD5
    8d5de8960e1a6886365d3f1dc3f81fe4
    SHA1
    a3ea4a68c7c59d41daa2a12ec2ddd481bda8fe24
    SHA256
    6e1731d0bc8ceb2bb5677d4b0c5c76ca5510602e0707b19ecb6e8d6f6f51eb8f
    SHA512
    ac81f511a8dcbce9018569ea0c0fbaced44a3191466c77bb5ab5bc3aac313d08643803d7d11619fa7f8cf10411e870e9a73246ed6f84cea9121e78c3e150b94d

  • C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat
    Filesize
    415B
    MD5
    eaaf90b679bc25bc2dd01274b26a6f77
    SHA1
    4a5b148f002b2e20d18aa08d3ec30975b5e5ce1a
    SHA256
    ec2627a53a98411f35c2ad2006d9dcfde7b78522e4e50d381ea738ff1c5aeac4
    SHA512
    2a06b1749b525ba5a3ed7ff672e8c94fcfa2baac4aff98103ffa18149ed5e09d92d2a82d0b19153b821ee543281ad2e08d9aa7f6e623b9ec410a6da0593df021

  • C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat
    Filesize
    415B
    MD5
    673b8f14e6881c7fd676140fb34064a7
    SHA1
    0a77ea00c4b662e2e6dec4da1ef28b1e74efd1b2
    SHA256
    82a3f673899d47cc4057ac37286334ff353d13eac2a77c68bcfdab0944a18b8e
    SHA512
    abad273f53d98ca2b1efc76c0f1de0fd372793ae4f49bb43d8c2a5d9218ca55d3aade70fc6e4d0b22bc4c5f81e337e2a1d8c1a492370d824940752135d2c7131

  • C:\Users\Admin\AppData\Local\Temp\MSI9319.tmp
    Filesize
    209KB
    MD5
    55760599c990fee4c086e60299fa0dfc
    SHA1
    56505e3b1b3c934c8838c8daf4f69eb2de31e067
    SHA256
    40a493cb6d5a97cb5462f260ea0753ec47e07ac837d0e12d4cab33f985a5a14f
    SHA512
    c0a9b1ceb796d92362661d690ccb0fe0146c6d5b0edceb404b165544ceecc7ca9cf8ae36afafc96adae90837bd24e62b1cbfc50600fc676b2c19928fabd217aa

  • C:\Users\Admin\AppData\Local\Temp\MSI965A.tmp
    Filesize
    364KB
    MD5
    bce340727602986cc8af524c0b9cd485
    SHA1
    03a542bb35d1d87e769488d6f23f0b2be29ba756
    SHA256
    cb5636ea725024d13398a51a487227deca2bbdeaa7bb046064ea3cd33b4680ef
    SHA512
    67faa08f55d878a455292b73ff0cbaaee9d81c7ab6a874e579143cf621fe22ac864c2be8ac9f9707a9cf52cf2c62754e54fa08be54501ed9d2327900a4079fc6

  • C:\Users\Admin\AppData\Local\Temp\shi50F9.tmp
    Filesize
    3.2MB
    MD5
    032bb369103dac02606fb919f6658f3c
    SHA1
    60b39428ab3493aab7babf3a1c5f2a951ae853bd
    SHA256
    daa61c42d53be45c7709a0b0f66a51a0a47ca84eab787e0627f6da255c96ddff
    SHA512
    0f1fb9bb34e699ee6d4a1dc58f99514fb1df81ad0cf37b3ffe938295a70d832a5702cec3df16d30d400c77014d09228e6d02d3e65d5d6d0f1c5e34f39d55e313

  • C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC 1.0\install\FenixATCInstaller.msi
    Filesize
    1.5MB
    MD5
    bda8dc57111676f6b43f2d5bbe53dffb
    SHA1
    3ef31fe9ecaba05f94655a7ed648d4e95360635a
    SHA256
    bcd6373798ab7a398b5022d01ff3eb69338e7e4438816c8af88a61d357762b2c
    SHA512
    8ee3f8f9abaa752ed8760e645e3b337dfa079dd5c185a0c5caa8238edc64b21ba074b60880daba8b879bc371c6375b5784809783fa211b3152de0f7083e4f5bf

  • C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC 1.0\install\FenixATCInstaller1.cab
    Filesize
    2.0MB
    MD5
    7135aa7efe759b7e0cb9dcf9e97decc2
    SHA1
    adbb38f5448afaa6319fc521e4f1a201b096013c
    SHA256
    95d0e7a9a24b64de615e408b80819d50272a126202e199f5849b03b45c281d8f
    SHA512
    65888da58a5e2bec2ba08f2ba0899c3f2976290a60e14353280960a1ba628e51cd5a5e8ce119f4ca9ff480f4bf72e6163b1b9ac07822278e1ea4ecf5653e9e91

  • C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe
    Filesize
    260KB
    MD5
    cb5af0df19fb79cd9e28214ea1cc63c6
    SHA1
    f96c597d9fe1f97a6db7722637a0376d861eb4cd
    SHA256
    804b33e2a9d7c6a5c21c1f2b138e84fa703156671411460395953b203f4d3eda
    SHA512
    fa5cb7da665c39013daa8f4cc8dcfb16c99f22b6b4a835ab5c35d7f0ea263e8318a1603ab48fd91a1218b0ab53f4f89169ba76213fcc623a7936f33c51e083ef

  • C:\Windows\Registration\R000000000008.clb
    Filesize
    46KB
    MD5
    92d8821c54a5373c52f2e57f5c226015
    SHA1
    cb4efac6b966ecb5339923dc4df0fb12a89990a5
    SHA256
    2f15d7ca940e8ffd4fdbe888aa20fb34f852c6ee6bab1ab95542772ce7ff3557
    SHA512
    30767e2d583e57105f48532125f9de05160f89ca511264c6bf09c9b41a9c4f1a9d3a9c6d9b82608ca5f7eff70358a386e2eb1f58123d015418c1911ac8e65c58