e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62

Analysis

max time kernel
963s
max time network
866s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-04-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FA Installer.bat
Size

42KB
MD5

ac48f9875234a4e5649d152672903198
SHA1

6795362296194a79770a385a1a81efa89c6fe203
SHA256

e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62
SHA512

b5a8cf484eca8afde45a78b6768970a3ccd9f4731f4f9a227ac22e02cb3c9c158c8221c136fef191ce9967b2b4bc8c7f4aa6a4310e04dc5e3e5b8b7fc712df44
SSDEEP

768:lnwnjP9zogqnrT9AHuhUcKhnuxGTBmF5p8yJVS5LTf+iA0:FI89nf9tUc+nuxGIFwyKhTf+r0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 13 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5044	timeout.exe
4268	timeout.exe
64	timeout.exe
4108	timeout.exe
3480	timeout.exe
4092	timeout.exe
4440	timeout.exe
1516	timeout.exe
2488	timeout.exe
932	timeout.exe
1124	timeout.exe
4652	timeout.exe
1804	timeout.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2824 taskkill.exe

pid	process
2824	taskkill.exe

Modifies registry class 3 IoCs

Processes:

cmd.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2124 powershell.exe
2124 powershell.exe
2124 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2124 powershell.exe
Token: SeDebugPrivilege 2824 taskkill.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1316 OpenWith.exe

pid	process
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2824	taskkill.exe

pid	process
1316	OpenWith.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 4988 wrote to memory of 528	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 528	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 216	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 216	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 684	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 684	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 1040	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 1040	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 1220	4988	cmd.exe	cmd.exe
PID 4988 wrote to memory of 1220	4988	cmd.exe	cmd.exe
PID 4988 wrote to memory of 932	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 932	4988	cmd.exe	timeout.exe
PID 1220 wrote to memory of 2124	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 2124	1220	cmd.exe	powershell.exe
PID 4988 wrote to memory of 4268	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4268	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 64	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 64	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4108	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4108	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 5044	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 5044	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 3480	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 3480	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4092	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4092	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 1124	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 1124	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4652	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4652	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4440	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 4440	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 1516	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 1516	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 2848	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 2848	4988	cmd.exe	WScript.exe
PID 4988 wrote to memory of 2488	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 2488	4988	cmd.exe	timeout.exe
PID 3492 wrote to memory of 2236	3492	cmd.exe	WScript.exe
PID 3492 wrote to memory of 2236	3492	cmd.exe	WScript.exe
PID 3492 wrote to memory of 2008	3492	cmd.exe	cmd.exe
PID 3492 wrote to memory of 2008	3492	cmd.exe	cmd.exe
PID 3492 wrote to memory of 1480	3492	cmd.exe	WScript.exe
PID 3492 wrote to memory of 1480	3492	cmd.exe	WScript.exe
PID 2008 wrote to memory of 1804	2008	cmd.exe	timeout.exe
PID 2008 wrote to memory of 1804	2008	cmd.exe	timeout.exe
PID 3492 wrote to memory of 648	3492	cmd.exe	cmd.exe
PID 3492 wrote to memory of 648	3492	cmd.exe	cmd.exe
PID 648 wrote to memory of 2824	648	cmd.exe	taskkill.exe
PID 648 wrote to memory of 2824	648	cmd.exe	taskkill.exe
PID 1480 wrote to memory of 1816	1480	WScript.exe	cmd.exe
PID 1480 wrote to memory of 1816	1480	WScript.exe	cmd.exe
PID 1816 wrote to memory of 192	1816	cmd.exe	findstr.exe
PID 1816 wrote to memory of 192	1816	cmd.exe	findstr.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FA Installer.bat"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo4.vbs"
2⤵
PID:528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo3.vbs"
2⤵
PID:216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo2.vbs"
2⤵
PID:684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo1.vbs"
2⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAshortcutinstallerdesktop.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\Desktop\FA Security.lnk');$s.TargetPath='C:\FA_Antivira\Fabi_Antivira_Securety.bat';$s.Save()"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:932

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4268

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:64

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4108

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5044

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3480

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4092

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1124

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4652

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4440

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"
2⤵
PID:2848

C:\Windows\system32\timeout.exe
timeout /t 60
2⤵
- Delays execution with timeout.exe
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\FA_Antivira\Fabi_Antivira_Securety.bat" "
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"
2⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FASecLogsTxT\FAupLOG.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAvbs\FAbuttenUser.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\FA_Antivira\FA_URLscan.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\findstr.exe
findstr /i "amongus.io" "C:\FA_Antivira\FAurlDataBank.txt"
4⤵
PID:192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAcmd.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\system32\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FA_Antivira\FASecLogsTxT\FAupLOG.bat
Filesize
466B

MD5
0ea60cedc7c561c2b3eceb58339f3bb2

SHA1
1c500a5b3625aec2d3f1b2a204b921b5e85c45ae

SHA256
957680d4b0ac571bdf53e789855625ca7c68bad067f02b8fc9a7ab74355cfe51

SHA512
c479cc265cf906b50f03a46571cb28471511f1cee4e35674ac968f73fc68bad972329a825fc1d9fce4bf11ad8cc624bcdbc0a7fe751711f1ae0ed53a8236b597

Download Submit
C:\FA_Antivira\FASecLogsTxT\FAupLOGlogFile.txt
Filesize
80B

MD5
195fca33d3dcd4963817da54566406c9

SHA1
2c3dd5d8d52bc661e488ca37ad49527b8bf9c925

SHA256
f68730e3c6d47d8a63a9b67749f66d91ab5f2a04396c466a238f389a21abf15b

SHA512
7a4cc2c65dcd20627aeb3c9a0519f7b8474ab8820488c247bb2b40b36f21d81b0e4eae3bd6a48f6cff1667dc6b012a3920c76998d29dc329619bba57097f2453

Download Submit
C:\FA_Antivira\FA_URLscan.bat
Filesize
586B

MD5
80ea35dc1a44e5694cd89dc387164ce0

SHA1
add48be7d3951f9336ebb65bbcf6f53f359b5300

SHA256
e955364d0bcd212382f2a17d77261d044e92fa5ccc884cb98c3cfe4f0cc8a396

SHA512
d8888b16fb278c7c024ce47a632f65048f3ecb96a7320f5b639465fd880a98d43157d2acfe3ffb7bbd4f5fc62de3aca0602671777219450b70676c64a485b2b7

Download Submit
C:\FA_Antivira\FAcmd.bat
Filesize
26B

MD5
c4645d6e11ab471b8e0d246a285ca38f

SHA1
cfb73001deb5265fd23118ea7c92b069726e0744

SHA256
d3e398863bb562e0d6df0915b463e633dbb25947728fb2c5ea097c28a063491d

SHA512
b0e49f720ce0738a5f77fd2e1e7383756ebcba77afb71c2d3c3962c0ef1d5a7054bed41963801fc570ec468ddf8a10c38756b9b3ed341b3c18d5a714640886ee

Download Submit
C:\FA_Antivira\FAinfo1.vbs
Filesize
84B

MD5
fad7cd2a49837444cde4548abdf478b6

SHA1
376a4ff6acc6ca44f2b660286633c5a31eddd764

SHA256
9c08b7d014ab766305e4525478bf8a1bc2f8cbe4f04aedf38f7daa0660ba3cda

SHA512
287223fdf6ec6347c37b51fc7913ab8931d1fe87c03fae93e1cf8bcacf1b4a2dc13605b08506a0299e5536fac5b02fc15ab387781b5b16873ea3c686daa81cc5

Download Submit
C:\FA_Antivira\FAinfo2.vbs
Filesize
87B

MD5
5a1fc5e5db483c5926a50ee931581cd9

SHA1
419644277a92e109d4ce6739a0d5e2d0ba8f2d42

SHA256
0f79e391fe889e01a6ef37619023af6672e98f1551753a10021efda8dee607ab

SHA512
0351928a53a5586c560e8155d99eb1838c873cbc2b554ae25c6be1433cdae41cea7508b60c016e23e0d2687d99bcc96066bc72f15c1ffb922f348f81e044c240

Download Submit
C:\FA_Antivira\FAinfo3.vbs
Filesize
71B

MD5
a61c87927d31edff281df2818dde924d

SHA1
f076867cb0411e0c584f2f9052d4c1e550cd53b7

SHA256
9220b169c1f0179caa92218990b05bc48cf75c9c36d4e45dd1c2b5f973910517

SHA512
ce5c730e3dea3c9b1a565b02925ca95ee0c50abfe15a5a8a43c21b4cb7daedd1b582ebf264dba5d7dc3fad98e1014e0557a810baa111e83596ecd22fde8fc970

Download Submit
C:\FA_Antivira\FAinfo4.vbs
Filesize
97B

MD5
d912098669bc85cc04cccf0248617120

SHA1
a817741d0ce4427cf0a0fceb7ba483972789fc60

SHA256
e044130f2e60f76a963f3e903af9d077f0ff1a8437d1c7d52ff42345e7e28422

SHA512
578127a4aedf65bb415602b08c16c29724a874b35a40dce0e116b4bf6daf513e8a511f3aed2cee8756efd45ee9245a34381433abbef91ab3908859f47f013a48

Download Submit
C:\FA_Antivira\FAshortcutinstallerdesktop.bat
Filesize
579B

MD5
43ac0b308354a69a243ade90d4710a48

SHA1
eb13fd963da445a000a2bde81254a6165fb35ede

SHA256
a66196a3237ebee214521d8a60c9747137c2abd928dd3123663ce6bf5b760bc7

SHA512
e5a8f9934c72492bb7631140a6bedb0d114f8dbc9b4c1a7cf80976216db0e9acba411cf0841bfee988a3eee2639a0596919a51c6eaeced3ab1a62de2abe96ab0

Download Submit
C:\FA_Antivira\FAurlDataBank.txt
Filesize
14KB

MD5
52625fe27ed861566f6242ac7eb28609

SHA1
0bef2187c87f4ebd5e2243cf8013a9513e2b92db

SHA256
c60b699d8ab4bd5928877c75f8c5c01b98231f382c1989c3cccdb8f931a48c6a

SHA512
f613f49809ac49efb6a5ba12582e39f6379259cff9a19c3c2e1b8211a4587610c8bb0730621507f4e3a6ea3bf3057017bcd8c611294763e97ccf5b086afcc3be

Download Submit
C:\FA_Antivira\FAvbs\FAbuttenUser.vbs
Filesize
1KB

MD5
f2f1d25a0733f5bbad7c729096e4810f

SHA1
88c073043fa9bc4c6660837f1f90f1a7a42a35fc

SHA256
19f7da333b1ac0483d06821dbaa6640445442a06f603c9d8d3665269112abddf

SHA512
0a2cdd4ff70945d1da0d88b532b0f31e4285fb4297302cc574fdde1d2dd9006d3ced8b71fecb9cc58e1792863733c64bd9c452a1c888dfb4e1e4e1340784c1e1

Download Submit
C:\FA_Antivira\FAwlc.vbs
Filesize
37B

MD5
8af233a3816f2564fe1dd935a228eed5

SHA1
e135f58494c4aa12e4c3fc1c6a5645716bac5384

SHA256
9c30303185a1337fa4f8b22c5cf93bfa40b5f437bc82abd168c4aa0a85889ec0

SHA512
2fce3e661e3d677848817d80567fdff464bc5c12badf3ff454576252facd49b159bd00e8da6ed96fc9748ca0c8b9d24d64a35651c29de1daaf2cc718fdbff8c2

Download Submit
C:\FA_Antivira\Fabi_Antivira_Securety.bat
Filesize
273B

MD5
c67e9bfe1056431c086554c2206401a3

SHA1
7d7b11a79233fdc2c5b8dcd0e9edf5a028324453

SHA256
d7b9799fdfefc9e083dc43cf74e7f8019a5f1e74c68e30ad54fdd208383cb2c4

SHA512
e38c705f3cbdddc0b437459d1e9ce3b37e421da2d137f091ecd399eeed07b2d491abc39ea420546f2b68c6a6266ae99ee75ca3be656ddd5496513d7643be8b3d

Download Submit
C:\FA_Antivira\Python\FAMsh.py
Filesize
2KB

MD5
ac02c7e35e75be6d744ab7a5e274de49

SHA1
796d6c8a93997fc603c714a3346f42fcfa11ed13

SHA256
c8c9b044439f06cf6ae2eed53230612e5960a2871779b06a1d73d56e4c528de0

SHA512
28b5ee17c21093666abb11ff88afa87ea7f3aa880662809d8cf2192c8c5236b1435f6517186a4fad46c8919b063d27c9c43ccbf7bc7386ccd75197598532c195

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ornayo4d.2a3.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2124-100-0x00007FF8F2420000-0x00007FF8F2E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-96-0x000001A38CE50000-0x000001A38CE60000-memory.dmp

Filesize
64KB

Download
memory/2124-79-0x000001A3A5550000-0x000001A3A55C6000-memory.dmp

Filesize
472KB

Download
memory/2124-76-0x000001A3A5420000-0x000001A3A5442000-memory.dmp

Filesize
136KB

Download
memory/2124-75-0x000001A38CE50000-0x000001A38CE60000-memory.dmp

Filesize
64KB

Download
memory/2124-74-0x000001A38CE50000-0x000001A38CE60000-memory.dmp

Filesize
64KB

Download
memory/2124-73-0x00007FF8F2420000-0x00007FF8F2E0C000-memory.dmp

Filesize
9.9MB

Download