Analysis

  • max time kernel
    123s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 13:17

General

  • Target

    a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe

  • Size

    3.5MB

  • MD5

    2e74d6fa9f7ad6604f4474d3a88df538

  • SHA1

    94ddd1699392c49aea7f9a610ed5487ea5d30a07

  • SHA256

    a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a

  • SHA512

    38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5

  • SSDEEP

    98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
    "C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release
          4⤵
            PID:2228
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic product where name="FiatLink" call uninstall
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2088
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
          Setup.exe
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1780
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi"
            4⤵
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:1028
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4104,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
      1⤵
        PID:4356
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Windows\syswow64\MsiExec.exe
          C:\Windows\syswow64\MsiExec.exe -Embedding B823A2FB0B6D120180F053B46878A744 C
          2⤵
          • Loads dropped DLL
          PID:3516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CheckNF.bat

        Filesize

        556B

        MD5

        1f4c5332b3e3f7668c6c0fbd730ef6f7

        SHA1

        f68d224c39e3d472a4cadfbad6f9f3a57ae6f643

        SHA256

        2f31c813c6d6c132fdfc1c09cf995944170db0a382f799d9dc32c249407e966c

        SHA512

        df673b727e5853716de4803d2ce98054a46dfdbcfbb7a7523e8fc34aa4c7fbd3354ea5990e6abf511606bf917c3e50e3bb5489a0f10572dd9aa1e9dea23818ea

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FiatLinkSetup.msi

        Filesize

        3.7MB

        MD5

        7c456cc375ef300f4232063f5d82fc0f

        SHA1

        3cdb11f579a225b7820250ea3f29ac39b2cecd87

        SHA256

        d968e60998886a88deed7e9286d4efb90107bc4a068d341cc8b8a2b958720f56

        SHA512

        13d95cae7ccfcd0d15f383b93f761b059628478f4d851148fc8a78fdadc04bf7f9b9f7cd7240b27acfbc3db5106eb20934093287ba8f22ed13ed07222904c019

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd

        Filesize

        598B

        MD5

        83a8232021f3f7690a57948dd1fd3f53

        SHA1

        785cab55143c51cf13714c7c3827e0324a767b62

        SHA256

        5bc380a39e687d214b52d425634db1490a44c4e56ae4be1658275a5282db00f0

        SHA512

        b9347fb089d2f81f61b40c830a578f47614e48da573ba318b020cc89dcfb65fd50a5dcfdba6e8bf6b5eb914ab441fd461db6ebadfa043b008e92018dee3383a1

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

        Filesize

        510KB

        MD5

        a71a3c02f397b830524176f5e7545723

        SHA1

        d15dfb49314fd2de949b223837b14e9156355122

        SHA256

        5a8925e95d243ffaeda81be2210fea56fa4e9626484cfadf59da95b485a17ddf

        SHA512

        a3ba63d54c6afc715bb1e28c90d678ca4f3db6ff8e6a572d984f9c9efaa0fd83a512226aba06a0bf1bdab9780cf922c212b7a9be2e134cec0d395916978b0bb2

      • C:\Users\Admin\AppData\Local\Temp\MSI1D86.tmp

        Filesize

        296KB

        MD5

        b05f77f77b0f12c6774adf5b1d039b44

        SHA1

        cbf3aa9477641cc0fc39fbecf0c3b6ff7dbb8487

        SHA256

        344efb1f63e5ca99558a5b45e8462188447fef13252213761b61a2825919e410

        SHA512

        f93470597cb77156188de0f5675ae1e4d9b09f3b2ff744ad43b96fb2418e2452624a128c656fd5b26b435ac5dc8efaaaab52ad5dc9dc03017f67d1438da04305