c65fbeeb19e8ffe3f794dd544812c9626bd23f5c3a685897307f43c45270786c

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b.exe
Size

22.6MB
MD5

f405a45c4ecd213fded56e340298c9d6
SHA1

73ee6bdc0b4175894fd23d58fe4696997288e7ca
SHA256

b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b
SHA512

3db273d29319f8c41eb7a94098b480caf1b19bdd710471688d2e0d7b587d3cc2572c62ee0f917cc282c48405771374bca86d4138bf3d803960e6b3bb6f0abae4
SSDEEP

393216:Lt1OnpMR8K/HxAhnUMsXCSqOfkjABM96q7oGfM58Q5rm+qmpQo69rZkxPTWl3cdC:LtyO/Hx4UhO0hMAngM58crm4pk9rZkxo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1576	FnF Simulator.exe

Loads dropped DLL 1 IoCs

pid	Process
1576	FnF Simulator.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1576	FnF Simulator.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1256	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1576	FnF Simulator.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 1576	3392	b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b.exe	86
PID 3392 wrote to memory of 1576	3392	b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b.exe	86
PID 3392 wrote to memory of 1576	3392	b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b.exe	86

C:\Users\Admin\AppData\Local\Temp\b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b.exe
"C:\Users\Admin\AppData\Local\Temp\b3796a101c5472ec92ed408404994548910bcae44a8f6d05925785b914dc7c4b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FnF Simulator.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FnF Simulator.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FnF Simulator.exe

Filesize
3.7MB

MD5
f79a74a03092918377d3c0c5d080d571

SHA1
4821f2e8e64e327f4b08fd690315f99a1e7497c3

SHA256
3612028170742e6533b98215545d9c4e6d8a26a119f48b739b7a98c1158bdd7b

SHA512
f3f094ec932e8901a3861845e878d79bc9e82156cdb5ef1d479b4d7222ece3a543649fd58fa7e0c320cfc28257eb2ec370a7c44622a3149d17111d5dfe22f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\data.win

Filesize
22.6MB

MD5
ec4410c30dd053e2b433a38df0923e5f

SHA1
e341469afad91621ea7e44fab372b44eff417cbd

SHA256
2ead88fde9a959ea7c89363470270a3bec7684a49331016aec024f43d6f7406f

SHA512
d4bc6b6af8871b56e13f180904500e72a1c27e38c68db855c91b6a0b6c60542c9094ef1e88f8839aa2c8770bd6b8f6c9efc96cc97b2f45c9ffa9b77daaaa48c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\options.ini

Filesize
97B

MD5
396f73a1185a5642f5f1e2538b64396a

SHA1
d72d687a5a1258986f218bfccacc6118c39ec4f9

SHA256
e267293f58d257d2dd1e00ad25425bdb798fcbf75256a7d45b7d7086159dbc58

SHA512
e17cfca14ce79c71eea01973385fa4151989d40bfc5a04b97fd3534ff5b4f04b385d11867d80a60325aa0bd13403910fee73ab9379f0e05c669d24d5d95957da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\select.ogg

Filesize
5KB

MD5
46ab9ab569bbffc2a73395c0ff100c18

SHA1
2921200b46bfd7371a92fa97335733910a4a655e

SHA256
9042ca40b2d258fd584e0734fc0a69e180ff658062bac92f0bbd215be7939c04

SHA512
08f3ec6ae4cc8d917e9516c7ae59f3af600f8f39fcbdba30d9cc98b1e4614ac080bd51ed06a5a6b8f7613d929b0558364de0b97ddbd4178078b554a51b299bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\snd_title.ogg

Filesize
68KB

MD5
cd3ceb809223008bbe408efb380aaa17

SHA1
85e2f758335a2f454568426b9bb782a60ca82639

SHA256
88bd4e2dac44af0c4ea866e82505062e43453fb14ef01e802aeeaaa39f29a36d

SHA512
52ab06d3869921267d2354d9ca335dd13322115648f7a6b9ee8580587006e91b6442cd470e5ceae5440a77039671d1d4680b70f207f6cc20625991097ea6fecc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads