fba509ba07a29466d86198a4294961965ad8ef384a62da72e5b01516694fbe43

Analysis

max time kernel
141s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:01

Target

WBNS X FNF V1/WBNS X FNF.exe
Size

28.4MB
MD5

6363f1655dea5d8e05fb45f47c3d1918
SHA1

206e917a0a200122e9c05e72abf7e3fdedd0b5f2
SHA256

054ce19254564fb7eb7576c406d236c69accf3241bb6345ba99f81a427054f3a
SHA512

59036e75783dcac73c96f647f81a4840fd4272b21432a077153e4ddea29cc2c6157af023977e09bdcf8c1658217daafed368e7a8deeef52dfd753950ff412b45
SSDEEP

196608:aFkygtjTC0JkKMV6/GiuHUbOkWSBn7PgPyNgNwxtnNULQNv81mU:ekymje0JXRgHUbtn0PyyWtnNULQJ81

Score

6^/10

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
14 raw.githubusercontent.com

flow	ioc
15	raw.githubusercontent.com
14	raw.githubusercontent.com

Modifies registry class 9 IoCs

Processes:

WBNS X FNF.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205	WBNS X FNF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\URL Protocol	WBNS X FNF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WBNS X FNF V1\\WBNS X FNF.exe"	WBNS X FNF.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\shell\open\command	WBNS X FNF.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\shell	WBNS X FNF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WBNS X FNF V1\\WBNS X FNF.exe"	WBNS X FNF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\ = "URL:Run game 863222024192262205 protocol"	WBNS X FNF.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\DefaultIcon	WBNS X FNF.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\discord-863222024192262205\shell\open	WBNS X FNF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3268 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3268 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WBNS X FNF.exe

pid process

744 WBNS X FNF.exe

description	pid	process
Token: 33	3268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3268	AUDIODG.EXE

pid	process
744	WBNS X FNF.exe

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x450
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

memory/744-4-0x00007FFB15870000-0x00007FFB15B25000-memory.dmp

Filesize
2.7MB

Download
memory/744-3-0x00007FFB20180000-0x00007FFB201B4000-memory.dmp

Filesize
208KB

Download