Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 01:58
Static task: static1
Behavioral task: behavioral1
  Sample: 622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
  Resource: win10v2004-20240426-en
General
Target: 622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Size: 22.1MB
MD5: eec7acb2566e097fd6b4315c16a83e8e
SHA1: c16df7bf24443f63b05bbe4cae7739eddb54bd1c
SHA256: 622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464
SHA512: 7f68df8015f650963b1498c635260e0a22e33af520c8d8abc02d047a085964c486c5ea21307bb53dbb87d0e8ccf7a97f933b15044348ca49114b4b4baef7afb2
SSDEEP: 196608:baXjzQFURtw0xOwM2g02RtwN7wq1W6HqULS8djZDTaNNeCKVP5ORsgQf4RtwST:IfQFeS0xPM2g5SN8qU6GOjQoxasPySST
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID 2196  Immersive_Updater_CP_1.exe
  PID 2936  Immersive_Updater_CP_1.exe

Loads dropped DLL (6 IoCs)
  PID 1428  622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe  (6 loads; the DLL paths are not listed in this report)

Modifies registry class (8 IoCs)
  All eight entries are written by PID 1428 (622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe) under the per-user classes hive \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes (the HKCU\Software\Classes view), so no administrative rights are involved. Together they register a .cpp1 file association ("ChasePlane v1 Presets") whose open handler is the sample's own path under the user's Temp directory.
  Set value (str)  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe\" \"%1\""
  Key created      \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.cpp1
  Set value (str)  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.cpp1\ = "ChasePlane_v1_Presets"
  Key created      \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets
  Set value (str)  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\ = "ChasePlane v1 Presets"
  Key created      \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell\open\command
  Key created      \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell
  Key created      \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell\open

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 1428  622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
  Token: SeDebugPrivilege  PID 2196  Immersive_Updater_CP_1.exe
  Token: SeDebugPrivilege  PID 2936  Immersive_Updater_CP_1.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1428 (622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe) wrote to memory of PID 2196 (Immersive_Updater_CP_1.exe)  (2 writes)
  PID 1428 (622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe) wrote to memory of PID 2936 (Immersive_Updater_CP_1.exe)  (2 writes)
  Both targets are the child processes that PID 1428 launches (see Processes), so these writes accompany process creation rather than targeting an unrelated process.
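The registry entries above amount to a per-user file-association registration, and the thing a practitioner wants to know from such a signature is where the handler points. The Python below is an added example (not part of this report and not ChasePlane's code): it parses IoC lines in the report's own notation, joins the ".ext -> ProgID" default value with the ProgID's shell\open\command value, and flags extensions whose handler executable lives in a user-writable location. REPORT_IOCS is transcribed from the report; USER_WRITABLE_MARKERS and the machine-wide Classes path handling are assumptions.

```python
"""Parse 'Modifies registry class' IoC lines from a sandbox report and flag
file-type handlers that point into user-writable locations.

Added example, not part of the original report. REPORT_IOCS is transcribed
from the report; USER_WRITABLE_MARKERS is an assumption about which path
fragments denote locations a standard user can write to.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = "622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe"
CLASSES = r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes"

# The eight entries from the report (process column dropped; all are PID 1428).
REPORT_IOCS = [
    "Set value (str) " + CLASSES + r'\ChasePlane_v1_Presets\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + r'\" \"%1\""',
    "Key created " + CLASSES + r"\.cpp1",
    "Set value (str) " + CLASSES + r'\.cpp1\ = "ChasePlane_v1_Presets"',
    "Key created " + CLASSES + r"\ChasePlane_v1_Presets",
    "Set value (str) " + CLASSES + r'\ChasePlane_v1_Presets\ = "ChasePlane v1 Presets"',
    "Key created " + CLASSES + r"\ChasePlane_v1_Presets\shell\open\command",
    "Key created " + CLASSES + r"\ChasePlane_v1_Presets\shell",
    "Key created " + CLASSES + r"\ChasePlane_v1_Presets\shell\open",
]

# "<op> <key>" optionally followed by ' = "<data>"'. A key ending in '\'
# means the (Default) value of that key is being set.
IOC_RE = re.compile(r'^(Key created|Set value \(\w+\)) (\S+)(?: = "(.*)")?$')
# Keys under the per-user or the machine-wide classes root (assumption: the
# report uses the same native path style for both); group 1 is the relative path.
CLASSES_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\[^\\]+_Classes|MACHINE\\SOFTWARE\\Classes)\\(.+)$", re.I)
# Assumption: path fragments that identify user-writable locations.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\downloads\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class RegistryIoc:
    op: str                      # "Key created" or "Set value (<type>)"
    key: str                     # native key path, trailing backslash removed
    data: Optional[str] = None   # unescaped string data for "Set value"


@dataclass
class Association:
    extension: str
    progid: str
    command: Optional[str]       # the ProgID's shell\open\command data, if present
    executable: Optional[str]    # first token of that command


def unescape_report_string(s: str) -> str:
    """The report prints string data as a C-style literal, escaping quote and backslash."""
    return re.sub(r'\\([\\"])', r"\1", s)


def parse_ioc(line: str) -> RegistryIoc:
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    data = unescape_report_string(m.group(3)) if m.group(3) is not None else None
    return RegistryIoc(m.group(1), m.group(2).rstrip("\\"), data)


def handler_executable(command: str) -> str:
    """First token of a shell command: a quoted path, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def build_associations(lines: List[str]) -> Dict[str, Association]:
    """Join '.ext -> ProgID' default values with each ProgID's open command."""
    ext_to_progid: Dict[str, str] = {}
    progid_to_cmd: Dict[str, str] = {}
    for ioc in map(parse_ioc, lines):
        m = CLASSES_RE.match(ioc.key)
        if ioc.data is None or not m:
            continue
        parts = m.group(1).split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0].lower()] = ioc.data
        elif len(parts) == 4 and [p.lower() for p in parts[1:]] == ["shell", "open", "command"]:
            progid_to_cmd[parts[0].lower()] = ioc.data
    result: Dict[str, Association] = {}
    for ext, progid in ext_to_progid.items():
        cmd = progid_to_cmd.get(progid.lower())
        result[ext] = Association(ext, progid, cmd, handler_executable(cmd) if cmd else None)
    return result


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def find_suspicious_handlers(lines: List[str]) -> List[str]:
    """Extensions whose open handler sits in a user-writable path, or whose
    ProgID has no command in the report (worth a manual look either way)."""
    assocs = build_associations(lines)
    return sorted(ext for ext, a in assocs.items()
                  if a.executable is None or is_user_writable(a.executable))


if __name__ == "__main__":
    for ext, a in build_associations(REPORT_IOCS).items():
        print(f"{ext} -> {a.progid} -> {a.executable}")
    print("suspicious:", find_suspicious_handlers(REPORT_IOCS))
```

Run against the report's entries this yields .cpp1 -> ChasePlane_v1_Presets -> C:\Users\Admin\AppData\Local\Temp\622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe and flags .cpp1, because the handler is the sample's own path in the Temp directory where the sandbox placed it; on a real install the same check passes once the handler points at the installed program directory. Only the "open" verb is joined; other verbs and CLSID-based handlers would need the same treatment.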
Processes
1. C:\Users\Admin\AppData\Local\Temp\622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe"
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1428
   2. C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe" isready silent "chaseplane|null|C:\Users\Admin\AppData\Local\Temp"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2196
   2. C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe" download silent "chaseplane|prod|C:\Users\Admin\AppData\Local\Temp"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2936
Network
MITRE ATT&CK Matrix
Downloads
1. (no path recorded)
   Filesize: 2KB
   MD5: 7cfc32b57e4e56c20690515332517b6d
   SHA1: f4cf7a52580a1c7d68f3874773855e4f1ae4c705
   SHA256: 7b11c494c05589bc52d358b64b78a4331a6f3c09763e659ee3a26e106f116e48
   SHA512: 86a0986fbe8b5bf9d66327af1857c2dab7c616f1c287397b25284946e1eb0802e257069c5d8754265786c123fc65a725a268a32476c4331d02929818d1a06da0
2. C:\Users\Admin\AppData\Local\Temp\4e2f844d-613a-4e12-ae91-805483af6972\Microsoft.FlightSimulator.SimConnect.dll
   Filesize: 106KB
   MD5: b9e0a00c2067cdf6b6e10a8f8225b3d0
   SHA1: 47f065036d771a560c4b3c52c4bb3cc04106f655
   SHA256: 68e153c1be4c24939dd0136052a22dde9c22e056ee6931bc2d5b408a508002c2
   SHA512: 854d07825549e0af96be8b70c1971460bbeacf9908e22bd642719359e5ac75f437ffeed47019f08704eb7b55283a1d5a93075b0e35276c6e31350b5a9ba22599
3. (no path recorded)
   Filesize: 3.2MB
   MD5: 955ddb844ce2bf3d83990d0cfde4cd6a
   SHA1: 35da81e1decb21cb1c698035d5804379a0ebed21
   SHA256: f23ec20aeaec149ba963d1fb03af3ea1585ccdf1ac207f315361a80ceaadcc05
   SHA512: 7392aeda6ef46458d5ecf8e56026c87fb37d46c2016ff39e988873ef8089abd1ec8ee976f4e23c09c1f0d1c9138556b77e17cae683202705a9bc8441724e4bf5
4. (no path recorded)
   Filesize: 3.2MB
   MD5: 37bf61c79b3bab0aadc74238777dda1d
   SHA1: cfdc947f98fbfb8915692fab0f3b08488b762e50
   SHA256: e215cca07bd868b59eafe1a397b20ec65723e6ea979de6a8849c2d7fd0972a1b
   SHA512: 3e5d3e68c541f17f61892d4c242eece19eab9e584a2f46eab532907a27ab9f1dba0eccedfd3b36110061c9a852791a6e582115dc12d0a8bb0aebb9dcfc306a6f
5. (no path recorded)
   Filesize: 330B
   MD5: af98a85a22cee9343f2d859b06e8c648
   SHA1: 6d6cf3cfe83393624ed72db2fe1894df31379029
   SHA256: 8f2c969d5fea922534600057da729c2d8534c52d72635b5e916cba684b1c09de
   SHA512: 407e09b897178e6970240d687cb53e8ccbd527e5101f0d08371a17ca00f37f3a42d1bae63ccc93453e12d7b536198917a1cdc7244d9c533f7a6b74201fa36286