c12c9bb19d17f63cd8595b9a88c2c6913f6474c9d4c8b462e1dfa32a0f112535

Analysis

max time kernel
453s
max time network
455s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v.1.1/FA Installer v.1.1 .bat
Size

45KB
MD5

a8cf0b50a3f3df3e4fc55e2c9ecdddaa
SHA1

882b09a0f73a609f24f4cdb934ac302af832094f
SHA256

7f8327b3d6aeecb76a3fbe49c23633a5477f85e322ed1c1fc37225266b428f73
SHA512

9923d012c51c09bdff94fff6c307c433f60d9448b3e689c57aeb523b4f6a54858e8e5d72eeab9650f29c7ee2e47dd54ad447ec34ac1017fcf9ce732491dcb979
SSDEEP

768:pfidnSP9zSgqnrT9AHuhUcKhnuxGTBmF5p8yJVS5LTf+iyy97+m6:ZRG9nf9tUc+nuxGIFwyKhTf+7Qaf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4372	1096	cmd.exe	85
PID 1096 wrote to memory of 4372	1096	cmd.exe	85
PID 1096 wrote to memory of 4136	1096	cmd.exe	86
PID 1096 wrote to memory of 4136	1096	cmd.exe	86
PID 1096 wrote to memory of 4868	1096	cmd.exe	87
PID 1096 wrote to memory of 4868	1096	cmd.exe	87
PID 1096 wrote to memory of 4512	1096	cmd.exe	88
PID 1096 wrote to memory of 4512	1096	cmd.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v.1.1\FA Installer v.1.1 .bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo4.vbs"
  2⤵
  PID:4372
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo3.vbs"
  2⤵
  PID:4136
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo2.vbs"
  2⤵
  PID:4868
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo1.vbs"
  2⤵
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FA_Antivira\FAinfo1.vbs

Filesize
84B

MD5
fad7cd2a49837444cde4548abdf478b6

SHA1
376a4ff6acc6ca44f2b660286633c5a31eddd764

SHA256
9c08b7d014ab766305e4525478bf8a1bc2f8cbe4f04aedf38f7daa0660ba3cda

SHA512
287223fdf6ec6347c37b51fc7913ab8931d1fe87c03fae93e1cf8bcacf1b4a2dc13605b08506a0299e5536fac5b02fc15ab387781b5b16873ea3c686daa81cc5

Download Submit
C:\FA_Antivira\FAinfo2.vbs

Filesize
87B

MD5
5a1fc5e5db483c5926a50ee931581cd9

SHA1
419644277a92e109d4ce6739a0d5e2d0ba8f2d42

SHA256
0f79e391fe889e01a6ef37619023af6672e98f1551753a10021efda8dee607ab

SHA512
0351928a53a5586c560e8155d99eb1838c873cbc2b554ae25c6be1433cdae41cea7508b60c016e23e0d2687d99bcc96066bc72f15c1ffb922f348f81e044c240

Download Submit
C:\FA_Antivira\FAinfo3.vbs

Filesize
71B

MD5
a61c87927d31edff281df2818dde924d

SHA1
f076867cb0411e0c584f2f9052d4c1e550cd53b7

SHA256
9220b169c1f0179caa92218990b05bc48cf75c9c36d4e45dd1c2b5f973910517

SHA512
ce5c730e3dea3c9b1a565b02925ca95ee0c50abfe15a5a8a43c21b4cb7daedd1b582ebf264dba5d7dc3fad98e1014e0557a810baa111e83596ecd22fde8fc970

Download Submit
C:\FA_Antivira\FAinfo4.vbs

Filesize
97B

MD5
d912098669bc85cc04cccf0248617120

SHA1
a817741d0ce4427cf0a0fceb7ba483972789fc60

SHA256
e044130f2e60f76a963f3e903af9d077f0ff1a8437d1c7d52ff42345e7e28422

SHA512
578127a4aedf65bb415602b08c16c29724a874b35a40dce0e116b4bf6daf513e8a511f3aed2cee8756efd45ee9245a34381433abbef91ab3908859f47f013a48

Download Submit