Analysis
- max time kernel: 77s
- max time network: 78s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 14-06-2024 18:38
Behavioral tasks
- behavioral1: Flash PlayerInstaller.exe (resource win10-20240404-en)
- behavioral2: Flash PlayerInstaller.exe (resource ubuntu2404-amd64-20240523-en)
- behavioral3: $PLUGINSDIR/System.dll (resource win10-20240611-en)
- behavioral4: $PLUGINSDIR/System.dll (resource ubuntu2404-amd64-20240523-en)
- behavioral5: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/Setup.exe (resource win10-20240404-en)
- behavioral6: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/Setup.exe (resource ubuntu2404-amd64-20240523-en)
- behavioral7: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/data.js (resource win10-20240404-en)
- behavioral8: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/data.js (resource ubuntu2404-amd64-20240523-en)
- behavioral9: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/index.html (resource win10-20240404-en)
- behavioral10: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/index.html (resource ubuntu2404-amd64-20240523-en)
- behavioral11: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/web/css/PIE.js (resource win10-20240404-en)
- behavioral12: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/web/css/PIE.js (resource ubuntu2404-amd64-20240523-en)
- behavioral13: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/web/js/app.js (resource win10-20240404-en)
- behavioral14: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/web/js/app.js (resource ubuntu2404-amd64-20240523-en)
- behavioral15: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/web/js/formcontrols.min.js (resource win10-20240404-en)
- behavioral16: $TEMP/aeac2814-61bf-4a12-8b11-c5ea3cfa382c/web/js/formcontrols.min.js (resource ubuntu2404-amd64-20240523-en)
General
- Target: Flash PlayerInstaller.exe
- Size: 504KB
- MD5: ac3638b216ba347743bf3cdcfc87459a
- SHA1: 3f33de8c47b5bf38380d89913279b9475f113bc5
- SHA256: cc5d6a66049d1923450c1660e434d85ab3fb96d6266e2ebec80429a19d4579b5
- SHA512: 99184b1bd6f3992ea78bd2c89a3a93593a7e7ed9f1bbe757ff59fa76dc59507c3e6045d7048408d9c7a6e7c26ce6579349ed5fad38b2a62342483627ede27ba0
- SSDEEP: 12288:aj8V2ZRQBohPtt8iClB38wYI8haQRSQlQft/8oI1sruo4njdKv0H:c8V2ZRQBiLE8Im2ft/qGugv
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: Setup.exe (PID 2604)
- Loads dropped DLL (1 IoCs)
  Processes: Flash PlayerInstaller.exe (PID 4420)
- Memory regions matching YARA rule upx:
  behavioral1/memory/4420-0-0x0000000000400000-0x0000000000432000-memory.dmp
  behavioral1/memory/4420-41-0x0000000000400000-0x0000000000432000-memory.dmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe (PID 3056), target process Setup.exe (PID 2604)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: Setup.exe (PID 2604), recorded twice
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: Flash PlayerInstaller.exe (PID 4420) wrote to memory of Setup.exe (PID 2604), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\Flash PlayerInstaller.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Flash PlayerInstaller.exe"
  PID: 4420
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\Setup.exe
    Command line: "aeac2814-61bf-4a12-8b11-c5ea3cfa382c\Setup.exe" "C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\index.html"
    PID: 2604
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1500
      PID: 3056
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\Setup.exe
  Filesize: 821KB
  MD5: f517e343fc5d364856d71fe477b34094
  SHA1: 507eecf79302cb2f31521638ad28f6035b0f92eb
  SHA256: fb43823612d7d6c9efef26ad685f720e0e007fcad6379dbe1e002fa18242e908
  SHA512: 424da125281693651beaf4b324b5cb3d1eee4445e7c21d3d05785e4b147f27b63c0c21dcd52ed605bc22b32f79a778eef58a9ad24c2896179be60c639b2b6340
- C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\data.js
  Filesize: 81KB
  MD5: 29e08e5f8df1a8e6fee050f8b5fd9c0c
  SHA1: 197fd5fa4d96fd06c5c020fe64c1b8c1edf1973a
  SHA256: aec29a48a3a54828661f8351c863175bd9ceeb15dff565146ffa7664646622dd
  SHA512: 5432c833b0ea2616c1da9a1657f87c2737b254a509ee739c16a1c7d4bc8e740a8769843e672ee833c61a8cf74d141d89ed0d8240ae1fd57b2918a64b2a242490
- C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\data0.js
  Filesize: 255B
  MD5: 3089dc394d4ca4ac85bf220902a7fc39
  SHA1: 768dcba1c6166317ab4e5979a2ede8afbfe20ee3
  SHA256: 70ec36ea666c234df7231315edaa24c8a2158e9ed1786116a43960ae4d185292
  SHA512: 3b9ea300ba175d4af24f2b2ddd8c6252ea829b590961cb07c2393d518e69e0bb72cbe70778fff14d6d8b03a3567c36bf1de5400e477cdd3d0a5a4781051e89b2
- C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\index.html
  Filesize: 489B
  MD5: 263e7937ad144efa91dc45e29a4238c5
  SHA1: baab29f7377b9bd43175d6e6cf0a7e317f3f3e48
  SHA256: b5f7d03b8819dbcef07a1cb98522e76e5f89770519cfca0d7799f711a579f7a5
  SHA512: 1308bd31e98a67ca909a96ad46858bc5ff51774b88ea5934495dfe1bfd8312bfd86d0d01adb1cc4027a4bb15dc9b5e9965f45ba860eb25ec4d489e16b68014af
- C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\main.css
  Filesize: 2KB
  MD5: f831bb398578407ecfb03ac2ac12a725
  SHA1: b4ccf4aa0ac4f796e5d4f0f7e1f5004c1173c31a
  SHA256: ed577dffdb0291e142ff6d1c4a00d03d0c98482ee5c3fc12ed7585a19e2300a9
  SHA512: 2643a6386e2f80b678d2d66258486d63e66975507aab382f1564804bc02630792316c2d57dbd8849b107e8e24a9c05352633bedeb65c82553e13e6827a5cd48d
- C:\Users\Admin\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\js\app.js
  Filesize: 126KB
  MD5: 02e40106b372a0318f1e5360fbfc6304
  SHA1: e257489168b3b3f1eb3433622e48da5abfd15b9c
  SHA256: 69c056b13b2d03199bf67833e772c9bb4547dfc8ccb6e304fbbb36bdcecf3bd9
  SHA512: 978543a567c3f3630f31141ece5b4bb68ef78f6e007251450412c9eee4ca06f4ca385352b4299ba84fdbf3ee220052a5fda6711d02f855ccef1e4b0fcdba4713
- \Users\Admin\AppData\Local\Temp\nsl883D.tmp\System.dll
  Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- memory/2604-35-0x0000000000600000-0x0000000000601000-memory.dmp
  Filesize: 4KB
- memory/2604-42-0x0000000000400000-0x00000000004D4000-memory.dmp
  Filesize: 848KB
- memory/2604-45-0x0000000000600000-0x0000000000601000-memory.dmp
  Filesize: 4KB
- memory/4420-0-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize: 200KB
- memory/4420-41-0x0000000000400000-0x0000000000432000-memory.dmp
  Filesize: 200KB