Analysis
  max time kernel: 144s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 27-06-2024 21:29
Behavioral task: behavioral1
  Sample: FNknoxV1 (1).rar
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: FNknoxV1 (1).rar
  Resource: win10v2004-20240611-en
Behavioral task: behavioral3
  Sample: FNknoxV1.exe
  Resource: win7-20240419-en
General
  Target: FNknoxV1 (1).rar
  Size: 7.1MB
  MD5: 54ee74680681d2af21e9fb0bd1cef8e3
  SHA1: d44b497e033bb3e0b6eea587e9857d6096741a97
  SHA256: bccfea0aa1f93962c5e794076f9a1da37fa67114cf88809a3f65f6ae8bb44655
  SHA512: 32bf6d6aed84dfb68ef6b798394cb455e13d493ca716a419cc9099601e5a374a6ddd9f7a9b7f0f66ebf4e1f5cbe4fd3b4cec4324f52f23d3a0f031fb595e1021
  SSDEEP: 196608:P0ppKTn4gYSk0FqNfrRFmgbmY7Qw93lXo/8X4M3St19:P0pwUTSk0FqNftFP97193FVXJ619
Malware Config

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description   ioc                                                                                   process
    Key created   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings   rundll32.exe
    Key created   \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings   rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe
    pid    process
    2976   vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vlc.exe
    pid    process
    2976   vlc.exe
- Suspicious use of FindShellTrayWindow (9 IoCs)
  Processes: vlc.exe
    pid    process
    2976   vlc.exe   (9 identical entries)
- Suspicious use of SendNotifyMessage (8 IoCs)
  Processes: vlc.exe
    pid    process
    2976   vlc.exe   (8 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vlc.exe
    pid    process
    2976   vlc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, rundll32.exe, rundll32.exe
    description                        pid    process        target process
    PID 1276 wrote to memory of 2652   1276   cmd.exe        rundll32.exe   (3 identical entries)
    PID 2652 wrote to memory of 2472   2652   rundll32.exe   rundll32.exe   (3 identical entries)
    PID 2472 wrote to memory of 2976   2472   rundll32.exe   vlc.exe        (3 identical entries)
Processes (process tree, child processes indented under their parent)
  C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\FNknoxV1 (1).rar"
    PID: 1276
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FNknoxV1 (1).rar
      PID: 2652
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FNknoxV1 (1).rar
        PID: 2472
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Program Files\VideoLAN\VLC\vlc.exe
          Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\FNknoxV1 (1).rar"
          PID: 2976
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx