Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 21:30
Behavioral tasks
behavioral1: FNknoxV1 (1).rar on win7-20240508-en
behavioral2: FNknoxV1 (1).rar on win10v2004-20240611-en (the task reported on this page; it matches the platform and resource above)
behavioral3: FNknoxV1.exe on win7-20240419-en
General
Target: FNknoxV1 (1).rar
Size: 7.1MB
MD5: 54ee74680681d2af21e9fb0bd1cef8e3
SHA1: d44b497e033bb3e0b6eea587e9857d6096741a97
SHA256: bccfea0aa1f93962c5e794076f9a1da37fa67114cf88809a3f65f6ae8bb44655
SHA512: 32bf6d6aed84dfb68ef6b798394cb455e13d493ca716a419cc9099601e5a374a6ddd9f7a9b7f0f66ebf4e1f5cbe4fd3b4cec4324f52f23d3a0f031fb595e1021
SSDEEP: 196608:P0ppKTn4gYSk0FqNfrRFmgbmY7Qw93lXo/8X4M3St19:P0pwUTSk0FqNftFP97193FVXJ619
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes: cmd.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: OpenWith.exe
pid | process
3012 | OpenWith.exe

Suspicious use of SetWindowsHookEx (31 IoCs)
Processes: OpenWith.exe
pid | process
3012 | OpenWith.exe (31 identical entries, all from the same process)
Processes
All three processes sit at the top level of the tree (depth 1); none is a child of another.

C:\Windows\system32\cmd.exe
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\FNknoxV1 (1).rar"
  PID: 4656
  signatures: Modifies registry class

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3012
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2408
  signatures: none

Note on reading this task: the sandbox launched the .rar archive itself via cmd /c. OpenWith.exe -Embedding is the Windows "Open with" dialog, and the rundll32 line is shell32 hosting the shell's COM local server for it, which is what the shell does when no handler is registered for the file type. Every signature on this page is attributed to those Windows components or to cmd.exe; no archive member was extracted or executed in this task, so the report says nothing about what the archive contains. The hashes above identify the archive, not FNknoxV1.exe (behavioral3).
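The IoC tables and the process tree above arrive as run-on lines, which makes them hard to read and hard to diff against other runs of the same sample. The following Python is an added example, not part of the sandbox's output or of any official parser: it splits the "description ioc process" registry table into (action, key, process) rows, collapses the repeated SetWindowsHookEx pid list into counts, and rebuilds the process tree with each process's PID and attributed signatures. The inputs are copied from this page (the 31-entry hook list is reconstructed from its stated count rather than pasted); the regular expressions assume the layout seen here and the function and class names are the example's own.

```python
"""Parse the flattened sandbox-report fragments above into structured records."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# --- Constructed inputs: the fragments as they appear on this report page ---
REGISTRY_IOC_LINE = (
    r"cmd.exeOpenWith.exedescription ioc process "
    r"Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings cmd.exe "
    r"Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings OpenWith.exe -"
)
# The page lists 31 identical "3012 OpenWith.exe" entries; rebuilt from that count
# instead of pasting the run-on line.
HOOK_IOC_LINE = "OpenWith.exepid process " + " ".join(["3012 OpenWith.exe"] * 31)

PROCESS_TREE = r"""C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\FNknoxV1 (1).rar"1⤵
- Modifies registry class
PID:4656
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3012
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2408
"""

# One registry IoC row: "<action> <key> <process>"; the key may contain spaces
# ("Local Settings") and the process name ends in ".exe", which is what delimits it.
REG_IOC_RE = re.compile(r"(\w+ \w+)\s+(\\REGISTRY\\.+?)\s+(\S+?\.exe)(?=\s|$)")
# One process-tree line: "<image path><command line><depth>⤵[PID:<n>]". The image
# path and command line are fused, so the first ".exe" ends the image path.
# Caveat (assumption): a command line that itself ends in digits would be misread as depth.
PROC_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$"
)


def parse_registry_iocs(line: str) -> List[Dict[str, str]]:
    """Split the run-on 'description ioc process' table into one dict per row."""
    body = line.split("description ioc process", 1)[-1]
    return [{"action": a, "key": k, "process": p} for a, k, p in REG_IOC_RE.findall(body)]


def count_pid_entries(line: str) -> Counter:
    """Collapse a repeated 'pid process' list into {(pid, image): count}."""
    return Counter((int(pid), name) for pid, name in re.findall(r"\b(\d+) (\S+\.exe)\b", line))


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> List[Proc]:
    """Rebuild the process list: one Proc per tree line, with its PID and signature bullets."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m["image"], m["cmdline"].strip(), int(m["depth"]),
                              int(m["pid"]) if m["pid"] else None))
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:])          # PID given on its own line
        elif line.startswith("- ") and procs:
            procs[-1].signatures.append(line[2:])  # signature bullet under the process
    return procs


def signatures_by_pid(procs: List[Proc]) -> Dict[str, List[int]]:
    """Invert the tree: which PIDs each signature was attributed to."""
    out: Dict[str, List[int]] = {}
    for p in procs:
        for sig in p.signatures:
            out.setdefault(sig, []).append(p.pid)
    return out


if __name__ == "__main__":
    for row in parse_registry_iocs(REGISTRY_IOC_LINE):
        print(f"{row['action']:<12} {row['process']:<14} {row['key']}")
    for (pid, name), n in count_pid_entries(HOOK_IOC_LINE).items():
        print(f"SetWindowsHookEx: pid {pid} {name} x{n}")
    procs = parse_process_tree(PROCESS_TREE)
    for p in procs:
        print(f"[{p.pid}] depth={p.depth} {p.image}\n    cmd: {p.cmdline}\n    sigs: {p.signatures or '-'}")
    print(signatures_by_pid(procs))
```

Running it shows the point the tables make only implicitly: both registry IoCs are the same Local Settings key under the user's Classes hive, the 31 hook entries are one PID, and every attributed signature lands on cmd.exe or OpenWith.exe rather than on anything extracted from the archive.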