Analysis Overview
SHA256
7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
Threat Level: Known bad
The file FastAimX64.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Possible privilege escalation attempt
Disables Task Manager via registry modification
Modifies file permissions
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-01 05:54
Signatures
Unsigned PE
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win7-20240611-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win10v2004-20240508-en
Max time kernel
42s
Max time network
51s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4600 wrote to memory of 4952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 4600 wrote to memory of 4952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 4952 wrote to memory of 1896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4952 wrote to memory of 1896 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4600 wrote to memory of 1612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
| PID 4600 wrote to memory of 1612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install_python.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\system32\curl.exe
curl -L -o python-installer.exe https://www.python.org/ftp/python/+FullyQualifiedErrorId/python-+FullyQualifiedErrorId-amd64.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.python.org | udp |
| US | 8.8.8.8:53 | www.python.org | udp |
Files
memory/1896-0-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp
memory/1896-1-0x000001CEFD0F0000-0x000001CEFD112000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfby1dl3.wsn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
47s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | C:\Windows\System32\WormLocker2.0.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WormLocker2.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WormLocker2.0.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\WormLocker2.0.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File created | C:\Windows\System32\LogonUItrue.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File opened for modification | C:\Windows\System32\LogonUItrue.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File created | C:\Windows\System32\LogonUI.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File opened for modification | C:\Windows\System32\LogonUIinf.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File opened for modification | C:\Windows\System32\ransom_voice.vbs | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\WormLocker2.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WormLocker2.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WormLocker2.0.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe
"C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
C:\Windows\System32\WormLocker2.0.exe
"C:\Windows\System32\WormLocker2.0.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\ransom_voice.vbs"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x3fc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/928-0-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp
memory/928-1-0x0000000000250000-0x00000000002A6000-memory.dmp
memory/928-2-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
C:\Windows\System32\WormLocker2.0.exe
| MD5 | 041aa5e99ae545dac5f9306bb20d869e |
| SHA1 | 88ea126645bfd418abba44cca4a16adf12084d2f |
| SHA256 | 830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73 |
| SHA512 | 4b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c |
memory/536-21-0x0000000000960000-0x0000000000982000-memory.dmp
memory/536-22-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
memory/928-23-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
C:\Windows\System32\ransom_voice.vbs
| MD5 | c1f9613622f740c2f00c2fa8881ba7ba |
| SHA1 | bf3271720634bebb3c41ef2b33af525b62f931bc |
| SHA256 | d200a1e942b8cfdcd8190d1ad59f92e27e39b919ba230f2dd88d70c3df428c7b |
| SHA512 | 49e00bb3c76f7e69818a889f045f3d3c43badf2116facccbbf69c61de19f91a42aee891b9a5b72a256453e2fc5c637adac1e354cf88e6782679afa886ad1c615 |
memory/536-97-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6835D4BB44574040A0AB5177E8458061.dat
| MD5 | 00a7e2bc2429a29d0b395c5241f23773 |
| SHA1 | 92c4b0571e13bde0669bd955626414a21e264d53 |
| SHA256 | 6cf5d282a4ca62e0bcf0737e66de9a039643defcbd8470faed5cf3879c182f07 |
| SHA512 | 1e8e88a318c5590cfaf4cc585fd12e7c65463a2ab2356f6249581128a46cec74e0387a2569980993631c4ce22bb61d2d3709751e276f829a2b54fbceea70eff4 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win7-20240419-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | C:\Windows\System32\WormLocker2.0.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WormLocker2.0.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\WormLocker2.0.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File created | C:\Windows\System32\LogonUItrue.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File opened for modification | C:\Windows\System32\LogonUItrue.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File created | C:\Windows\System32\LogonUI.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File opened for modification | C:\Windows\System32\LogonUIinf.exe | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
| File opened for modification | C:\Windows\System32\ransom_voice.vbs | C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WormLocker2.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WormLocker2.0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe
"C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
C:\Windows\System32\WormLocker2.0.exe
"C:\Windows\System32\WormLocker2.0.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\ransom_voice.vbs"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
Files
memory/1732-0-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp
memory/1732-1-0x0000000000C80000-0x0000000000CD6000-memory.dmp
memory/1732-2-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp
C:\Windows\System32\WormLocker2.0.exe
| MD5 | 041aa5e99ae545dac5f9306bb20d869e |
| SHA1 | 88ea126645bfd418abba44cca4a16adf12084d2f |
| SHA256 | 830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73 |
| SHA512 | 4b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c |
memory/2572-13-0x0000000001260000-0x0000000001282000-memory.dmp
memory/1732-14-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp
C:\Windows\System32\ransom_voice.vbs
| MD5 | c1f9613622f740c2f00c2fa8881ba7ba |
| SHA1 | bf3271720634bebb3c41ef2b33af525b62f931bc |
| SHA256 | d200a1e942b8cfdcd8190d1ad59f92e27e39b919ba230f2dd88d70c3df428c7b |
| SHA512 | 49e00bb3c76f7e69818a889f045f3d3c43badf2116facccbbf69c61de19f91a42aee891b9a5b72a256453e2fc5c637adac1e354cf88e6782679afa886ad1c615 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 1804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1952 wrote to memory of 1804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1952 wrote to memory of 1804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1804 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1804 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1804 wrote to memory of 2212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install_python.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win7-20240611-en
Max time kernel
123s
Max time network
129s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\MyApp\blx.exe | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MyApp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\install_python.bat | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\install.bat | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\creal.exe | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
"C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MyApp\install_python.bat""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MyApp\install.bat""
Network
Files
C:\Program Files (x86)\MyApp\install_python.bat
| MD5 | f30718a354e7cc104ea553ce5ae2d486 |
| SHA1 | 3876134e6b92da57a49d868013ed35b5d946f8fd |
| SHA256 | 94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966 |
| SHA512 | 601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874 |
C:\Program Files (x86)\MyApp\install.bat
| MD5 | c8774911b9bddd3fccb91264d715c7ba |
| SHA1 | 132c223574d1d947ef259238ffc3820ddb525492 |
| SHA256 | a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350 |
| SHA512 | 9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-01 05:54
Reported
2024-07-01 05:57
Platform
win10v2004-20240611-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\MyApp\install.bat | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\creal.exe | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\blx.exe | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\python-installer.exe | C:\Windows\SysWOW64\curl.exe | N/A |
| File created | C:\Program Files (x86)\MyApp\install_python.bat | C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
"C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyApp\install_python.bat""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2708 -ip 2708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 2776
C:\Windows\SysWOW64\curl.exe
curl -L -o python-installer.exe https://www.python.org/ftp/python//python--amd64.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyApp\install.bat""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.python.org | udp |
| US | 151.101.188.223:443 | www.python.org | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 151.101.188.223:443 | www.python.org | tcp |
| US | 8.8.8.8:53 | 223.188.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Program Files (x86)\MyApp\install_python.bat
| MD5 | f30718a354e7cc104ea553ce5ae2d486 |
| SHA1 | 3876134e6b92da57a49d868013ed35b5d946f8fd |
| SHA256 | 94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966 |
| SHA512 | 601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1uvqiis5.nkc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Program Files (x86)\MyApp\python-installer.exe
| MD5 | 8eec510e57f5f732fd2cce73df7b73ef |
| SHA1 | 3c0af39ecb3753c5fee3b53d063c7286019eac3b |
| SHA256 | 55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0 |
| SHA512 | 73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574 |
C:\Program Files (x86)\MyApp\install.bat
| MD5 | c8774911b9bddd3fccb91264d715c7ba |
| SHA1 | 132c223574d1d947ef259238ffc3820ddb525492 |
| SHA256 | a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350 |
| SHA512 | 9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d |