1444cbfe94b53fff18cb73596933875dc9d947f18ccf8e8501a18ab0ba65cea0

Analysis

max time kernel
98s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24/08/2024, 01:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FN.Rage loader.exe
Size

1004KB
MD5

516d0366a1d2ec34ae0bc178fc36fdfe
SHA1

8a280d3d527f1e9a2d7f2281b628d777d9932ccd
SHA256

1444cbfe94b53fff18cb73596933875dc9d947f18ccf8e8501a18ab0ba65cea0
SHA512

ad56a988838ee962e41316e6802bd7bab8b58a377c7925eecb98eae20f8d1c465d31b408dc78dfa9312fa367206d47d34f8f1457fc3044b98401768fb50f0930
SSDEEP

24576:MNIfFV1LQ/llSJ5oBhob9y1Nn/PG1WcKnfuGKFN89cy:M6EaK8aUsnOGc

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1492	sc.exe
900	sc.exe
2120	sc.exe
5068	sc.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
1128	taskkill.exe
4728	taskkill.exe
2196	taskkill.exe
1604	taskkill.exe
4160	taskkill.exe
1044	taskkill.exe
4164	taskkill.exe
2216	taskkill.exe
1892	taskkill.exe
1628	taskkill.exe
1960	taskkill.exe
2484	taskkill.exe
752	taskkill.exe
108	taskkill.exe
4744	taskkill.exe
4724	taskkill.exe
472	taskkill.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe
4396	FN.Rage loader.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	472	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4832	4396	FN.Rage loader.exe	82
PID 4396 wrote to memory of 4832	4396	FN.Rage loader.exe	82
PID 4396 wrote to memory of 1900	4396	FN.Rage loader.exe	83
PID 4396 wrote to memory of 1900	4396	FN.Rage loader.exe	83
PID 1900 wrote to memory of 4164	1900	cmd.exe	84
PID 1900 wrote to memory of 4164	1900	cmd.exe	84
PID 4396 wrote to memory of 4988	4396	FN.Rage loader.exe	86
PID 4396 wrote to memory of 4988	4396	FN.Rage loader.exe	86
PID 4988 wrote to memory of 752	4988	cmd.exe	87
PID 4988 wrote to memory of 752	4988	cmd.exe	87
PID 4396 wrote to memory of 3040	4396	FN.Rage loader.exe	88
PID 4396 wrote to memory of 3040	4396	FN.Rage loader.exe	88
PID 3040 wrote to memory of 1492	3040	cmd.exe	89
PID 3040 wrote to memory of 1492	3040	cmd.exe	89
PID 4396 wrote to memory of 2416	4396	FN.Rage loader.exe	90
PID 4396 wrote to memory of 2416	4396	FN.Rage loader.exe	90
PID 2416 wrote to memory of 1128	2416	cmd.exe	91
PID 2416 wrote to memory of 1128	2416	cmd.exe	91
PID 4396 wrote to memory of 2400	4396	FN.Rage loader.exe	93
PID 4396 wrote to memory of 2400	4396	FN.Rage loader.exe	93
PID 2400 wrote to memory of 4728	2400	cmd.exe	94
PID 2400 wrote to memory of 4728	2400	cmd.exe	94
PID 4396 wrote to memory of 4984	4396	FN.Rage loader.exe	95
PID 4396 wrote to memory of 4984	4396	FN.Rage loader.exe	95
PID 4984 wrote to memory of 2216	4984	cmd.exe	96
PID 4984 wrote to memory of 2216	4984	cmd.exe	96
PID 4396 wrote to memory of 5100	4396	FN.Rage loader.exe	97
PID 4396 wrote to memory of 5100	4396	FN.Rage loader.exe	97
PID 4396 wrote to memory of 2440	4396	FN.Rage loader.exe	98
PID 4396 wrote to memory of 2440	4396	FN.Rage loader.exe	98
PID 4396 wrote to memory of 1056	4396	FN.Rage loader.exe	99
PID 4396 wrote to memory of 1056	4396	FN.Rage loader.exe	99
PID 4396 wrote to memory of 4320	4396	FN.Rage loader.exe	100
PID 4396 wrote to memory of 4320	4396	FN.Rage loader.exe	100
PID 4396 wrote to memory of 4920	4396	FN.Rage loader.exe	101
PID 4396 wrote to memory of 4920	4396	FN.Rage loader.exe	101
PID 4396 wrote to memory of 776	4396	FN.Rage loader.exe	102
PID 4396 wrote to memory of 776	4396	FN.Rage loader.exe	102
PID 4396 wrote to memory of 3848	4396	FN.Rage loader.exe	103
PID 4396 wrote to memory of 3848	4396	FN.Rage loader.exe	103
PID 4320 wrote to memory of 900	4320	cmd.exe	104
PID 4320 wrote to memory of 900	4320	cmd.exe	104
PID 2440 wrote to memory of 1892	2440	cmd.exe	105
PID 2440 wrote to memory of 1892	2440	cmd.exe	105
PID 3848 wrote to memory of 1204	3848	cmd.exe	106
PID 3848 wrote to memory of 1204	3848	cmd.exe	106
PID 3848 wrote to memory of 2784	3848	cmd.exe	107
PID 3848 wrote to memory of 2784	3848	cmd.exe	107
PID 3848 wrote to memory of 2212	3848	cmd.exe	108
PID 3848 wrote to memory of 2212	3848	cmd.exe	108
PID 5100 wrote to memory of 108	5100	cmd.exe	109
PID 5100 wrote to memory of 108	5100	cmd.exe	109
PID 4920 wrote to memory of 2196	4920	cmd.exe	110
PID 4920 wrote to memory of 2196	4920	cmd.exe	110
PID 1056 wrote to memory of 1628	1056	cmd.exe	111
PID 1056 wrote to memory of 1628	1056	cmd.exe	111
PID 4396 wrote to memory of 844	4396	FN.Rage loader.exe	112
PID 4396 wrote to memory of 844	4396	FN.Rage loader.exe	112
PID 4396 wrote to memory of 1792	4396	FN.Rage loader.exe	113
PID 4396 wrote to memory of 1792	4396	FN.Rage loader.exe	113
PID 4396 wrote to memory of 4512	4396	FN.Rage loader.exe	114
PID 4396 wrote to memory of 4512	4396	FN.Rage loader.exe	114
PID 4396 wrote to memory of 1572	4396	FN.Rage loader.exe	115
PID 4396 wrote to memory of 1572	4396	FN.Rage loader.exe	115

C:\Users\Admin\AppData\Local\Temp\FN.Rage loader.exe
"C:\Users\Admin\AppData\Local\Temp\FN.Rage loader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 05
  2⤵
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\FN.Rage loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\FN.Rage loader.exe" MD5
    3⤵
    PID:1204
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2784
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2212
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4512
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1572
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:4264
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:2868
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2152
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4504
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1488
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3984
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:5068
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
  2⤵
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /IM HTTPDebuggerSvc.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  2⤵
  PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1756