79e4d9441a7cef75238ceb7ded0fb18b3167541d6657beefbc013365736cd258

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5FOV-Release.exe
Size

1.1MB
MD5

265ce24d394c77f43e36d6bbdcfec6c4
SHA1

9a6cec2a60016fd830729956f11665bec6f8da8c
SHA256

78ee03375ccaa26cbaaf80ff81713e3e98c573dfc1f3c0c87ba286863e980f5f
SHA512

f66b194d3b8c68310e62e3777e22f3bbc8d46b9da9e6a82460af1b8f245a5d048822b5f84d5b37b872f77e3c8adc3ab9efbf563e4f555e65c748226529870d70
SSDEEP

12288:U7yY1x8bUNCjB0AcKK8Rcyar+/DJtr+03UqJfagOmmfdMOD8fQE707I4:U7y+NdAcKK8q+bJtr+Q/O7iOwQ0G

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LIbcPKYTmGjhEmdUNCgHE\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\LIbcPKYTmGjhEmdUNCgHE"	5FOV-Release.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2244	5FOV-Release.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5080	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2244	5FOV-Release.exe
2244	5FOV-Release.exe
3732	msedge.exe
3732	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5080	vlc.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2244	5FOV-Release.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2244	5FOV-Release.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5080	vlc.exe
5080	vlc.exe
5080	vlc.exe
5080	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5080	vlc.exe
5080	vlc.exe
5080	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5080	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3396	2244	5FOV-Release.exe	85
PID 2244 wrote to memory of 3396	2244	5FOV-Release.exe	85
PID 2944 wrote to memory of 1964	2944	msedge.exe	116
PID 2944 wrote to memory of 1964	2944	msedge.exe	116
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 1412	2944	msedge.exe	117
PID 2944 wrote to memory of 3732	2944	msedge.exe	118
PID 2944 wrote to memory of 3732	2944	msedge.exe	118
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119
PID 2944 wrote to memory of 4924	2944	msedge.exe	119

C:\Users\Admin\AppData\Local\Temp\5FOV-Release.exe
"C:\Users\Admin\AppData\Local\Temp\5FOV-Release.exe"
1⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color a
  2⤵
  PID:3396

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DismountConfirm.wav"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultabefc062h17dah4093hbdd1h3754cb741505
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa68a946f8,0x7ffa68a94708,0x7ffa68a94718
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,16206884244486039257,10063416701304793063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,16206884244486039257,10063416701304793063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,16206884244486039257,10063416701304793063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9c310df8-3463-4e5f-9964-81db75a19446.tmp

Filesize
8KB

MD5
50751bdd27bf87b85d46ee7708a0373d

SHA1
a1ed41259152056aeec612c7eb05d8583a7195dc

SHA256
990c2619ec3735a7ce200c17e51665345719aaa4216dd6c42fbeb6cc4610ef3d

SHA512
610e85cbdcf6a7cecaffebfb57c6be390656c2574283997d5dd4ee9b3af89c91c347afdfaf05ef74c0bda5a93433ad1dc5faf57db30e49579ca5dcbf2857d023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eeb90ffb-853b-484d-a35f-1a84c1b22128.tmp

Filesize
5KB

MD5
4c8d3eb6f56b21a8ddeb1957c422a9eb

SHA1
103e668db09c531f093f408664c0c2faa49385b1

SHA256
c7e7a3e405febd56410c5716ae70a9b822c2016bbd6d774622c30ea7de93b6cd

SHA512
ead37ddc1c3ffe0a3d2c0a660bb7b74c804bf18516a8b8257423060dc86df745af904ae8b3426f4ea476724e2b02c819e3ef032db3b26c7338e47d5261cd1713

Download Submit
memory/2244-13-0x00007FFA6BEF9000-0x00007FFA6C568000-memory.dmp

Filesize
6.4MB

Download
memory/2244-22-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-4-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-3-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-8-0x0000016EB9D50000-0x0000016EB9D53000-memory.dmp

Filesize
12KB

Download
memory/2244-9-0x00007FFA6BEF9000-0x00007FFA6C568000-memory.dmp

Filesize
6.4MB

Download
memory/2244-10-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-12-0x0000016EBB650000-0x0000016EBB699000-memory.dmp

Filesize
292KB

Download
memory/2244-1-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-16-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-18-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-6-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-23-0x00007FFA6BEF9000-0x00007FFA6C568000-memory.dmp

Filesize
6.4MB

Download
memory/2244-5-0x0000016EBB650000-0x0000016EBB699000-memory.dmp

Filesize
292KB

Download
memory/2244-7-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-0-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/2244-2-0x00007FFA6BBB0000-0x00007FFA6C585000-memory.dmp

Filesize
9.8MB

Download
memory/5080-34-0x00007FFA68940000-0x00007FFA699F0000-memory.dmp

Filesize
16.7MB

Download
memory/5080-33-0x00007FFA6C0B0000-0x00007FFA6C366000-memory.dmp

Filesize
2.7MB

Download
memory/5080-31-0x00007FF759660000-0x00007FF759758000-memory.dmp

Filesize
992KB

Download
memory/5080-32-0x00007FFA7EE90000-0x00007FFA7EEC4000-memory.dmp

Filesize
208KB

Download