3b5553d1fa7f0d92293b3a43e5ef992581b0492c27768c7648c172908189c8fd

Analysis

max time kernel
37s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fniarebooteddemo.exe
Size

258.2MB
MD5

f444fb2fc0f77840ed7bc87dc8fbd091
SHA1

630daca8ae307fb3fe3d2831e15e22efe0e94ac5
SHA256

3b5553d1fa7f0d92293b3a43e5ef992581b0492c27768c7648c172908189c8fd
SHA512

27d2f7f102629dff3c541be1dad1d84c0de0bec2eb130079ca4a2b3e2850f7089e237ad48a9e954fbf0f3ad82701dd64afa78adba16a88b0195eca7f6b2c4e95
SSDEEP

6291456:KPE7PWm3RT7ge3IZ9QoKQbGhkdAqawh4uqocp:KPs3geIrQoKgdAqawh4Rocp

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe
2440	fniarebooteddemo.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fniarebooteddemo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5092	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\fniarebooteddemo.exe
"C:\Users\Admin\AppData\Local\Temp\fniarebooteddemo.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\Easing.mfx

Filesize
341KB

MD5
3920bb2225392a9c9fff0341d5629fb1

SHA1
f343ea16abbca4719fef5ff1dfa0847032ca9b96

SHA256
2005746083dbf962c0d22eda7a09ca065429f3d3f282129cc6c8b7295535ee75

SHA512
c162265eb220daaa36b478235f1ea8f1e6565a25584b568444fa89a59f1c3aa3778312fcb866a95fb320f1fc832045feff62ef7d8dac4ae4d79b9631a0094f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\Perspective.mfx

Filesize
15KB

MD5
9f064bdcb066daa428db0ed9e33e785d

SHA1
3c0df73cf247ce49d1010fe0e2f722424fe43f4f

SHA256
090925a4cd961f22b1ecd2fba4ce04ab063e26507a1dc09b1d6a40c4860a8777

SHA512
4a510ce13c379e8cb5ccb9f9c69e28e9440f48156c8c4c1fef6987495cace7c028d45530ac961f47786e8f503f90c54310cb1ccf43d7fd584506461c1bd616d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\cctrans.dll

Filesize
141KB

MD5
ce3a36f85d2ea504b6d19c5f366c3f47

SHA1
972629c730b65c17ac2c751aafeb612d0c7432f2

SHA256
55e75e784e436cccd978192fba869656f879f0f126e99b375c3849c99872ec56

SHA512
c6df293b4373552c3165ac27f2070973a8278bc72001a8c10f300ea30699a03811dc6a84864ff22aaa2b35d1ec75d41ceb2a8fee85b5404d4a5bbfd8333f248c

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\fontembed.mfx

Filesize
15KB

MD5
f38352c344bd71eb21a78a1b69dcade8

SHA1
eca1053fa4ce77f96752f400d4ffac8f2f158d15

SHA256
38b5dba1524e47ff474d29bb0fb3d7b0476e554cdb82f2de09c4a761ab5645b1

SHA512
70134d7e2d4c589fc3ca5c52e005852d07e6b3cce91db00d32bf121611480601d007ead98c3e2febfdd1ca03a0c723fa46e9b73c0f497b315a6cdcb9f15afd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\mmf2d3d9.dll

Filesize
1.1MB

MD5
72bb9180f8905c0da95566b778cdac5e

SHA1
e96145e8120514092b35f67f1f120b958997f921

SHA256
3cde7a9181ab63a42cd3535d279d0ab1397b7b78fa3ddddef832757ab2024101

SHA512
c2c8d8c74c53a78545e69f27a7fe1a6d1291888158962e93e16e6ec9950f86e74c68bd2eb50d04db0bff58e8dc93455aa384245991c5afe34abee36fef53710f

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\mmfs2.dll

Filesize
510KB

MD5
1e0e5acec2f2d3567c40491e39aa8f50

SHA1
101ec3bbd32c005b12b38c0f7988faa9329a019f

SHA256
6c9ff6036404e71b0bc2c12bc739eeef0d9200925f5796487af2aa4ef5c5ef97

SHA512
80bbdd2dcc44494a53b14098b7e99db7c20b40650938454105b423e70906ad7371274ed73d3fccd114b9396112a695aebf37f6916976a972154cd562d10e01de

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\mp3flt.sft

Filesize
24KB

MD5
dadc138be9d36e6e4b8e4bf9ef2de4bc

SHA1
2758db786c544ec7889f26edf9bc4634c9240af0

SHA256
ddeafda7b28bf7545e3ba164aa4a74219eb961c36bb974e0f5085a07daf18f44

SHA512
63a21c5eda225c7fb8a67595c3180d4fdc1bc37d3b45f839e1b562ef946bf5b2237a9ff17c3f6f5de489779bbb9652ac2a1a74b83f153883bd436756acf249e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d5c33b-5fc7-43db-b3e5-9edd126e972a.FusionApp\waveflt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
memory/2440-22-0x0000000002360000-0x00000000023B9000-memory.dmp

Filesize
356KB

Download