6e9cab5ac9495c9799c87056bdf570dc36a2e03eab08703ed659cc7b8b35ac12

General

Target

FOXAUTO V8/FoxAutoV8.exe
Size

17.1MB
MD5

1d54a576355df6926a7a2ef43a91b316
SHA1

26d9f73ceebb6e790d767d51921962e4eac9f8c8
SHA256

96d5de118289d25d3b8fbacf542ec7357d3a6aae61f8c953a07347654bc4ebc2
SHA512

67da0b995839413eef70247202c727e29c8635da21e234dbaf50ebc2311cabd86ff8931471811dc49b4e4eeafba79f1662cdc4281da51405ef97debf7e4bdf23
SSDEEP

393216:m3szf490qL2Vmd6m5FTodIn+LH/+zVbJR6f5zCbrZDBXRFq9Lgi0Gyu:m3szfm0qyVmdjTbJR6f5CHZDBXPq9Lg2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2400	Setup.exe
1988	Setup.exe
2916	FoxAutoV8 .exe
2680	svchost.exe
2736	svchost.exe
2920	FoxAutoV8 .exe

Loads dropped DLL 4 IoCs

pid	Process
1460	FoxAutoV8.exe
2300	Process not Found
2916	FoxAutoV8 .exe
2920	FoxAutoV8 .exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000016da3-14.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	svchost.exe
Token: SeDebugPrivilege	2736	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2400	1460	FoxAutoV8.exe	30
PID 1460 wrote to memory of 2400	1460	FoxAutoV8.exe	30
PID 1460 wrote to memory of 2400	1460	FoxAutoV8.exe	30
PID 1460 wrote to memory of 1988	1460	FoxAutoV8.exe	31
PID 1460 wrote to memory of 1988	1460	FoxAutoV8.exe	31
PID 1460 wrote to memory of 1988	1460	FoxAutoV8.exe	31
PID 1460 wrote to memory of 2916	1460	FoxAutoV8.exe	32
PID 1460 wrote to memory of 2916	1460	FoxAutoV8.exe	32
PID 1460 wrote to memory of 2916	1460	FoxAutoV8.exe	32
PID 1988 wrote to memory of 2736	1988	Setup.exe	34
PID 1988 wrote to memory of 2736	1988	Setup.exe	34
PID 1988 wrote to memory of 2736	1988	Setup.exe	34
PID 2400 wrote to memory of 2680	2400	Setup.exe	35
PID 2400 wrote to memory of 2680	2400	Setup.exe	35
PID 2400 wrote to memory of 2680	2400	Setup.exe	35
PID 2916 wrote to memory of 2920	2916	FoxAutoV8 .exe	36
PID 2916 wrote to memory of 2920	2916	FoxAutoV8 .exe	36
PID 2916 wrote to memory of 2920	2916	FoxAutoV8 .exe	36

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe
"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
  "C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
    "C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
461KB

MD5
ee76425b767c9ab812a53c133b8363f8

SHA1
1daa4700a5f1849eb7e810986ac24bd58786da61

SHA256
f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747

SHA512
004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29162\python310.dll

Filesize
4.2MB

MD5
7e45e4d723e4775f6e26628315f370ad

SHA1
76a8104c5d073c6f7619872426d440bcabd18bb9

SHA256
7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882

SHA512
4e11316ebbf6af953dcf991148cca98a155d48d4f8b5ee068f2bc7a56aa14c8a7661d52ecce9bc3c4aa5495868503b81010d81c4fe3a15fa789f13ce081c82fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
319KB

MD5
794d834f4a9a70041b3cad4d0002030f

SHA1
facc1ed8ade82799866c8414406d80549c190a9b

SHA256
2ee18c24d8d7d58e740e3b12b8eacb747d2deb2139db95c4c9bb40930b40911b

SHA512
2b1a9d2a423c4ed1365b960fd706346620af4820312f67a177cf399bbf81d38acaf49830d21d3b7822072a2b1de08c028ca0855414ef7d0a53853d099736f565

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
325KB

MD5
f36e535fdc82208fca08acfa44f790c6

SHA1
a3cc1aa7d614094faebada2aed1e6c519bd18c94

SHA256
51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc

SHA512
631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

Filesize
275KB

MD5
d64c44bbca049d3f19402c195840c33f

SHA1
cd7b0eff352490ad82953ee5cb1314d1a5e6311d

SHA256
f6533a93d1fe59bfe49976a24c0c828ade9981d5e94d7882f2460b533c8c3843

SHA512
de7a1e074ee5dc56e1f01112a5f613dcd2ce1dfd1d7e72d464b46789e750eb286f79d5c4d801984239a4505314ab0221d1bb62d08ddc7961c34cd466b558780b

Download Submit
\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

Filesize
16.6MB

MD5
0f2eea5fa223ff94ac2027f4c6c2d851

SHA1
83ebd61a8e21967c94a34a72926b641c5c07c321

SHA256
5bd88a3dc2360e1ea8dc2a5023a65b6fb59c81f3befebbb20c58ada689ecba84

SHA512
638f40fc75cf5bcd46a8a403b1c5aec8c4d4b64eea2e57d1123a2eb4e42abbee8f8ed621d61fe463e43074591f659181e7b9fbb382833abc30b01fad6b59996a

Download Submit
memory/1460-1-0x00000000002D0000-0x00000000013EA000-memory.dmp

Filesize
17.1MB

Download
memory/1460-0-0x000007FEF5F73000-0x000007FEF5F74000-memory.dmp

Filesize
4KB

Download
memory/1988-22-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/2400-10-0x0000000000E90000-0x0000000000F08000-memory.dmp

Filesize
480KB

Download
memory/2400-81-0x000007FEF5F70000-0x000007FEF695C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-54-0x00000000011C0000-0x0000000001216000-memory.dmp

Filesize
344KB

Download
memory/2680-60-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads