Overview
overview
10Static
static
10FalconV1.7...re.dll
windows7-x64
3FalconV1.7...re.dll
windows10-2004-x64
3FalconV1.7...re.dll
windows7-x64
3FalconV1.7...re.dll
windows10-2004-x64
3FalconV1.7...pf.dll
windows7-x64
3FalconV1.7...pf.dll
windows10-2004-x64
3FalconV1.7...rp.dll
windows7-x64
3FalconV1.7...rp.dll
windows10-2004-x64
3FalconV1.7...ent.js
windows7-x64
3FalconV1.7...ent.js
windows10-2004-x64
3FalconV1.7...ent.js
windows7-x64
3FalconV1.7...ent.js
windows10-2004-x64
3FalconV1.7...ons.js
windows7-x64
3FalconV1.7...ons.js
windows10-2004-x64
3FalconV1.7...lf.dll
windows7-x64
3FalconV1.7...lf.dll
windows10-2004-x64
3FalconV1.7...47.dll
windows10-2004-x64
3FalconV1.7/Falcon.exe
windows7-x64
7FalconV1.7/Falcon.exe
windows10-2004-x64
10FalconV1.7...ib.dll
windows7-x64
3FalconV1.7...ib.dll
windows10-2004-x64
3FalconV1.7...43.dll
windows7-x64
3FalconV1.7...43.dll
windows10-2004-x64
3FalconV1.7..._3.dll
windows7-x64
3FalconV1.7..._3.dll
windows10-2004-x64
3FalconV1.7...ode.js
windows7-x64
3FalconV1.7...ode.js
windows10-2004-x64
3FalconV1.7...ker.js
windows7-x64
3FalconV1.7...ker.js
windows10-2004-x64
3FalconV1.7...ode.js
windows7-x64
3FalconV1.7...ode.js
windows10-2004-x64
3FalconV1.7...ker.js
windows7-x64
3Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
31-08-2024 18:07
Behavioral task
behavioral1
Sample
FalconV1.7/Chrome Hook Function/CefSharp.BrowserSubprocess.Core.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
FalconV1.7/Chrome Hook Function/CefSharp.BrowserSubprocess.Core.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
FalconV1.7/Chrome Hook Function/CefSharp.Core.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
FalconV1.7/Chrome Hook Function/CefSharp.Core.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
FalconV1.7/Chrome Hook Function/CefSharp.Wpf.dll
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
FalconV1.7/Chrome Hook Function/CefSharp.Wpf.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
FalconV1.7/Chrome Hook Function/CefSharp.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
FalconV1.7/Chrome Hook Function/CefSharp.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
FalconV1.7/Chrome Hook Function/cef_100_percent.js
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
FalconV1.7/Chrome Hook Function/cef_100_percent.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
FalconV1.7/Chrome Hook Function/cef_200_percent.js
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
FalconV1.7/Chrome Hook Function/cef_200_percent.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
FalconV1.7/Chrome Hook Function/cef_extensions.js
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
FalconV1.7/Chrome Hook Function/cef_extensions.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
FalconV1.7/Chrome Hook Function/chrome_elf.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
FalconV1.7/Chrome Hook Function/chrome_elf.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
FalconV1.7/Chrome Hook Function/d3dcompiler_47.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral18
Sample
FalconV1.7/Falcon.exe
Resource
win7-20240729-en
Behavioral task
behavioral19
Sample
FalconV1.7/Falcon.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral20
Sample
FalconV1.7/SXL/sxlib.dll
Resource
win7-20240704-en
Behavioral task
behavioral21
Sample
FalconV1.7/SXL/sxlib.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral22
Sample
FalconV1.7/redis/D3DCompiler_43.dll
Resource
win7-20240704-en
Behavioral task
behavioral23
Sample
FalconV1.7/redis/D3DCompiler_43.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral24
Sample
FalconV1.7/redis/xinput1_3.dll
Resource
win7-20240708-en
Behavioral task
behavioral25
Sample
FalconV1.7/redis/xinput1_3.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral26
Sample
FalconV1.7/vs/language/css/cssMode.js
Resource
win7-20240704-en
Behavioral task
behavioral27
Sample
FalconV1.7/vs/language/css/cssMode.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral28
Sample
FalconV1.7/vs/language/css/cssWorker.js
Resource
win7-20240708-en
Behavioral task
behavioral29
Sample
FalconV1.7/vs/language/css/cssWorker.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral30
Sample
FalconV1.7/vs/language/html/htmlMode.js
Resource
win7-20240729-en
Behavioral task
behavioral31
Sample
FalconV1.7/vs/language/html/htmlMode.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral32
Sample
FalconV1.7/vs/language/html/htmlWorker.js
Resource
win7-20240704-en
General
-
Target
FalconV1.7/Falcon.exe
-
Size
2.1MB
-
MD5
005e76ae2d3af2cc2a001745d5e0afd9
-
SHA1
fa117b48f316b38db20887ba9b0138a07d686064
-
SHA256
a427b998ac966b5f8a4ec510205b075cfe7eaa102ac1d9e1ac0182a54cb33d2c
-
SHA512
2e5bb3e7d95230c012014184bb29ddbd56328fc8d63738ebf50923d5e86461d2f2511c32ca930d23eeec81b4a0d4ad54a4be0c782dfe01904a276a74636a1e8b
-
SSDEEP
49152:ftBEvg4rSx4YYKOvp+QoqkxR/NPmmRFyxGFrEN0FN63lSY:fQvg4G6YDxQoqkxBNPXmUylD
Malware Config
Extracted
bitrat
1.38
23.105.131.195:49645
-
communication_password
81dc9bdb52d04dc20036dbd8313ed055
-
tor_process
tor
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation Falcon.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 3 IoCs
pid Process 5924 Falcon.exe 4224 Falcon.exe 5952 Falcon.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntuser = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ntuser.exe\"" Falcon.exe -
pid Process 1540 powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 5952 Falcon.exe 5952 Falcon.exe 5952 Falcon.exe 5952 Falcon.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2688 set thread context of 5952 2688 Falcon.exe 98 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings Falcon.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 2688 Falcon.exe 1540 powershell.exe 1540 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2688 Falcon.exe Token: SeDebugPrivilege 1540 powershell.exe Token: SeShutdownPrivilege 5952 Falcon.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5952 Falcon.exe 5952 Falcon.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2688 wrote to memory of 1020 2688 Falcon.exe 94 PID 2688 wrote to memory of 1020 2688 Falcon.exe 94 PID 2688 wrote to memory of 1020 2688 Falcon.exe 94 PID 2688 wrote to memory of 5924 2688 Falcon.exe 95 PID 2688 wrote to memory of 5924 2688 Falcon.exe 95 PID 2688 wrote to memory of 5924 2688 Falcon.exe 95 PID 2688 wrote to memory of 4224 2688 Falcon.exe 96 PID 2688 wrote to memory of 4224 2688 Falcon.exe 96 PID 2688 wrote to memory of 4224 2688 Falcon.exe 96 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 1020 wrote to memory of 1540 1020 WScript.exe 97 PID 1020 wrote to memory of 1540 1020 WScript.exe 97 PID 1020 wrote to memory of 1540 1020 WScript.exe 97 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98 PID 2688 wrote to memory of 5952 2688 Falcon.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\FalconV1.7\Falcon.exe"C:\Users\Admin\AppData\Local\Temp\FalconV1.7\Falcon.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Lvzjypcn.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Ntuser.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
-
C:\Users\Admin\AppData\Local\Temp\Falcon.exeC:\Users\Admin\AppData\Local\Temp\Falcon.exe2⤵
- Executes dropped EXE
PID:5924
-
-
C:\Users\Admin\AppData\Local\Temp\Falcon.exeC:\Users\Admin\AppData\Local\Temp\Falcon.exe2⤵
- Executes dropped EXE
PID:4224
-
-
C:\Users\Admin\AppData\Local\Temp\Falcon.exeC:\Users\Admin\AppData\Local\Temp\Falcon.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5952
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5005e76ae2d3af2cc2a001745d5e0afd9
SHA1fa117b48f316b38db20887ba9b0138a07d686064
SHA256a427b998ac966b5f8a4ec510205b075cfe7eaa102ac1d9e1ac0182a54cb33d2c
SHA5122e5bb3e7d95230c012014184bb29ddbd56328fc8d63738ebf50923d5e86461d2f2511c32ca930d23eeec81b4a0d4ad54a4be0c782dfe01904a276a74636a1e8b
-
Filesize
136B
MD524131be6e84c424a31423a9daa683b01
SHA138ae56938aa4fd963f066287b4190c929388e074
SHA2561fe2a89a827cbe4ef046ca27f4d38c1ef1fbe889901f3946a4b7e1d4005cbde7
SHA5125e0cb79ec9ed8836570393060e0b0f55b1a1a0446922e988913ed4ea4d67567a3a04e7d3a77c73dce596bd0eae530d07f0d2cf0f9cdf6b96001e1737d158704f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82