Analysis
- max time kernel: 117s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17/11/2024, 03:29
Static task: static1

Behavioral task: behavioral1
- Sample: drive-download-20241117T030056Z-001.zip
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: drive-download-20241117T030056Z-001.zip
- Resource: win10v2004-20241007-en

Behavioral task: behavioral3
- Sample: BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe
- Resource: win7-20241010-en

Behavioral task: behavioral4
- Sample: BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe
- Resource: win10v2004-20241007-en

Behavioral task: behavioral5
- Sample: Custom Hud By DANI YT.png
- Resource: win7-20240903-en

Behavioral task: behavioral6
- Sample: Custom Hud By DANI YT.png
- Resource: win10v2004-20241007-en

Behavioral task: behavioral7
- Sample: FREEFIRE V7A DANI YT.zip
- Resource: win7-20240729-en

Behavioral task: behavioral8
- Sample: FREEFIRE V7A DANI YT.zip
- Resource: win10v2004-20241007-en

Behavioral task: behavioral9
- Sample: Android/obb/com.dts.freefireth/main.2019117682.com.dts.freefireth.jar
- Resource: win7-20240903-en

Behavioral task: behavioral10
- Sample: Android/obb/com.dts.freefireth/main.2019117682.com.dts.freefireth.jar
- Resource: win10v2004-20241007-en

Behavioral task: behavioral11
- Sample: com.dts.freefireth.apk
- Resource: android-x86-arm-20240624-en

Behavioral task: behavioral12
- Sample: icon.png
- Resource: win7-20240903-en

Behavioral task: behavioral13
- Sample: icon.png
- Resource: win10v2004-20241007-en

Behavioral task: behavioral14
- Sample: manifest.json
- Resource: win7-20240903-en

Behavioral task: behavioral15
- Sample: manifest.json
- Resource: win10v2004-20241007-en

Behavioral task: behavioral16
- Sample: com.dts.freefireth.cfg
- Resource: win7-20240903-en

Behavioral task: behavioral17
- Sample: com.dts.freefireth.cfg
- Resource: win10v2004-20241007-en
General
- Target: manifest.json
- Size: 1KB
- MD5: e1ee4de15f98b2a071d56c3c33c6447a
- SHA1: bff531fbedaeded2512ed22111e448c16dab1b20
- SHA256: 6f393ca0f4a831e573cf6904c4bcbc892dcc827d2bf202864da8b0820224caf9
- SHA512: ef2d4e3df0d9256710485c1fce1312d28cd9fd05de28c03ad5b890bbcf499421d4eec6830c4f67cdf38624f6b20cd2b53788edc3d447d84eb39e589587f1ce74
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: AcroRd32.exe
- Modifies registry class (1 IoCs)
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | Process: rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 2720 | Process: AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2720 | Process: AcroRd32.exe
  pid: 2720 | Process: AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2252 wrote to memory of 2432 | pid: 2252 | Process: cmd.exe | procid_target: 32
  description: PID 2252 wrote to memory of 2432 | pid: 2252 | Process: cmd.exe | procid_target: 32
  description: PID 2252 wrote to memory of 2432 | pid: 2252 | Process: cmd.exe | procid_target: 32
  description: PID 2432 wrote to memory of 2720 | pid: 2432 | Process: rundll32.exe | procid_target: 33
  description: PID 2432 wrote to memory of 2720 | pid: 2432 | Process: rundll32.exe | procid_target: 33
  description: PID 2432 wrote to memory of 2720 | pid: 2432 | Process: rundll32.exe | procid_target: 33
  description: PID 2432 wrote to memory of 2720 | pid: 2432 | Process: rundll32.exe | procid_target: 33
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\manifest.json
  - Suspicious use of WriteProcessMemory
  PID: 2252
  - C:\Windows\system32\rundll32.exe (depth 2)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\manifest.json
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2432
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\manifest.json"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 34f601e66cdc124020e7fa8bba6cf136
  SHA1: 990715914341010547e2805d74e8ba35452668f1
  SHA256: 790d99fa06f27b0d128934f6cd7346dd254cfcb9647c4d20e150e6a868b7669e
  SHA512: 15ba80e16498e021b398c53607546159a646f2f870c0026eda462f1958f16986e84b28a8205e34f5a0fa8ed22cf8a5164dc148e64604e617984d9562912440af