Overview

overview

10

Static

static

3

SchooisMul...up.exe

windows7-x64

7

SchooisMul...up.exe

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Files/Apps/7z.bat

windows7-x64

10

Files/Apps/7z.bat

windows10-2004-x64

8

Files/Apps...F4.bat

windows7-x64

8

Files/Apps...F4.bat

windows10-2004-x64

8

Files/Apps/bts.bat

windows7-x64

3

Files/Apps/bts.bat

windows10-2004-x64

8

Files/Apps/chrome.bat

windows7-x64

6

Files/Apps/chrome.bat

windows10-2004-x64

8

Files/Apps/ctt.bat

windows7-x64

3

Files/Apps/ctt.bat

windows10-2004-x64

8

Files/Apps...ch.bat

windows7-x64

6

Files/Apps...ch.bat

windows10-2004-x64

8

Files/Apps...ox.bat

windows7-x64

1

Files/Apps...ox.bat

windows10-2004-x64

8

Files/Apps/flux.bat

windows7-x64

3

Files/Apps/flux.bat

windows10-2004-x64

8

Files/Apps/geek.bat

windows7-x64

10

Files/Apps/geek.bat

windows10-2004-x64

10

Files/Apps/git.bat

windows7-x64

8

Files/Apps/git.bat

windows10-2004-x64

8

Files/Apps/logo.bat

windows7-x64

1

Files/Apps/logo.bat

windows10-2004-x64

1

Files/Apps/pcm.bat

windows7-x64

8

Files/Apps/pcm.bat

windows10-2004-x64

8

Files/Apps/ps7.bat

windows7-x64

10

Files/Apps/ps7.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Files/Apps/flux.bat

  • Size

    290B

  • MD5

    629667380059fb33d4933a722c139be3

  • SHA1

    a52944fdceef5368eaf140558066df825b35ea28

  • SHA256

    86d43de03fd141ad2180804577f817534f27cced767a8451b4804f47cc6037ee

  • SHA512

    ad474e7582751447067b002f2af3ab473d40087a3ce850551dbf2636887c3279aa58b57b930892585419e0df10e31deb42503bc787cb394df9dcea4ce1abed92

Score
8/10
discoveryexecutionpersistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\flux.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      2⤵
        PID:3236
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c chcp
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\system32\chcp.com
          chcp
          3⤵
            PID:4744
        • C:\Windows\system32\chcp.com
          chcp 65001
          2⤵
            PID:3548
          • C:\Windows\system32\chcp.com
            chcp 437
            2⤵
              PID:644
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "irm https://schooicodes.github.io/file_hosting/flux.ps1 | iex"
              2⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Users\Admin\AppData\Local\Temp\Files\Apps\flux-setup.exe
                "C:\Users\Admin\AppData\Local\Temp\Files\Apps\flux-setup.exe" /S
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:4480
          • C:\Users\Admin\AppData\Local\FluxSoftware\Flux\flux.exe
            "C:\Users\Admin\AppData\Local\FluxSoftware\Flux\flux.exe" /writeinstallversion
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:5068
          • C:\Users\Admin\AppData\Local\FluxSoftware\Flux\flux.exe
            "C:\Users\Admin\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
            1⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:4956

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\FluxSoftware\Flux\flux.exe
            Filesize

            1.5MB

            MD5

            036b38dd2f7d5991117cce7c9fc2fe8b

            SHA1

            9517c8b2778ddfe9322c80700daa43231067a5c0

            SHA256

            5dcaa7663eb0d46765c2ef259aaced8788f21545e15b748b13127072fe624034

            SHA512

            a202b3d3ba44cdff854ea03c90f997b05be976e7218d84a0116edebb1efd21995d19148d1e1c98b10bc4a03ae57971c1ec3a2502bd5d595b3783fdc616092e96

            Download Submit

          • C:\Users\Admin\AppData\Local\FluxSoftware\Flux\runtime\flux.preset.json
            Filesize

            998B

            MD5

            2f16cae7c448269ce98fc362f88a17b3

            SHA1

            720816a36c132a01e20d323a91b3ee0b5087bc3e

            SHA256

            115a1afa03d994fa848781cd5ccd237b1f1288f34315ee07cdb039553e94ba0b

            SHA512

            ebcdefb7c79a9da1edb17f2b9f4a98e07cc729440a59cb9eb169754771b9b909d2480de7fdf17a35d7730642da0a0f6f924ea0c5758c933afa6b6ca80e502de2

            Download Submit

          • C:\Users\Admin\AppData\Local\FluxSoftware\Flux\runtime\flux.psd
            Filesize

            253KB

            MD5

            3c85e1320ace8380c47c1d0a3c48be17

            SHA1

            9f4afdb52b09aa77163de3bd07dc3104fefdb06c

            SHA256

            54f5f2b622c0c1ce6b0041c332d8d49afa4a965550ce400bcb47a0b0497131bc

            SHA512

            41e8a49b29c713afd8441c7c607079f2c0136fb927cae87db6826bd2cc311ea10d0944a26affabe9e7f7da30ad22eb0a4a811ad87be53c7de23c76df67a8abcf

            Download Submit

          • C:\Users\Admin\AppData\Local\FluxSoftware\Flux\runtime\flux.tre
            Filesize

            4KB

            MD5

            834f1e49c1269098ec0a526306101367

            SHA1

            960e14c9a03da96938674c4c3cef0025ebd24c1c

            SHA256

            47593343875782e0790883394470bb32cbe8b81f0db6adf3cfdffd78988fb135

            SHA512

            8db710b24f89e65200ab5349dadfdecefb330c62cdb4672b51811273da3949a174039f8a45334020df91095dc7b84af5bcb173926ff6becf3517c2eed72e80e8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Files\Apps\flux-setup.exe
            Filesize

            670KB

            MD5

            ebf5b897e0e4b90143764fc39e0c5a21

            SHA1

            244eb29a512f1cc980bcfdc3bda2c62e1954c6d7

            SHA256

            b53390dba0e0c227341f3c688be3aef91455c4f926e6527af6ce1e4acf74a7b3

            SHA512

            94eaf96b9bb79b78cba358eb8613ff31c10cc820e54fa5a53f7da5287da7e6cb8eb73a7a4503c8714745c6715c42066f033ef059defaf700843644ea53eb7133

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrcdkt2t.ah2.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nss8893.tmp\ShellExecAsUser.dll
            Filesize

            7KB

            MD5

            86a81b9ab7de83aa01024593a03d1872

            SHA1

            8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be

            SHA256

            27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115

            SHA512

            cc37bd5d74d185077bdf6c4a974fb29922e3177e2c5971c664f46c057aad1236e6f3f856c5d82f1d677c29896f0e3e71283ef04f886db58abae151cb27c827ac

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nss8893.tmp\nsProcess.dll
            Filesize

            4KB

            MD5

            faa7f034b38e729a983965c04cc70fc1

            SHA1

            df8bda55b498976ea47d25d8a77539b049dab55e

            SHA256

            579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

            SHA512

            7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

            Download Submit

          • memory/2040-13-0x000002622E1F0000-0x000002622E3B2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2040-0-0x00007FFD50263000-0x00007FFD50265000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2040-12-0x00007FFD50260000-0x00007FFD50D21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2040-11-0x00007FFD50260000-0x00007FFD50D21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2040-57-0x00007FFD50260000-0x00007FFD50D21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2040-1-0x000002622DA70000-0x000002622DA92000-memory.dmp

            Filesize

            136KB

            Download