c416db4cda367c4e1f8d45bc3e308bcfde7e958bdd8029d92e31599e0d764dd1

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FanControl.exe
Size

1.3MB
MD5

9b94d3f94fae042147cbe5dc8009370f
SHA1

3116e6fa60f5cd0d580ff748d6ae0499e7534ff2
SHA256

6d99e5b8af7bd2312f7d3aa2e42514ceb40ed3203dfc669558e8d5d0879c724b
SHA512

1ee4b0a0d5a5eee964f20f875b6c0254086b4ac2925e47be64e943e4bff97be2b536ebb787dd9390160649ccda6a29f3134800901880458c407695186c5dab71
SSDEEP

6144:ny2M4ziRCIr+bDy/oUMs2p+pGv1xPGUD5p7aQNwul3k8+uiOiK6kU2SPSC5rII2e:ny2M/CIr+bG/oE2cI/uUjtNu/rf/3pP

Score

7^/10

bootkit persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FanControl.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	FanControl.exe
File opened for modification	\??\PhysicalDrive0	FanControl.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Colors	FanControl.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\Has7.0.1Fix = "1"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FanControl.exe\" -ToastActivated"	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\RunAs = "Interactive User"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\AppUserModelId	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\DisplayName = "FanControl"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\C48E82A6-F8B9-97B5-BC51-5BCDBF007452\\Icon.png"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FanControl.exe\" -ToastActivated"	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\AppId = "{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\IconBackgroundColor = "FFDDDDDD"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\CustomActivator = "{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID	FanControl.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	FanControl.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe
1320	FanControl.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FanControl.exe
"C:\Users\Admin\AppData\Local\Temp\FanControl.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-0-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

Filesize
8KB

Download
memory/1320-1-0x00000133FDA80000-0x00000133FDBE0000-memory.dmp

Filesize
1.4MB

Download
memory/1320-2-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-3-0x0000013400980000-0x00000134012FC000-memory.dmp

Filesize
9.5MB

Download
memory/1320-4-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-5-0x00000133FF7A0000-0x00000133FF7F4000-memory.dmp

Filesize
336KB

Download
memory/1320-6-0x00000133FDFC0000-0x00000133FDFE8000-memory.dmp

Filesize
160KB

Download
memory/1320-7-0x00000133FFEA0000-0x00000133FFF02000-memory.dmp

Filesize
392KB

Download
memory/1320-8-0x00000133FF810000-0x00000133FF82A000-memory.dmp

Filesize
104KB

Download
memory/1320-9-0x00000133FDFA0000-0x00000133FDFAA000-memory.dmp

Filesize
40KB

Download
memory/1320-10-0x00000133FDFB0000-0x00000133FDFBA000-memory.dmp

Filesize
40KB

Download
memory/1320-12-0x00000133FF840000-0x00000133FF84E000-memory.dmp

Filesize
56KB

Download
memory/1320-11-0x00000133FF830000-0x00000133FF838000-memory.dmp

Filesize
32KB

Download
memory/1320-13-0x00000133FFE30000-0x00000133FFE44000-memory.dmp

Filesize
80KB

Download
memory/1320-14-0x0000013400000000-0x000001340007E000-memory.dmp

Filesize
504KB

Download
memory/1320-15-0x0000013400080000-0x00000134000F8000-memory.dmp

Filesize
480KB

Download
memory/1320-16-0x00000133FFE50000-0x00000133FFE68000-memory.dmp

Filesize
96KB

Download
memory/1320-17-0x0000013400100000-0x00000134001B2000-memory.dmp

Filesize
712KB

Download
memory/1320-18-0x00000133FF850000-0x00000133FF858000-memory.dmp

Filesize
32KB

Download
memory/1320-19-0x00000133FFF10000-0x00000133FFF32000-memory.dmp

Filesize
136KB

Download
memory/1320-20-0x00000133FFF80000-0x00000133FFFB2000-memory.dmp

Filesize
200KB

Download
memory/1320-21-0x0000013400210000-0x000001340025A000-memory.dmp

Filesize
296KB

Download
memory/1320-22-0x00000133FFF40000-0x00000133FFF6C000-memory.dmp

Filesize
176KB

Download
memory/1320-23-0x00000133FF870000-0x00000133FF87A000-memory.dmp

Filesize
40KB

Download
memory/1320-24-0x00000134001C0000-0x00000134001E6000-memory.dmp

Filesize
152KB

Download
memory/1320-26-0x00000133FF880000-0x00000133FF888000-memory.dmp

Filesize
32KB

Download
memory/1320-27-0x0000013400620000-0x00000134006D4000-memory.dmp

Filesize
720KB

Download
memory/1320-28-0x0000013400290000-0x00000134002B8000-memory.dmp

Filesize
160KB

Download
memory/1320-29-0x0000013400560000-0x00000134005D8000-memory.dmp

Filesize
480KB

Download
memory/1320-30-0x0000013400400000-0x0000013400438000-memory.dmp

Filesize
224KB

Download
memory/1320-32-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-34-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-35-0x0000013400440000-0x0000013400472000-memory.dmp

Filesize
200KB

Download
memory/1320-36-0x00000134007A0000-0x000001340085A000-memory.dmp

Filesize
744KB

Download
memory/1320-37-0x00000133FFFE0000-0x00000133FFFFC000-memory.dmp

Filesize
112KB

Download
memory/1320-38-0x00000134001F0000-0x0000013400210000-memory.dmp

Filesize
128KB

Download
memory/1320-39-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-40-0x00000133FFE70000-0x00000133FFE78000-memory.dmp

Filesize
32KB

Download
memory/1320-41-0x00000134002C0000-0x00000134002DE000-memory.dmp

Filesize
120KB

Download
memory/1320-42-0x00000133FFE80000-0x00000133FFE88000-memory.dmp

Filesize
32KB

Download
memory/1320-43-0x00000133FFE90000-0x00000133FFE98000-memory.dmp

Filesize
32KB

Download
memory/1320-44-0x00000134005E0000-0x0000013400618000-memory.dmp

Filesize
224KB

Download
memory/1320-45-0x00000133FFF70000-0x00000133FFF7E000-memory.dmp

Filesize
56KB

Download
memory/1320-46-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

Filesize
8KB

Download
memory/1320-47-0x0000013401300000-0x000001340140C000-memory.dmp

Filesize
1.0MB

Download
memory/1320-48-0x00000134002E0000-0x00000134002EC000-memory.dmp

Filesize
48KB

Download
memory/1320-50-0x0000013400860000-0x0000013400906000-memory.dmp

Filesize
664KB

Download
memory/1320-49-0x00000134002F0000-0x00000134002FE000-memory.dmp

Filesize
56KB

Download
memory/1320-51-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-52-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-53-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-54-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-55-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-58-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-63-0x0000013400740000-0x0000013400798000-memory.dmp

Filesize
352KB

Download
memory/1320-67-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download
memory/1320-68-0x0000013400910000-0x000001340094E000-memory.dmp

Filesize
248KB

Download
memory/1320-70-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads