c416db4cda367c4e1f8d45bc3e308bcfde7e958bdd8029d92e31599e0d764dd1

Analysis

max time kernel
210s
max time network
209s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-11-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FanControl.exe
Size

1.3MB
MD5

9b94d3f94fae042147cbe5dc8009370f
SHA1

3116e6fa60f5cd0d580ff748d6ae0499e7534ff2
SHA256

6d99e5b8af7bd2312f7d3aa2e42514ceb40ed3203dfc669558e8d5d0879c724b
SHA512

1ee4b0a0d5a5eee964f20f875b6c0254086b4ac2925e47be64e943e4bff97be2b536ebb787dd9390160649ccda6a29f3134800901880458c407695186c5dab71
SSDEEP

6144:ny2M4ziRCIr+bDy/oUMs2p+pGv1xPGUD5p7aQNwul3k8+uiOiK6kU2SPSC5rII2e:ny2M/CIr+bG/oE2cI/uUjtNu/rf/3pP

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FanControl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation	FanControl.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
16 raw.githubusercontent.com
Modifies Control Panel 1 IoCs
evasion

Processes:

FanControl.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors FanControl.exe

flow	ioc
15	raw.githubusercontent.com
16	raw.githubusercontent.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\Colors	FanControl.exe

Modifies registry class 17 IoCs

Processes:

FanControl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\DisplayName = "FanControl"	FanControl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\Has7.0.1Fix = "1"	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\AppId = "{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}"	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\RunAs = "Interactive User"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\AppUserModelId	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\CLSID	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\C48E82A6-F8B9-97B5-BC51-5BCDBF007452\\Icon.png"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\IconBackgroundColor = "FFDDDDDD"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\CustomActivator = "{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FanControl.exe\" -ToastActivated"	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FanControl.exe\" -ToastActivated"	FanControl.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

680
680
680
680
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FanControl.exe

description pid process

Token: SeDebugPrivilege 1984 FanControl.exe

pid	process
680
680
680
680

description	pid	process
Token: SeDebugPrivilege	1984	FanControl.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

FanControl.exe

pid	process
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

FanControl.exe

pid	process
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe
1984	FanControl.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FanControl.exe
"C:\Users\Admin\AppData\Local\Temp\FanControl.exe"
1⤵
- Checks computer location settings
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Configurations\userConfig.json

Filesize
1KB

MD5
02c5a6e51c24360e0f3d6d385999981c

SHA1
a7400fac953d93ec25cac6452af824941e83052e

SHA256
63a0ccd10f5ac73ef2b19d91b8d282ac7da6e413f40cb17ef6f1e6289b11ff69

SHA512
3bf4e5cfbcb54436760cd5ecc113b25ab79e89374ae8af42305ca59deb9d0d79b77b985668447e1670d85bda0891a166a790e91b6d360516ac8329ac62950ab6

Download Submit
memory/1984-0-0x00007FF880903000-0x00007FF880905000-memory.dmp

Filesize
8KB

Download
memory/1984-1-0x000001F0D3280000-0x000001F0D33E0000-memory.dmp

Filesize
1.4MB

Download
memory/1984-2-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-3-0x000001F0EFCD0000-0x000001F0F064C000-memory.dmp

Filesize
9.5MB

Download
memory/1984-4-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-5-0x000001F0ED9B0000-0x000001F0EDA04000-memory.dmp

Filesize
336KB

Download
memory/1984-6-0x000001F0ED980000-0x000001F0ED9A8000-memory.dmp

Filesize
160KB

Download
memory/1984-9-0x000001F0D51C0000-0x000001F0D51CA000-memory.dmp

Filesize
40KB

Download
memory/1984-12-0x000001F0EDA30000-0x000001F0EDA3E000-memory.dmp

Filesize
56KB

Download
memory/1984-13-0x000001F0EF1A0000-0x000001F0EF1B4000-memory.dmp

Filesize
80KB

Download
memory/1984-15-0x000001F0EF3D0000-0x000001F0EF448000-memory.dmp

Filesize
480KB

Download
memory/1984-16-0x000001F0EF260000-0x000001F0EF278000-memory.dmp

Filesize
96KB

Download
memory/1984-17-0x000001F0EF450000-0x000001F0EF502000-memory.dmp

Filesize
712KB

Download
memory/1984-18-0x000001F0EDA20000-0x000001F0EDA28000-memory.dmp

Filesize
32KB

Download
memory/1984-14-0x000001F0EF350000-0x000001F0EF3CE000-memory.dmp

Filesize
504KB

Download
memory/1984-19-0x000001F0EF280000-0x000001F0EF2A2000-memory.dmp

Filesize
136KB

Download
memory/1984-11-0x000001F0EDA10000-0x000001F0EDA18000-memory.dmp

Filesize
32KB

Download
memory/1984-10-0x000001F0ED970000-0x000001F0ED97A000-memory.dmp

Filesize
40KB

Download
memory/1984-8-0x000001F0ED950000-0x000001F0ED96A000-memory.dmp

Filesize
104KB

Download
memory/1984-7-0x000001F0EF1F0000-0x000001F0EF252000-memory.dmp

Filesize
392KB

Download
memory/1984-20-0x000001F0EF2F0000-0x000001F0EF322000-memory.dmp

Filesize
200KB

Download
memory/1984-21-0x000001F0EF560000-0x000001F0EF5AA000-memory.dmp

Filesize
296KB

Download
memory/1984-22-0x000001F0EF2B0000-0x000001F0EF2DC000-memory.dmp

Filesize
176KB

Download
memory/1984-23-0x000001F0EF190000-0x000001F0EF19A000-memory.dmp

Filesize
40KB

Download
memory/1984-24-0x000001F0EF530000-0x000001F0EF556000-memory.dmp

Filesize
152KB

Download
memory/1984-26-0x000001F0EF600000-0x000001F0EF608000-memory.dmp

Filesize
32KB

Download
memory/1984-27-0x000001F0EFBE0000-0x000001F0EFC94000-memory.dmp

Filesize
720KB

Download
memory/1984-28-0x000001F0EF650000-0x000001F0EF678000-memory.dmp

Filesize
160KB

Download
memory/1984-29-0x000001F0F1190000-0x000001F0F1208000-memory.dmp

Filesize
480KB

Download
memory/1984-30-0x000001F0F1210000-0x000001F0F1248000-memory.dmp

Filesize
224KB

Download
memory/1984-31-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-34-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-35-0x000001F0F1290000-0x000001F0F12C2000-memory.dmp

Filesize
200KB

Download
memory/1984-36-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-37-0x000001F0F1790000-0x000001F0F184A000-memory.dmp

Filesize
744KB

Download
memory/1984-38-0x000001F0EFCA0000-0x000001F0EFCBC000-memory.dmp

Filesize
112KB

Download
memory/1984-39-0x000001F0F3A60000-0x000001F0F3A80000-memory.dmp

Filesize
128KB

Download
memory/1984-40-0x000001F0EFB10000-0x000001F0EFB18000-memory.dmp

Filesize
32KB

Download
memory/1984-41-0x000001F0F3A80000-0x000001F0F3A9E000-memory.dmp

Filesize
120KB

Download
memory/1984-42-0x000001F0EF1E0000-0x000001F0EF1E8000-memory.dmp

Filesize
32KB

Download
memory/1984-43-0x000001F0EF2E0000-0x000001F0EF2E8000-memory.dmp

Filesize
32KB

Download
memory/1984-44-0x000001F0F3BE0000-0x000001F0F3C18000-memory.dmp

Filesize
224KB

Download
memory/1984-45-0x000001F0EFCC0000-0x000001F0EFCCE000-memory.dmp

Filesize
56KB

Download
memory/1984-46-0x00007FF880903000-0x00007FF880905000-memory.dmp

Filesize
8KB

Download
memory/1984-47-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-48-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-49-0x000001F0FC4E0000-0x000001F0FC5EC000-memory.dmp

Filesize
1.0MB

Download
memory/1984-50-0x000001F0FC3E0000-0x000001F0FC3EC000-memory.dmp

Filesize
48KB

Download
memory/1984-51-0x000001F0FC3F0000-0x000001F0FC3FE000-memory.dmp

Filesize
56KB

Download
memory/1984-52-0x000001F0FC5F0000-0x000001F0FC696000-memory.dmp

Filesize
664KB

Download
memory/1984-53-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-54-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-55-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-56-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-57-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-66-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-67-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-69-0x000001F0FA830000-0x000001F0FA888000-memory.dmp

Filesize
352KB

Download
memory/1984-70-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-71-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-73-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/1984-74-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download