c416db4cda367c4e1f8d45bc3e308bcfde7e958bdd8029d92e31599e0d764dd1

Analysis

max time kernel
90s
max time network
202s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FanControl.exe
Size

1.3MB
MD5

9b94d3f94fae042147cbe5dc8009370f
SHA1

3116e6fa60f5cd0d580ff748d6ae0499e7534ff2
SHA256

6d99e5b8af7bd2312f7d3aa2e42514ceb40ed3203dfc669558e8d5d0879c724b
SHA512

1ee4b0a0d5a5eee964f20f875b6c0254086b4ac2925e47be64e943e4bff97be2b536ebb787dd9390160649ccda6a29f3134800901880458c407695186c5dab71
SSDEEP

6144:ny2M4ziRCIr+bDy/oUMs2p+pGv1xPGUD5p7aQNwul3k8+uiOiK6kU2SPSC5rII2e:ny2M/CIr+bG/oE2cI/uUjtNu/rf/3pP

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com
Modifies Control Panel 1 IoCs
evasion

Processes:

FanControl.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors FanControl.exe

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors	FanControl.exe

Modifies registry class 17 IoCs

Processes:

FanControl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FanControl.exe\" -ToastActivated"	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\AppId = "{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}"	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\RunAs = "Interactive User"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\IconUri = "C:\\Users\\Admin\\AppData\\Local\\ToastNotificationManagerCompat\\Apps\\C48E82A6-F8B9-97B5-BC51-5BCDBF007452\\Icon.png"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\IconBackgroundColor = "FFDDDDDD"	FanControl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}	FanControl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FanControl.exe\" -ToastActivated"	FanControl.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\Has7.0.1Fix = "1"	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}\LocalServer32	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID	FanControl.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\AppUserModelId	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\DisplayName = "FanControl"	FanControl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\AppUserModelId\C:/Users/Admin/AppData/Local/Temp/FanControl.exe\CustomActivator = "{c48e82a6-f8b9-97b5-bc51-5bcdbf007452}"	FanControl.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

676
676
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FanControl.exe

description pid process

Token: SeDebugPrivilege 1408 FanControl.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

FanControl.exe

pid process

1408 FanControl.exe
1408 FanControl.exe
1408 FanControl.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

FanControl.exe

pid process

1408 FanControl.exe
1408 FanControl.exe
1408 FanControl.exe

pid	process
676
676

description	pid	process
Token: SeDebugPrivilege	1408	FanControl.exe

pid	process
1408	FanControl.exe
1408	FanControl.exe
1408	FanControl.exe

pid	process
1408	FanControl.exe
1408	FanControl.exe
1408	FanControl.exe

C:\Users\Admin\AppData\Local\Temp\FanControl.exe
"C:\Users\Admin\AppData\Local\Temp\FanControl.exe"
1⤵
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-0-0x00007FFA62A93000-0x00007FFA62A95000-memory.dmp

Filesize
8KB

Download
memory/1408-1-0x0000021B2A330000-0x0000021B2A490000-memory.dmp

Filesize
1.4MB

Download
memory/1408-2-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-3-0x0000021B45570000-0x0000021B45EEC000-memory.dmp

Filesize
9.5MB

Download
memory/1408-4-0x0000021B44B20000-0x0000021B44B74000-memory.dmp

Filesize
336KB

Download
memory/1408-5-0x0000021B2AA20000-0x0000021B2AA48000-memory.dmp

Filesize
160KB

Download
memory/1408-9-0x0000021B2A9F0000-0x0000021B2A9FA000-memory.dmp

Filesize
40KB

Download
memory/1408-12-0x0000021B44B00000-0x0000021B44B0E000-memory.dmp

Filesize
56KB

Download
memory/1408-8-0x0000021B2AA50000-0x0000021B2AA6A000-memory.dmp

Filesize
104KB

Download
memory/1408-13-0x0000021B44BA0000-0x0000021B44BB4000-memory.dmp

Filesize
80KB

Download
memory/1408-15-0x0000021B44EC0000-0x0000021B44F38000-memory.dmp

Filesize
480KB

Download
memory/1408-16-0x0000021B44D00000-0x0000021B44D18000-memory.dmp

Filesize
96KB

Download
memory/1408-17-0x0000021B45000000-0x0000021B450B2000-memory.dmp

Filesize
712KB

Download
memory/1408-18-0x0000021B44AF0000-0x0000021B44AF8000-memory.dmp

Filesize
32KB

Download
memory/1408-14-0x0000021B44E40000-0x0000021B44EBE000-memory.dmp

Filesize
504KB

Download
memory/1408-19-0x0000021B44DC0000-0x0000021B44DE2000-memory.dmp

Filesize
136KB

Download
memory/1408-7-0x0000021B44D50000-0x0000021B44DB2000-memory.dmp

Filesize
392KB

Download
memory/1408-11-0x0000021B2AA10000-0x0000021B2AA18000-memory.dmp

Filesize
32KB

Download
memory/1408-10-0x0000021B2AA00000-0x0000021B2AA0A000-memory.dmp

Filesize
40KB

Download
memory/1408-6-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-20-0x0000021B44F40000-0x0000021B44F72000-memory.dmp

Filesize
200KB

Download
memory/1408-21-0x0000021B44F80000-0x0000021B44FCA000-memory.dmp

Filesize
296KB

Download
memory/1408-22-0x0000021B44DF0000-0x0000021B44E1C000-memory.dmp

Filesize
176KB

Download
memory/1408-23-0x0000021B44B90000-0x0000021B44B9A000-memory.dmp

Filesize
40KB

Download
memory/1408-24-0x0000021B44FD0000-0x0000021B44FF6000-memory.dmp

Filesize
152KB

Download
memory/1408-26-0x0000021B450F0000-0x0000021B450F8000-memory.dmp

Filesize
32KB

Download
memory/1408-27-0x0000021B460F0000-0x0000021B461A4000-memory.dmp

Filesize
720KB

Download
memory/1408-28-0x0000021B45150000-0x0000021B45178000-memory.dmp

Filesize
160KB

Download
memory/1408-31-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-30-0x0000021B45520000-0x0000021B45558000-memory.dmp

Filesize
224KB

Download
memory/1408-29-0x0000021B461B0000-0x0000021B46228000-memory.dmp

Filesize
480KB

Download
memory/1408-34-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-35-0x0000021B46270000-0x0000021B462A2000-memory.dmp

Filesize
200KB

Download
memory/1408-36-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-37-0x0000021B46870000-0x0000021B4692A000-memory.dmp

Filesize
744KB

Download
memory/1408-38-0x0000021B44D20000-0x0000021B44D3C000-memory.dmp

Filesize
112KB

Download
memory/1408-39-0x0000021B46840000-0x0000021B46860000-memory.dmp

Filesize
128KB

Download
memory/1408-40-0x0000021B45180000-0x0000021B45188000-memory.dmp

Filesize
32KB

Download
memory/1408-41-0x0000021B47290000-0x0000021B472AE000-memory.dmp

Filesize
120KB

Download
memory/1408-42-0x0000021B44BD0000-0x0000021B44BD8000-memory.dmp

Filesize
32KB

Download
memory/1408-43-0x0000021B45130000-0x0000021B45138000-memory.dmp

Filesize
32KB

Download
memory/1408-44-0x0000021B48C10000-0x0000021B48C48000-memory.dmp

Filesize
224KB

Download
memory/1408-45-0x0000021B45560000-0x0000021B4556E000-memory.dmp

Filesize
56KB

Download
memory/1408-46-0x00007FFA62A93000-0x00007FFA62A95000-memory.dmp

Filesize
8KB

Download
memory/1408-47-0x0000021B50E00000-0x0000021B50F0C000-memory.dmp

Filesize
1.0MB

Download
memory/1408-48-0x0000021B4B2C0000-0x0000021B4B2CC000-memory.dmp

Filesize
48KB

Download
memory/1408-49-0x0000021B4B2D0000-0x0000021B4B2DE000-memory.dmp

Filesize
56KB

Download
memory/1408-50-0x0000021B50F10000-0x0000021B50FB6000-memory.dmp

Filesize
664KB

Download
memory/1408-51-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-52-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-53-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-54-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download
memory/1408-55-0x00007FFA62A90000-0x00007FFA63552000-memory.dmp

Filesize
10.8MB

Download