Overview
overview
10Static
static
10FD4DC9B2BF...4B.exe
windows7-x64
1Flyper.exe
windows7-x64
1Flyper2.exe
windows7-x64
1Flyper3.exe
windows7-x64
1Free YouTu...er.exe
windows7-x64
3FreeYoutub...16.exe
windows7-x64
7file (1).exe
windows7-x64
10file (2).exe
windows7-x64
6file (3).exe
windows7-x64
10file (4).exe
windows7-x64
10file (6).exe
windows7-x64
10file (7).exe
windows7-x64
3file.exe
windows7-x64
5file_ (1).exe
windows7-x64
7file_ (2).exe
windows7-x64
7file_ (3).exe
windows7-x64
7file_ (4).exe
windows7-x64
7file_ (5).exe
windows7-x64
7file_ (6).exe
windows7-x64
7file_ (7).exe
windows7-x64
7file_.exe
windows7-x64
7file_9.exe
windows7-x64
7firefox32.exe
windows7-x64
7flash_play...al.exe
windows7-x64
10flash_play...ed.exe
windows7-x64
3freegaza_i...rs.exe
windows7-x64
7fresh_a22b...53.exe
windows7-x64
9helper[1].exe_.exe
windows7-x64
3holycrypt-v0.3.exe
windows7-x64
info[1].exe
windows7-x64
10informations.exe
windows7-x64
10installer.exe
windows7-x64
7Analysis
-
max time kernel
65s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:31
Behavioral task
behavioral1
Sample
FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Flyper.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
Flyper2.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Flyper3.exe
Resource
win7-20241023-en
Behavioral task
behavioral5
Sample
Free YouTube Downloader.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
FreeYoutubeDownloader11012016.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
file (1).exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
file (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
file (3).exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
file (4).exe
Resource
win7-20240729-en
Behavioral task
behavioral11
Sample
file (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
file (7).exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
file_ (1).exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
file_ (2).exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
file_ (3).exe
Resource
win7-20241010-en
Behavioral task
behavioral17
Sample
file_ (4).exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
file_ (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
file_ (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
file_ (7).exe
Resource
win7-20241023-en
Behavioral task
behavioral21
Sample
file_.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
file_9.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
firefox32.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
flash_player.original.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
flash_player.unpacked.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
freegaza_israeli_killers.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
fresh_a22bb95ee8cfccc94ba183c071bad3a951b353e98fcf0d6cfa9268aaf9c53d53.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
helper[1].exe_.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
holycrypt-v0.3.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
info[1].exe
Resource
win7-20241023-en
Behavioral task
behavioral31
Sample
informations.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
installer.exe
Resource
win7-20240903-en
General
-
Target
file (6).exe
-
Size
157KB
-
MD5
438580ccbffdc97ad5b9f09a213c3e8f
-
SHA1
0437c2003974a979ecc4170544f2f863c7dafd12
-
SHA256
f77ef2ace574ee9a7d758ef00f7df14c940381625b12a4b65e5e292d1ef34b1c
-
SHA512
a8214216662cc7323b3ab0aec016647581ff2ca68edeab9bf340c7befb088f501d7d592f901eea48211681bcf5f90fc74293b940152f32e1be6555f55dd4dbd8
-
SSDEEP
3072:0t6Gtx/jjOtP8JV4Y1aaH67pnMK/MdyGwsNYFfP:0thut0JV3fOMdE
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe -
Executes dropped EXE 2 IoCs
pid Process 2772 module.exe 2204 module.exe -
Loads dropped DLL 1 IoCs
pid Process 2196 file (6).exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Module = "%ALLUSERSPROFILE%\\Media\\module.exe" file (6).exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA module.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA module.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\ProgramData\Media\module.exe:Zone.Identifier cmd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2944 2196 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language module.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file (6).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language module.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 1 IoCs
pid Process 2140 taskkill.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\ProgramData\Media\module.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2196 file (6).exe 2196 file (6).exe 2196 file (6).exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe 2204 module.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2888 taskmgr.exe Token: SeDebugPrivilege 2140 taskkill.exe -
Suspicious use of FindShellTrayWindow 19 IoCs
pid Process 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe 2888 taskmgr.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2204 module.exe 2204 module.exe 2772 module.exe 2772 module.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2700 2196 file (6).exe 31 PID 2196 wrote to memory of 2700 2196 file (6).exe 31 PID 2196 wrote to memory of 2700 2196 file (6).exe 31 PID 2196 wrote to memory of 2700 2196 file (6).exe 31 PID 2196 wrote to memory of 2772 2196 file (6).exe 33 PID 2196 wrote to memory of 2772 2196 file (6).exe 33 PID 2196 wrote to memory of 2772 2196 file (6).exe 33 PID 2196 wrote to memory of 2772 2196 file (6).exe 33 PID 2196 wrote to memory of 2944 2196 file (6).exe 34 PID 2196 wrote to memory of 2944 2196 file (6).exe 34 PID 2196 wrote to memory of 2944 2196 file (6).exe 34 PID 2196 wrote to memory of 2944 2196 file (6).exe 34 PID 2204 wrote to memory of 2140 2204 module.exe 38 PID 2204 wrote to memory of 2140 2204 module.exe 38 PID 2204 wrote to memory of 2140 2204 module.exe 38 PID 2204 wrote to memory of 2140 2204 module.exe 38 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System module.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System module.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file (6).exe"C:\Users\Admin\AppData\Local\Temp\file (6).exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2700
-
-
C:\ProgramData\Media\module.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 3282⤵
- Program crash
PID:2944
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888
-
C:\ProgramData\Media\module.exe"C:\ProgramData\Media\module.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2204 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /IM taskmgr.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77B
MD5d10f631a08d4953930bdd79bc3ddd009
SHA18309a6decb6f6c8f8a2e2eea80fde3464e6aaf00
SHA256047d32c8b8314c8b1fa11504d53ac22fa6c7f2b2e0088c0c7523e28214a78c4e
SHA51299bd26c3450b197eb84f2ca8ad31d5b26bd9469aba83f795a01237833115522d5c96136e54ec0038ab4120e30269a13fca9f4e042ee695a34eb17d19489bf7ae
-
Filesize
157KB
MD5438580ccbffdc97ad5b9f09a213c3e8f
SHA10437c2003974a979ecc4170544f2f863c7dafd12
SHA256f77ef2ace574ee9a7d758ef00f7df14c940381625b12a4b65e5e292d1ef34b1c
SHA512a8214216662cc7323b3ab0aec016647581ff2ca68edeab9bf340c7befb088f501d7d592f901eea48211681bcf5f90fc74293b940152f32e1be6555f55dd4dbd8