Overview
overview
10Static
static
10FD4DC9B2BF...4B.exe
windows7-x64
1FD4DC9B2BF...4B.exe
windows10-2004-x64
1Flyper.exe
windows7-x64
1Flyper.exe
windows10-2004-x64
1Flyper2.exe
windows7-x64
1Flyper2.exe
windows10-2004-x64
1Flyper3.exe
windows7-x64
1Flyper3.exe
windows10-2004-x64
1Free YouTu...er.exe
windows7-x64
3Free YouTu...er.exe
windows10-2004-x64
3FreeYoutub...16.exe
windows7-x64
7FreeYoutub...16.exe
windows10-2004-x64
7file (1).exe
windows7-x64
10file (1).exe
windows10-2004-x64
10file (2).exe
windows7-x64
6file (2).exe
windows10-2004-x64
10file (3).exe
windows7-x64
10file (3).exe
windows10-2004-x64
10file (4).exe
windows7-x64
10file (4).exe
windows10-2004-x64
10file (6).exe
windows7-x64
10file (6).exe
windows10-2004-x64
10file (7).exe
windows7-x64
1file (7).exe
windows10-2004-x64
3file.exe
windows7-x64
5file.exe
windows10-2004-x64
5file_ (1).exe
windows7-x64
7file_ (1).exe
windows10-2004-x64
7file_ (2).exe
windows7-x64
7file_ (2).exe
windows10-2004-x64
7file_ (3).exe
windows7-x64
7file_ (3).exe
windows10-2004-x64
7Analysis
-
max time kernel
95s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:43
Behavioral task
behavioral1
Sample
FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Flyper.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Flyper.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Flyper2.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Flyper2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Flyper3.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Flyper3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Free YouTube Downloader.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
Free YouTube Downloader.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
FreeYoutubeDownloader11012016.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
FreeYoutubeDownloader11012016.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
file (1).exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
file (1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
file (2).exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
file (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
file (3).exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
file (3).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
file (4).exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
file (4).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
file (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
file (6).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
file (7).exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
file (7).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
file.exe
Resource
win7-20241023-en
Behavioral task
behavioral26
Sample
file.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
file_ (1).exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
file_ (1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
file_ (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
file_ (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
file_ (3).exe
Resource
win7-20241023-en
General
-
Target
file (6).exe
-
Size
157KB
-
MD5
438580ccbffdc97ad5b9f09a213c3e8f
-
SHA1
0437c2003974a979ecc4170544f2f863c7dafd12
-
SHA256
f77ef2ace574ee9a7d758ef00f7df14c940381625b12a4b65e5e292d1ef34b1c
-
SHA512
a8214216662cc7323b3ab0aec016647581ff2ca68edeab9bf340c7befb088f501d7d592f901eea48211681bcf5f90fc74293b940152f32e1be6555f55dd4dbd8
-
SSDEEP
3072:0t6Gtx/jjOtP8JV4Y1aaH67pnMK/MdyGwsNYFfP:0thut0JV3fOMdE
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe -
Executes dropped EXE 1 IoCs
pid Process 2764 module.exe -
Loads dropped DLL 1 IoCs
pid Process 2216 file (6).exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Module = "%ALLUSERSPROFILE%\\Media\\module.exe" file (6).exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA module.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\ProgramData\Media\module.exe:Zone.Identifier cmd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2696 2216 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file (6).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language module.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\ProgramData\Media\module.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2216 file (6).exe 2216 file (6).exe 2216 file (6).exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe 2764 module.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2764 module.exe 2764 module.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2652 2216 file (6).exe 30 PID 2216 wrote to memory of 2652 2216 file (6).exe 30 PID 2216 wrote to memory of 2652 2216 file (6).exe 30 PID 2216 wrote to memory of 2652 2216 file (6).exe 30 PID 2216 wrote to memory of 2764 2216 file (6).exe 32 PID 2216 wrote to memory of 2764 2216 file (6).exe 32 PID 2216 wrote to memory of 2764 2216 file (6).exe 32 PID 2216 wrote to memory of 2764 2216 file (6).exe 32 PID 2216 wrote to memory of 2696 2216 file (6).exe 33 PID 2216 wrote to memory of 2696 2216 file (6).exe 33 PID 2216 wrote to memory of 2696 2216 file (6).exe 33 PID 2216 wrote to memory of 2696 2216 file (6).exe 33 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System module.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" module.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file (6).exe"C:\Users\Admin\AppData\Local\Temp\file (6).exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2652
-
-
C:\ProgramData\Media\module.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2764
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 3282⤵
- Program crash
PID:2696
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13B
MD538de427224a5082a04fe82e2bd4ea9ec
SHA17e4a53de1f83762dd2febd39b818e2258bc83bc1
SHA25612f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028
SHA512ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf
-
Filesize
77B
MD5d10f631a08d4953930bdd79bc3ddd009
SHA18309a6decb6f6c8f8a2e2eea80fde3464e6aaf00
SHA256047d32c8b8314c8b1fa11504d53ac22fa6c7f2b2e0088c0c7523e28214a78c4e
SHA51299bd26c3450b197eb84f2ca8ad31d5b26bd9469aba83f795a01237833115522d5c96136e54ec0038ab4120e30269a13fca9f4e042ee695a34eb17d19489bf7ae
-
Filesize
157KB
MD5438580ccbffdc97ad5b9f09a213c3e8f
SHA10437c2003974a979ecc4170544f2f863c7dafd12
SHA256f77ef2ace574ee9a7d758ef00f7df14c940381625b12a4b65e5e292d1ef34b1c
SHA512a8214216662cc7323b3ab0aec016647581ff2ca68edeab9bf340c7befb088f501d7d592f901eea48211681bcf5f90fc74293b940152f32e1be6555f55dd4dbd8