9e1c62eb882475a97643802f9b4ee456837abff20b9c23b7805504b6fa99b5e6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fall.exe
Size

903KB
MD5

b86a2a0af835000d484d496fec1d5ffc
SHA1

dfe20835aba1f39c124d540e925c67cc02910200
SHA256

9e1c62eb882475a97643802f9b4ee456837abff20b9c23b7805504b6fa99b5e6
SHA512

bc79a3c5ef97951c1c7a16ba875a253cbef6750ccc3ba03fe46bdf2a066ed9d95917e77834c636d440a655403de7861dd66082f0fdb1317c70141e45b59609d3
SSDEEP

12288:K8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawflBa2Ley+trZNrI0AilFEvxHvBg:r3s4MROxnFCay6rZlI0AilFEvxHiGU

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3024	fall.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	fall.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fall.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	fall.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fall.exe
File opened for modification	C:\Windows\assembly	fall.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1684	WINWORD.EXE
1684	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	fall.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3024	fall.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3024	fall.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1620	3024	fall.exe	83
PID 3024 wrote to memory of 1620	3024	fall.exe	83
PID 1620 wrote to memory of 4344	1620	csc.exe	85
PID 1620 wrote to memory of 4344	1620	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\fall.exe
"C:\Users\Admin\AppData\Local\Temp\fall.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vlybkrxm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC89D1.tmp"
    3⤵
    PID:4344

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResolveAdd.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89D2.tmp

Filesize
1KB

MD5
54da8995b9e3c20ad0e0b6f83c41b4e2

SHA1
16c73efec9894f1a95c42e42ab5dc3d7239acbf1

SHA256
4b73c19e1d22bc624895671207260bcc3ab09cdf088c33fbbb84009630d676a1

SHA512
00a5d6e45f682ce8f702f1ae6360bde8510d98085cf991323056c5ea067a6fc81f22ce1ce306071dda58e0f0e091d32499b56f048803c488357c7606528d5852

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD52D9.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlybkrxm.dll

Filesize
76KB

MD5
662c6cc3c6cf7ffce55d5427afeaa2fb

SHA1
a11e5e58b2e1585f1fa2f8a50007e295357fae8b

SHA256
1b1565c89f97b446739b38d4b802f87b2796f604787801ca940cd1283eab7827

SHA512
a9b4f75f6173ff2dfcf5441ad6831d16179dab4e6cedb4d786a5d5bea7bbfad234d707903e4783e92fcd69d73f0b8a336d6439515516304c1b93acb8b55fc39e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
270B

MD5
ce5e7f875f4a907f8aa5387676f04919

SHA1
9f37029d970ad39409af0c6d7e7f187823b47a8e

SHA256
506fecd7529aef4f8041f3fe98a2180fac5b2616eaeb21684a0fc04d414c0b49

SHA512
c818dcd1fe061708fccee16943de3ad3c52804b5b23d1eaf236136e9494f3fd3ede43265807a0227cc9d7e9368cb6d7e34035b41a40525944d95c3fcb33b7677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
6ba365882a8518d42168e98754ae6291

SHA1
ad9405ef49358ee8dde4f6f1365f85036ad1eba8

SHA256
617633a0b851002e0ff6fc28e26dc5111f8a2274d81b02180e5f8ef22841a032

SHA512
781dfc47f35d9223d47a71718d79919568492d8bc457ed97050c76fb7ebb6a224ad482014a9e1d8be113ba97cddfff351373ae83003599000e228e0e10dc8e67

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\lib_3ceb2ea3bf8f49ab8809c1a37d3b9ee2\x64\turbojpeg.dll

Filesize
662KB

MD5
b36cc7f7c7148a783fbed3493bc27954

SHA1
44b39651949a00cf2a5cbba74c3210b980ae81b4

SHA256
c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38

SHA512
c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC89D1.tmp

Filesize
676B

MD5
95306a919e0047a18b59cfacd4f1a057

SHA1
f4c944c80df8a6ae5767dbcd24d30310f03d0974

SHA256
66ce47adaa6018845c7665312390bf1c88d1ecb9027e3e94a329094236213055

SHA512
255438ee9b8431558b1ca50703eb571082fc4dcec14fa6c4162759cce5120b29f1c5476a4a5fac8394d6d1357e0ab4bb884274ad38651e406aecbdc8056779d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vlybkrxm.0.cs

Filesize
208KB

MD5
520cd0375773df05fc12f04a9b6cc8f3

SHA1
9e5c0a7e64f00c543fa5ea643bff1d93f7d651c0

SHA256
da06aac46e36562f421341c7001b572f544d0e9dde4458ba399def9137207e99

SHA512
80993d6a473e61bec8096d6c8b996bfa085408077ad49418a111c6573dae92feff70199804b7274093d0c3b20a535c539e8c991ef2ee29b78858e94632038676

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vlybkrxm.cmdline

Filesize
349B

MD5
1afe58f013e7d89f158da65e10d00c21

SHA1
03f29c59be8a639051244ec6dfe6fcfecf7c9464

SHA256
62a61e70e2fa83a8d43d6963440860164d8e2afe29a08ec773d47a7e69218c69

SHA512
72c91bc55abeb05c654dd497f5d8aecc85389cc9b644344d23ebba5cadbafffb55ab903cc28bd11dea0e89f09b57ab759a9927f710f8457e6e753d561ca45fe8

Download Submit
memory/1620-21-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/1620-14-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/1684-80-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

Filesize
64KB

Download
memory/1684-81-0x00007FFC4A400000-0x00007FFC4A410000-memory.dmp

Filesize
64KB

Download
memory/1684-82-0x00007FFC4A400000-0x00007FFC4A410000-memory.dmp

Filesize
64KB

Download
memory/1684-79-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

Filesize
64KB

Download
memory/1684-77-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

Filesize
64KB

Download
memory/1684-78-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

Filesize
64KB

Download
memory/1684-76-0x00007FFC4C9B0000-0x00007FFC4C9C0000-memory.dmp

Filesize
64KB

Download
memory/3024-38-0x000000001E100000-0x000000001E149000-memory.dmp

Filesize
292KB

Download
memory/3024-52-0x000000001DB10000-0x000000001DB5A000-memory.dmp

Filesize
296KB

Download
memory/3024-32-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-33-0x000000001DE30000-0x000000001DE92000-memory.dmp

Filesize
392KB

Download
memory/3024-34-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-35-0x000000001EB30000-0x000000001F0EA000-memory.dmp

Filesize
5.7MB

Download
memory/3024-36-0x000000001F0F0000-0x000000001F1E0000-memory.dmp

Filesize
960KB

Download
memory/3024-37-0x000000001DFC0000-0x000000001DFDE000-memory.dmp

Filesize
120KB

Download
memory/3024-0-0x00007FFC6E965000-0x00007FFC6E966000-memory.dmp

Filesize
4KB

Download
memory/3024-39-0x000000001F2A0000-0x000000001F310000-memory.dmp

Filesize
448KB

Download
memory/3024-40-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-41-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-42-0x000000001F5C0000-0x000000001F6FC000-memory.dmp

Filesize
1.2MB

Download
memory/3024-43-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-44-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-45-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-47-0x000000001DA70000-0x000000001DAB4000-memory.dmp

Filesize
272KB

Download
memory/3024-31-0x00007FFC6E965000-0x00007FFC6E966000-memory.dmp

Filesize
4KB

Download
memory/3024-57-0x000000001F410000-0x000000001F46A000-memory.dmp

Filesize
360KB

Download
memory/3024-62-0x000000001DFE0000-0x000000001E006000-memory.dmp

Filesize
152KB

Download
memory/3024-67-0x000000001FC60000-0x000000001FDB4000-memory.dmp

Filesize
1.3MB

Download
memory/3024-71-0x0000000020000000-0x0000000020136000-memory.dmp

Filesize
1.2MB

Download
memory/3024-72-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-28-0x00000000017D0000-0x00000000017D8000-memory.dmp

Filesize
32KB

Download
memory/3024-27-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/3024-26-0x000000001D010000-0x000000001D028000-memory.dmp

Filesize
96KB

Download
memory/3024-25-0x000000001BC40000-0x000000001BC52000-memory.dmp

Filesize
72KB

Download
memory/3024-23-0x000000001CFE0000-0x000000001CFF6000-memory.dmp

Filesize
88KB

Download
memory/3024-8-0x000000001C950000-0x000000001C9EC000-memory.dmp

Filesize
624KB

Download
memory/3024-7-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download
memory/3024-6-0x000000001C3E0000-0x000000001C8AE000-memory.dmp

Filesize
4.8MB

Download
memory/3024-5-0x000000001BEC0000-0x000000001BECE000-memory.dmp

Filesize
56KB

Download
memory/3024-2-0x000000001BCE0000-0x000000001BD3C000-memory.dmp

Filesize
368KB

Download
memory/3024-1-0x00007FFC6E6B0000-0x00007FFC6F051000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads