Overview

overview

8

Static

static

3

Flarenew.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    105s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Flarenew.exe

  • Size

    91KB

  • MD5

    cc62e07613c3d5a64deeec263f90203f

  • SHA1

    29b3b3a3dd3b9fc29557b1f143c9a8ff8e0f803b

  • SHA256

    25b5c5c60d60808e953ac7a931839fc5807233532e90e47b950c3aad0f3ed03a

  • SHA512

    bab0d67020aedf4cfa1571a970ad2ae2e959e625f9d527abab3ab346da12875ce8e5e753b5913946d5766f03aafd19e93caa4db3975c4facb21602473ae55fd2

  • SSDEEP

    1536:D7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfPwgOU:f7DhdC6kzWypvaQ0FxyNTBfPV

Score
8/10
defense_evasiondiscoveryexploitpersistence

Malware Config

Signatures

  • Possible privilege escalation attempt 16 IoCs
    exploit
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Modifies file permissions 1 TTPs 16 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Flarenew.exe
    "C:\Users\Admin\AppData\Local\Temp\Flarenew.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5352
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5748.tmp\5749.tmp\574A.bat C:\Users\Admin\AppData\Local\Temp\Flarenew.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\system32\msg.exe
        msg * "Fatal Error: Something unusual has occured. Maybe try restarting your PC?"
        3⤵
          PID:1564
        • C:\Windows\system32\net.exe
          net session
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5700
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 session
            4⤵
              PID:1640
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im taskmgr.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2252
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System32\taskmgr.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:5792
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\taskmgr.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:5728
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\System32\taskmgr.exe /grant administrators:F
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4728
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\taskmgr.exe /grant administrators:F
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4584
          • C:\Windows\system32\attrib.exe
            attrib +s +h +r "C:\Windows\System32\flare.bat"
            3⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:4540
          • C:\Windows\system32\icacls.exe
            icacls "C:\Windows\System32\flare.bat" /deny Everyone:(F)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4600
          • C:\Windows\system32\icacls.exe
            icacls "C:\Windows\System32\flare.bat" /deny SYSTEM:(F)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4676
          • C:\Windows\system32\icacls.exe
            icacls "C:\Windows\System32\flare.bat" /deny Administrators:(F)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4712
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Update" /t REG_SZ /d "C:\Windows\System32\flare.bat" /f
            3⤵
            • Adds Run key to start application
            PID:4616
          • C:\Windows\system32\cmd.exe
            cmd.exe
            3⤵
              PID:4824
            • C:\Windows\system32\notepad.exe
              notepad "C:\Users\Admin\Desktop\flare_warning.txt"
              3⤵
              • Opens file in notepad (likely ransom note)
              PID:4892
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\CON" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4672
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\PRN" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4624
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\AUX" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4752
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\NUL" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4792
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\COM1" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4776
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\COM2" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:5000
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\COM3" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4760
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\LPT1" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4936
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\LPT2" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4844
            • C:\Windows\system32\attrib.exe
              attrib +s +h "C:\Users\Admin\Desktop\LPT2"
              3⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:4856
            • C:\Windows\system32\notepad.exe
              notepad "C:\Users\Admin\Desktop\LPT2\lockfile.txt"
              3⤵
              • Opens file in notepad (likely ransom note)
              PID:4884

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\5748.tmp\5749.tmp\574A.bat
          Filesize

          2KB

          MD5

          9bf685d695cc287fa76bfe8a36a89f3c

          SHA1

          4bd1ecdbf5fcaf953dde07991556c6fc18c66b4a

          SHA256

          e93b6dee509f64a3cf0b0b028e0ddffd3274c92f7657ca72e58cbeafb0c8eda8

          SHA512

          698401d4f2ba37df5a9139efbcd7a819874fd9d4e14b1a204cd3801b95a7c972d41040535211a3ab6932641cdd2aeecbbbae355d92fbe86b6815be9b26f3484f

          Download Submit

        • C:\Users\Admin\Desktop\LPT2\lockfile.txt
          Filesize

          16B

          MD5

          35519859078faf1bb9ff9aa6d97e02f7

          SHA1

          f62fa3cba186ac4fc65321e5b24f3b3c6713e168

          SHA256

          c76a191235beca08d9290c53f8832be67b1b9671269674ece289e3162157d2b1

          SHA512

          674ed9c45e4070cd2de21e7a74fe8327ad3db7234a306988fd579e126f6c37ce5a39fa45cbf2da818c81bf7dfcf160f4f993f9fb3d3a85a1530101564ced9df9

          Download Submit

        • C:\Users\Admin\Desktop\flare_warning.txt
          Filesize

          85B

          MD5

          06f0a7e183c60d2d25359f8805ac79c8

          SHA1

          88dcb58b0342aaa5d26fbcc4f331980280d8788e

          SHA256

          c4ee6d94b5725af6c1ed91eb62fc34db9be62aca661976a5c24bdbb3db24e1d6

          SHA512

          ee60f735fcee65e0c76a9240b660bb850f285900d5229dcf102d244e14248b24f5f102523efee659f4de6ac339fa1f554e36a712bd3209a4f3ab1897a63314b3

          Download Submit

        • C:\Windows\System32\flare.bat
          Filesize

          91KB

          MD5

          cc62e07613c3d5a64deeec263f90203f

          SHA1

          29b3b3a3dd3b9fc29557b1f143c9a8ff8e0f803b

          SHA256

          25b5c5c60d60808e953ac7a931839fc5807233532e90e47b950c3aad0f3ed03a

          SHA512

          bab0d67020aedf4cfa1571a970ad2ae2e959e625f9d527abab3ab346da12875ce8e5e753b5913946d5766f03aafd19e93caa4db3975c4facb21602473ae55fd2

          Download Submit