Overview

overview

8

Static

static

3

Flarenew.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    83s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Flarenew.exe

  • Size

    91KB

  • MD5

    cc781da6668d36fd69268355a98acfcc

  • SHA1

    e517879b4017a82cb229ae8c3696e9c574b0e351

  • SHA256

    8ad988358df106e54c497704f229ca6ce1092d6fc4632b2fb6b9fe300a3d7b18

  • SHA512

    524967733b621ec16e29164c7000b0e1173e45423036d162edff6ade349da265aaf46bd12052aee53271df48f7242c6956a5c004d53d7274b8d93618ab508166

  • SSDEEP

    1536:X7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwt8O4:L7DhdC6kzWypvaQ0FxyNTBfAWY

Score
8/10
defense_evasiondiscoveryexploitpersistence

Malware Config

Signatures

  • Possible privilege escalation attempt 16 IoCs
    exploit
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Drops startup file 5 IoCs
  • Modifies file permissions 1 TTPs 16 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Opens file in notepad (likely ransom note) 3 IoCs
    ransomware
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Flarenew.exe
    "C:\Users\Admin\AppData\Local\Temp\Flarenew.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:6088
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8FCC.tmp\8FDD.tmp\8FDE.bat C:\Users\Admin\AppData\Local\Temp\Flarenew.exe"
      2⤵
      • Drops startup file
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\system32\msg.exe
        msg * "Fatal Error: Something unusual has occured. Maybe try restarting your PC?"
        3⤵
          PID:3272
        • C:\Windows\system32\net.exe
          net session
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5336
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 session
            4⤵
              PID:5056
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im taskmgr.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:5760
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\System32\taskmgr.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:100
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\taskmgr.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\System32\taskmgr.exe /grant administrators:F
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4332
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\taskmgr.exe /grant administrators:F
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:3592
          • C:\Windows\system32\attrib.exe
            attrib +s +h +r "C:\Windows\System32\flare.bat"
            3⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:4020
          • C:\Windows\system32\icacls.exe
            icacls "C:\Windows\System32\flare.bat" /deny Everyone:(F)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:556
          • C:\Windows\system32\icacls.exe
            icacls "C:\Windows\System32\flare.bat" /deny SYSTEM:(F)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:468
          • C:\Windows\system32\icacls.exe
            icacls "C:\Windows\System32\flare.bat" /deny Administrators:(F)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:812
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security Update" /t REG_SZ /d "C:\Windows\System32\flare.bat" /f
            3⤵
            • Adds Run key to start application
            PID:4500
          • C:\Windows\system32\cmd.exe
            cmd.exe
            3⤵
              PID:4788
            • C:\Windows\system32\notepad.exe
              notepad "C:\Users\Admin\Desktop\flare_warning.txt"
              3⤵
              • Opens file in notepad (likely ransom note)
              PID:4856
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\CON" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4868
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\PRN" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4816
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\AUX" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4996
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\NUL" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4912
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\COM1" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:5076
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\COM2" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:5068
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\COM3" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4684
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\LPT1" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:3732
            • C:\Windows\system32\icacls.exe
              icacls "C:\Users\Admin\Desktop\LPT2" /deny Everyone:(F
              3⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:3876
            • C:\Windows\system32\attrib.exe
              attrib +s +h "C:\Users\Admin\Desktop\LPT2"
              3⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:4972
            • C:\Windows\system32\notepad.exe
              notepad "C:\Users\Admin\Desktop\LPT2\Fixes.txt"
              3⤵
              • Opens file in notepad (likely ransom note)
              PID:2240
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:2884
          • C:\Windows\System32\NOTEPAD.EXE
            "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error.bat
            1⤵
              PID:2648
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error.bat" "
              1⤵
              • Drops startup file
              • Suspicious use of WriteProcessMemory
              PID:3220
              • C:\Windows\system32\wscript.exe
                wscript error.vbs
                2⤵
                • Suspicious use of FindShellTrayWindow
                PID:5436
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error.bat" "
              1⤵
              • Drops startup file
              • Suspicious use of WriteProcessMemory
              PID:2220
              • C:\Windows\system32\wscript.exe
                wscript error.vbs
                2⤵
                  PID:1356
              • C:\Windows\system32\NOTEPAD.EXE
                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\flare_warning.txt
                1⤵
                • Opens file in notepad (likely ransom note)
                PID:1548

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\8FCC.tmp\8FDD.tmp\8FDE.bat
                Filesize

                2KB

                MD5

                be3e09162aafb8ef522ff2a2611c9565

                SHA1

                a90dfea533846ba5dc652dc8f5a0ac9f6718ab54

                SHA256

                b376cc491088c2a36910e7bd798fff36468c9bf55eab75b36e4cedef65e0e402

                SHA512

                599986f1597d776490a146c916ff2d7dfa52fde3f645bf602034cfa3ab3684eac52d5c107b145dc3b07c5663ffa1d104a288a50ad18200a70e6c802d93e3fd20

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error.bat
                Filesize

                237B

                MD5

                29871f22521d0ab5777e9dfc20fc9c55

                SHA1

                afe0417165c9011c338b416f4eaaddca0cf7fc52

                SHA256

                808a5b00ba85be2d7d6a2b23389b160ed0fa7635508c564af1bf8784a2edede6

                SHA512

                c90a432df0da718fdb8b2ae98c6675da113333d810ad91ca57150e24a5d104cca02f849d242a6c2a45dc48172be623a63f19a2c7aae421a2cf42bb08f302e888

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\error.vbs
                Filesize

                159B

                MD5

                84046e85ee39a8cd13b4a333c772ecee

                SHA1

                18c4ed2314a8964195aaa13142e18b666ad36b0b

                SHA256

                b030e4c6bf81e3ac3518c25df44f0eff58e2c01280a3342006e0682b7cbdb93b

                SHA512

                42a7290fade1fba89e0b708a990182840b9e379abf3850695b8c815f0d47ad265e5628bcfad3861d1eee5696cbfdab63e9e7327ad0de9e24c07e40eed71c3cc1

                Download Submit

              • C:\Users\Admin\Desktop\LPT2\Fixes.txt
                Filesize

                36B

                MD5

                9ea9c312f34cfeda8394b84c0dfd1fc9

                SHA1

                d587d14e675fa07820e4a3c513285b42831c90bf

                SHA256

                4bfc6d2ad894c24dcedc920096679c80c1dd4340528ba9a071cff8b9bf8ab9e7

                SHA512

                0ed43563d7e3492773d30abdad9199b5cb9fd49ffb32c0c0a9cc1471545991131644b81c61f70f0f062ee9ab5314005b7677982c8074696aa832b226cd32ca8d

                Download Submit

              • C:\Users\Admin\Desktop\flare_warning.txt
                Filesize

                85B

                MD5

                06f0a7e183c60d2d25359f8805ac79c8

                SHA1

                88dcb58b0342aaa5d26fbcc4f331980280d8788e

                SHA256

                c4ee6d94b5725af6c1ed91eb62fc34db9be62aca661976a5c24bdbb3db24e1d6

                SHA512

                ee60f735fcee65e0c76a9240b660bb850f285900d5229dcf102d244e14248b24f5f102523efee659f4de6ac339fa1f554e36a712bd3209a4f3ab1897a63314b3

                Download Submit

              • C:\Windows\System32\flare.bat
                Filesize

                91KB

                MD5

                cc781da6668d36fd69268355a98acfcc

                SHA1

                e517879b4017a82cb229ae8c3696e9c574b0e351

                SHA256

                8ad988358df106e54c497704f229ca6ce1092d6fc4632b2fb6b9fe300a3d7b18

                SHA512

                524967733b621ec16e29164c7000b0e1173e45423036d162edff6ade349da265aaf46bd12052aee53271df48f7242c6956a5c004d53d7274b8d93618ab508166

                Download Submit