7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497

Analysis

max time kernel
123s
max time network
129s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FastAimX64.exe
Size

36.9MB
MD5

132db3303d3b0cfbc12a578688c581fd
SHA1

198d5010e04c9ad0670c7a54a942cf4eba416aee
SHA256

7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
SHA512

f2c2568745a46920453ba6b500e02e078bc4fc45264dbb3df8451b38524f2765465a4cdc6a70b61dce554c1d3b41c44b32934d9a1f8a87109a0223ae1af7ae57
SSDEEP

786432:FYpCWvC8TK4HxoCoZjzlBeTV+WreWniTuzVVqGlQdEon/x3Ol5IPEWz:FhWvC8wrJBmV1eWniTmVV9lcLx3u5I8M

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2120 powershell.exe

pid	process
2120	powershell.exe

Drops file in Program Files directory 6 IoCs

Processes:

FastAimX64.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\MyApp\blx.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe	FastAimX64.exe
File opened for modification	C:\Program Files (x86)\MyApp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\MyApp\install_python.bat	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\install.bat	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\creal.exe	FastAimX64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2120 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2120 powershell.exe

pid	process
2120	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2120	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

FastAimX64.execmd.execmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 3064	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 3064	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 3064	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 3064	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 3064	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 3064	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 3064	1784	FastAimX64.exe	cmd.exe
PID 3064 wrote to memory of 2348	3064	cmd.exe	cmd.exe
PID 3064 wrote to memory of 2348	3064	cmd.exe	cmd.exe
PID 3064 wrote to memory of 2348	3064	cmd.exe	cmd.exe
PID 3064 wrote to memory of 2348	3064	cmd.exe	cmd.exe
PID 2348 wrote to memory of 2120	2348	cmd.exe	powershell.exe
PID 2348 wrote to memory of 2120	2348	cmd.exe	powershell.exe
PID 2348 wrote to memory of 2120	2348	cmd.exe	powershell.exe
PID 2348 wrote to memory of 2120	2348	cmd.exe	powershell.exe
PID 1784 wrote to memory of 2644	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 2644	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 2644	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 2644	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 2644	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 2644	1784	FastAimX64.exe	cmd.exe
PID 1784 wrote to memory of 2644	1784	FastAimX64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
"C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MyApp\install_python.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
3⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MyApp\install.bat""
2⤵
PID:2644

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MyApp\install.bat
Filesize
527B

MD5
c8774911b9bddd3fccb91264d715c7ba

SHA1
132c223574d1d947ef259238ffc3820ddb525492

SHA256
a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350

SHA512
9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d

Download Submit
C:\Program Files (x86)\MyApp\install_python.bat
Filesize
686B

MD5
f30718a354e7cc104ea553ce5ae2d486

SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd

SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966

SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Download Submit