Analysis
- max time kernel: 123s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 05:54
Static task
- static1
Behavioral tasks
- behavioral1: Sample FastAimX64.exe, Resource win7-20240611-en
- behavioral2: Sample FastAimX64.exe, Resource win10v2004-20240611-en
- behavioral3: Sample Automatic_converter_rff_to_mp4.exe, Resource win7-20240419-en
- behavioral4: Sample Automatic_converter_rff_to_mp4.exe, Resource win10v2004-20240508-en
- behavioral5: Sample install.bat, Resource win7-20240611-en
- behavioral6: Sample install.bat, Resource win10v2004-20240226-en
- behavioral7: Sample install_python.bat, Resource win7-20240508-en
- behavioral8: Sample install_python.bat, Resource win10v2004-20240508-en
General
- Target: FastAimX64.exe
- Size: 36.9MB
- MD5: 132db3303d3b0cfbc12a578688c581fd
- SHA1: 198d5010e04c9ad0670c7a54a942cf4eba416aee
- SHA256: 7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
- SHA512: f2c2568745a46920453ba6b500e02e078bc4fc45264dbb3df8451b38524f2765465a4cdc6a70b61dce554c1d3b41c44b32934d9a1f8a87109a0223ae1af7ae57
- SSDEEP: 786432:FYpCWvC8TK4HxoCoZjzlBeTV+WreWniTuzVVqGlQdEon/x3Ol5IPEWz:FhWvC8wrJBmV1eWniTmVV9lcLx3u5I8M
Malware Config
Signatures
- Drops file in Program Files directory (6 IoCs)
  Processes: FastAimX64.exe, powershell.exe
  File created: C:\Program Files (x86)\MyApp\blx.exe (FastAimX64.exe)
  File created: C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe (FastAimX64.exe)
  File opened for modification: C:\Program Files (x86)\MyApp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  File created: C:\Program Files (x86)\MyApp\install_python.bat (FastAimX64.exe)
  File created: C:\Program Files (x86)\MyApp\install.bat (FastAimX64.exe)
  File created: C:\Program Files (x86)\MyApp\creal.exe (FastAimX64.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 2120)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 2120), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: FastAimX64.exe, cmd.exe, cmd.exe
  PID 1784 (FastAimX64.exe) wrote to memory of PID 3064 (cmd.exe): 7 events
  PID 3064 (cmd.exe) wrote to memory of PID 2348 (cmd.exe): 4 events
  PID 2348 (cmd.exe) wrote to memory of PID 2120 (powershell.exe): 4 events
  PID 1784 (FastAimX64.exe) wrote to memory of PID 2644 (cmd.exe): 7 events
Processes
- C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files (x86)\MyApp\install_python.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
        - Command and Scripting Interpreter: PowerShell
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files (x86)\MyApp\install.bat""
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Program Files (x86)\MyApp\install.bat
  Filesize: 527B
  MD5: c8774911b9bddd3fccb91264d715c7ba
  SHA1: 132c223574d1d947ef259238ffc3820ddb525492
  SHA256: a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350
  SHA512: 9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d
- C:\Program Files (x86)\MyApp\install_python.bat
  Filesize: 686B
  MD5: f30718a354e7cc104ea553ce5ae2d486
  SHA1: 3876134e6b92da57a49d868013ed35b5d946f8fd
  SHA256: 94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
  SHA512: 601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874