Analysis
- max time kernel: 134s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 05:54
Static task
- static1
Behavioral tasks
- behavioral1: Sample FastAimX64.exe, Resource win7-20240611-en
- behavioral2: Sample FastAimX64.exe, Resource win10v2004-20240611-en
- behavioral3: Sample Automatic_converter_rff_to_mp4.exe, Resource win7-20240419-en
- behavioral4: Sample Automatic_converter_rff_to_mp4.exe, Resource win10v2004-20240508-en
- behavioral5: Sample install.bat, Resource win7-20240611-en
- behavioral6: Sample install.bat, Resource win10v2004-20240226-en
- behavioral7: Sample install_python.bat, Resource win7-20240508-en
- behavioral8: Sample install_python.bat, Resource win10v2004-20240508-en
General
- Target: FastAimX64.exe
- Size: 36.9MB
- MD5: 132db3303d3b0cfbc12a578688c581fd
- SHA1: 198d5010e04c9ad0670c7a54a942cf4eba416aee
- SHA256: 7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
- SHA512: f2c2568745a46920453ba6b500e02e078bc4fc45264dbb3df8451b38524f2765465a4cdc6a70b61dce554c1d3b41c44b32934d9a1f8a87109a0223ae1af7ae57
- SSDEEP: 786432:FYpCWvC8TK4HxoCoZjzlBeTV+WreWniTuzVVqGlQdEon/x3Ol5IPEWz:FhWvC8wrJBmV1eWniTmVV9lcLx3u5I8M
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
  - flow 20, PID 2708, powershell.exe
- Drops file in Program Files directory (6 IoCs)
  Processes: FastAimX64.exe, curl.exe
  - File created: C:\Program Files (x86)\MyApp\install.bat (FastAimX64.exe)
  - File created: C:\Program Files (x86)\MyApp\creal.exe (FastAimX64.exe)
  - File created: C:\Program Files (x86)\MyApp\blx.exe (FastAimX64.exe)
  - File created: C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe (FastAimX64.exe)
  - File created: C:\Program Files (x86)\MyApp\python-installer.exe (curl.exe)
  - File created: C:\Program Files (x86)\MyApp\install_python.bat (FastAimX64.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: WerFault.exe
  - PID 5064 (WerFault.exe), target PID 2708 (powershell.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  - PID 2708, powershell.exe
  - PID 2708, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  - Token: SeDebugPrivilege, PID 2708, powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: FastAimX64.exe, cmd.exe, cmd.exe
  - PID 1064 wrote to memory of 4124: FastAimX64.exe to cmd.exe (3 IoCs)
  - PID 4124 wrote to memory of 756: cmd.exe to cmd.exe (3 IoCs)
  - PID 756 wrote to memory of 2708: cmd.exe to powershell.exe (3 IoCs)
  - PID 4124 wrote to memory of 2908: cmd.exe to curl.exe (3 IoCs)
  - PID 1064 wrote to memory of 4200: FastAimX64.exe to cmd.exe (3 IoCs)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyApp\install_python.bat""
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 2776
          - Program crash
    - [depth 3] C:\Windows\SysWOW64\curl.exe
      Command line: curl -L -o python-installer.exe https://www.python.org/ftp/python//python--amd64.exe
      - Drops file in Program Files directory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyApp\install.bat""
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2708 -ip 2708
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files (x86)\MyApp\install.bat
  Filesize: 527B
  MD5: c8774911b9bddd3fccb91264d715c7ba
  SHA1: 132c223574d1d947ef259238ffc3820ddb525492
  SHA256: a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350
  SHA512: 9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d
- C:\Program Files (x86)\MyApp\install_python.bat
  Filesize: 686B
  MD5: f30718a354e7cc104ea553ce5ae2d486
  SHA1: 3876134e6b92da57a49d868013ed35b5d946f8fd
  SHA256: 94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
  SHA512: 601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874
- C:\Program Files (x86)\MyApp\python-installer.exe
  Filesize: 146B
  MD5: 8eec510e57f5f732fd2cce73df7b73ef
  SHA1: 3c0af39ecb3753c5fee3b53d063c7286019eac3b
  SHA256: 55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0
  SHA512: 73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1uvqiis5.nkc.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82