7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497

Analysis

max time kernel
134s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FastAimX64.exe
Size

36.9MB
MD5

132db3303d3b0cfbc12a578688c581fd
SHA1

198d5010e04c9ad0670c7a54a942cf4eba416aee
SHA256

7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
SHA512

f2c2568745a46920453ba6b500e02e078bc4fc45264dbb3df8451b38524f2765465a4cdc6a70b61dce554c1d3b41c44b32934d9a1f8a87109a0223ae1af7ae57
SSDEEP

786432:FYpCWvC8TK4HxoCoZjzlBeTV+WreWniTuzVVqGlQdEon/x3Ol5IPEWz:FhWvC8wrJBmV1eWniTmVV9lcLx3u5I8M

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

20 2708 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2708 powershell.exe

flow	pid	process
20	2708	powershell.exe

pid	process
2708	powershell.exe

Drops file in Program Files directory 6 IoCs

Processes:

FastAimX64.execurl.exe

description	ioc	process
File created	C:\Program Files (x86)\MyApp\install.bat	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\creal.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\blx.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\python-installer.exe	curl.exe
File created	C:\Program Files (x86)\MyApp\install_python.bat	FastAimX64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5064 2708 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2708 powershell.exe
2708 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2708 powershell.exe

pid	pid_target	process	target process
5064	2708	WerFault.exe	powershell.exe

pid	process
2708	powershell.exe
2708	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

FastAimX64.execmd.execmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 4124	1064	FastAimX64.exe	cmd.exe
PID 1064 wrote to memory of 4124	1064	FastAimX64.exe	cmd.exe
PID 1064 wrote to memory of 4124	1064	FastAimX64.exe	cmd.exe
PID 4124 wrote to memory of 756	4124	cmd.exe	cmd.exe
PID 4124 wrote to memory of 756	4124	cmd.exe	cmd.exe
PID 4124 wrote to memory of 756	4124	cmd.exe	cmd.exe
PID 756 wrote to memory of 2708	756	cmd.exe	powershell.exe
PID 756 wrote to memory of 2708	756	cmd.exe	powershell.exe
PID 756 wrote to memory of 2708	756	cmd.exe	powershell.exe
PID 4124 wrote to memory of 2908	4124	cmd.exe	curl.exe
PID 4124 wrote to memory of 2908	4124	cmd.exe	curl.exe
PID 4124 wrote to memory of 2908	4124	cmd.exe	curl.exe
PID 1064 wrote to memory of 4200	1064	FastAimX64.exe	cmd.exe
PID 1064 wrote to memory of 4200	1064	FastAimX64.exe	cmd.exe
PID 1064 wrote to memory of 4200	1064	FastAimX64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
"C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyApp\install_python.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
3⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 2776
5⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\curl.exe
curl -L -o python-installer.exe https://www.python.org/ftp/python//python--amd64.exe
3⤵
- Drops file in Program Files directory
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyApp\install.bat""
2⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2708 -ip 2708
1⤵
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MyApp\install.bat
Filesize
527B

MD5
c8774911b9bddd3fccb91264d715c7ba

SHA1
132c223574d1d947ef259238ffc3820ddb525492

SHA256
a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350

SHA512
9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d

Download Submit
C:\Program Files (x86)\MyApp\install_python.bat
Filesize
686B

MD5
f30718a354e7cc104ea553ce5ae2d486

SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd

SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966

SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Download Submit
C:\Program Files (x86)\MyApp\python-installer.exe
Filesize
146B

MD5
8eec510e57f5f732fd2cce73df7b73ef

SHA1
3c0af39ecb3753c5fee3b53d063c7286019eac3b

SHA256
55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0

SHA512
73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1uvqiis5.nkc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2708-14-0x0000000004CF0000-0x0000000004D56000-memory.dmp

Filesize
408KB

Download
memory/2708-25-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/2708-12-0x0000000004BE0000-0x0000000004C02000-memory.dmp

Filesize
136KB

Download
memory/2708-13-0x0000000004C80000-0x0000000004CE6000-memory.dmp

Filesize
408KB

Download
memory/2708-10-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/2708-9-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/2708-24-0x00000000055D0000-0x0000000005924000-memory.dmp

Filesize
3.3MB

Download
memory/2708-11-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/2708-26-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download
memory/2708-27-0x00000000072D0000-0x000000000794A000-memory.dmp

Filesize
6.5MB

Download
memory/2708-28-0x0000000005F90000-0x0000000005FAA000-memory.dmp

Filesize
104KB

Download
memory/2708-29-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/2708-8-0x0000000002150000-0x0000000002186000-memory.dmp

Filesize
216KB

Download
memory/2708-7-0x00000000741CE000-0x00000000741CF000-memory.dmp

Filesize
4KB

Download