Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 06:03
Static task: static1
Behavioral tasks:
- behavioral1: Sample FastAimX64.exe, Resource win7-20240611-en
- behavioral2: Sample FastAimX64.exe, Resource win10v2004-20240226-en
- behavioral3: Sample Automatic_converter_rff_to_mp4.exe, Resource win7-20240611-en
- behavioral4: Sample Automatic_converter_rff_to_mp4.exe, Resource win10v2004-20240508-en
- behavioral5: Sample install.bat, Resource win7-20240508-en
- behavioral6: Sample install.bat, Resource win10v2004-20240611-en
- behavioral7: Sample install_python.bat, Resource win7-20240220-en
- behavioral8: Sample install_python.bat, Resource win10v2004-20240508-en
General
- Target: FastAimX64.exe
- Size: 36.9MB
- MD5: 132db3303d3b0cfbc12a578688c581fd
- SHA1: 198d5010e04c9ad0670c7a54a942cf4eba416aee
- SHA256: 7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
- SHA512: f2c2568745a46920453ba6b500e02e078bc4fc45264dbb3df8451b38524f2765465a4cdc6a70b61dce554c1d3b41c44b32934d9a1f8a87109a0223ae1af7ae57
- SSDEEP: 786432:FYpCWvC8TK4HxoCoZjzlBeTV+WreWniTuzVVqGlQdEon/x3Ol5IPEWz:FhWvC8wrJBmV1eWniTmVV9lcLx3u5I8M
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | process
  2572 | creal.exe
  2340 | creal.exe
  1264 |
- Loads dropped DLL (3 IoCs)
  pid | process
  2336 | FastAimX64.exe
  2340 | creal.exe
  1264 |
- Drops file in Program Files directory (6 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\MyApp\creal.exe | FastAimX64.exe
  File created | C:\Program Files (x86)\MyApp\blx.exe | FastAimX64.exe
  File created | C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe | FastAimX64.exe
  File opened for modification | C:\Program Files (x86)\MyApp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File created | C:\Program Files (x86)\MyApp\install_python.bat | FastAimX64.exe
  File created | C:\Program Files (x86)\MyApp\install.bat | FastAimX64.exe
- Detects Pyinstaller (1 IoCs)
  resource | yara_rule
  \Program Files (x86)\MyApp\creal.exe | pyinstaller
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | process
  2680 | powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  2340 | creal.exe
  2336 | FastAimX64.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2680 | powershell.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  The sandbox logs one row per WriteProcessMemory call; the 29 rows collapse to six distinct parent/target pairs.
  pid | process | target pid | target process | rows
  2336 | FastAimX64.exe | 2276 | cmd.exe | 7
  2276 | cmd.exe | 2644 | cmd.exe | 4
  2644 | cmd.exe | 2680 | powershell.exe | 4
  2336 | FastAimX64.exe | 2596 | cmd.exe | 7
  2336 | FastAimX64.exe | 2572 | creal.exe | 4
  2572 | creal.exe | 2340 | creal.exe | 3
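The WriteProcessMemory table is a flat list with one row per API call, so the launch structure is easier to read once the rows are de-duplicated into a parent/child tree. The following Python is an added example, not part of the report or of the sample: it parses rows in the layout the report uses (the sample input is constructed from this report's distinct rows, with two of them repeated on purpose to exercise the de-duplication), rebuilds the tree with PIDs and image names, and flags the dropper -> cmd.exe -> cmd.exe -> powershell.exe chain that install_python.bat produces here. The "cmd.exe, cmd.exe, powershell.exe" tail used as the detection shape is an assumption drawn from this one report, not a general rule.

```python
"""Rebuild a process tree from flattened 'wrote to memory of' rows and flag
the cmd -> cmd -> powershell launch chain. Added example; the sample rows
are copied from this report (two rows repeated on purpose)."""
import re
from collections import Counter, defaultdict

# Constructed input: the distinct rows of the report's WriteProcessMemory
# table. The sandbox logs one row per WriteProcessMemory call, so one
# CreateProcess appears several times; two repeats are kept here.
RECORDS = """\
PID 2336 wrote to memory of 2276 2336 FastAimX64.exe cmd.exe
PID 2336 wrote to memory of 2276 2336 FastAimX64.exe cmd.exe
PID 2276 wrote to memory of 2644 2276 cmd.exe cmd.exe
PID 2644 wrote to memory of 2680 2644 cmd.exe powershell.exe
PID 2336 wrote to memory of 2596 2336 FastAimX64.exe cmd.exe
PID 2336 wrote to memory of 2572 2336 FastAimX64.exe creal.exe
PID 2572 wrote to memory of 2340 2572 creal.exe creal.exe
PID 2572 wrote to memory of 2340 2572 creal.exe creal.exe
"""

# description | pid | process | target process, as laid out in the report
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")


def parse_records(text):
    """Return (Counter{(parent_pid, child_pid): rows}, {pid: image name})."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or truncated row: skip rather than guess
        parent, child, pid, pname, cname = m.groups()
        if parent != pid:
            raise ValueError(f"description and pid column disagree: {line!r}")
        edges[(int(parent), int(child))] += 1
        names[int(parent)] = pname
        names[int(child)] = cname
    return edges, names


def build_tree(edges):
    """Adjacency map parent -> [children] in first-seen order."""
    tree = defaultdict(list)
    for parent, child in edges:
        tree[parent].append(child)
    return tree


def roots(edges):
    """PIDs that write into other processes but were never written into."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render(tree, names, pid, depth=0):
    """Indented lines, one per process, like the report's Processes section."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, child, depth + 1))
    return lines


def paths_to(tree, names, root, target_name):
    """Every root -> descendant PID path whose last process is target_name."""
    found = []

    def walk(pid, path):
        path = path + [pid]
        if names.get(pid, "").lower() == target_name.lower():
            found.append(path)
        for child in tree.get(pid, []):
            walk(child, path)

    walk(root, [])
    return found


def flagged_chains(edges, names):
    """Paths ending cmd.exe -> cmd.exe -> powershell.exe under a non-shell root.

    This is the shape install_python.bat produces in the report: the dropper
    runs the batch via cmd, and the batch runs cmd /c powershell. A bare
    cmd -> powershell pair is too common to alert on by itself, so the
    three-process tail is required (an assumption taken from this report)."""
    tree = build_tree(edges)
    hits = []
    for root in roots(edges):
        if names[root].lower() in ("cmd.exe", "powershell.exe"):
            continue
        for path in paths_to(tree, names, root, "powershell.exe"):
            tail = [names[p].lower() for p in path[-3:]]
            if tail == ["cmd.exe", "cmd.exe", "powershell.exe"]:
                hits.append(path)
    return hits


if __name__ == "__main__":
    edges, names = parse_records(RECORDS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, names, root)))
    print("flagged:", flagged_chains(edges, names))
```

Rows whose process column is missing (the pid 1264 entries in this report) fail the regex and are skipped rather than guessed at; a row whose description PID disagrees with its pid column is treated as a parsing error, since that would mean the columns were mis-split.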
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Program Files (x86)\MyApp\install_python.bat""
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
            - Command and Scripting Interpreter: PowerShell
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Program Files (x86)\MyApp\install.bat""
  - [2] C:\Program Files (x86)\MyApp\creal.exe
        command line: "C:\Program Files (x86)\MyApp\creal.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\MyApp\creal.exe
          command line: "C:\Program Files (x86)\MyApp\creal.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: GetForegroundWindowSpam
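The PowerShell one-liner launched from install_python.bat scrapes the python.org FTP index for the highest 3.10.x version string. Two properties of that command as written are worth knowing when reading the behaviour: the dots in the pattern '3.10.[0-9]{1,2}' are unescaped, so they match any character, and Sort-Object -Descending orders strings lexically, not as version numbers, so "3.10.9" outranks "3.10.14". The Python below is an added example, not the sample's code and not the report's: it re-implements the same pipeline over a constructed stand-in for the directory listing (the real index page is not reproduced) so the selection behaviour can be checked offline, and puts an anchored, numerically ordered variant beside it. Python's str sort is ordinal where PowerShell's is culture-aware and case-insensitive, but for these digit-and-dot strings both give the same order.

```python
"""Re-implementation of the version-selection pipeline in install_python.bat,
run over a constructed directory listing. Added example, not the sample's
code; the listing below is made up for the demonstration."""
import re

# Constructed stand-in for https://www.python.org/ftp/python/ (the real
# index is not reproduced here): three 3.10.x entries plus neighbours.
LISTING = """\
<a href="3.8.10/">3.8.10/</a>
<a href="3.10.1/">3.10.1/</a>
<a href="3.10.9/">3.10.9/</a>
<a href="3.10.14/">3.10.14/</a>
<a href="3.11.2/">3.11.2/</a>
"""

# The batch file's pattern, verbatim. The unescaped dots match any
# character, so a string such as '3-10-21' also matches.
BATCH_PATTERN = re.compile(r"3.10.[0-9]{1,2}")

# Same intent, anchored: literal dots, and no digit or dot on either side,
# so '13.10.1' does not match and '3.10.145' does not yield '3.10.14'.
STRICT_PATTERN = re.compile(r"(?<![\d.])3\.10\.(\d{1,2})(?![\d.])")


def pick_as_batch_does(html):
    """Select-String -AllMatches | Sort-Object -Descending -Unique | Select -First 1.

    Sort-Object compares strings, not version numbers, so '3.10.9' sorts
    above '3.10.14' and the one-liner does not return the newest release.
    sorted() on str reproduces that ordering."""
    matches = sorted(set(BATCH_PATTERN.findall(html)), reverse=True)
    return matches[0] if matches else None


def pick_numeric(html):
    """Highest 3.10.x by numeric patch level, using the anchored pattern."""
    patches = {int(p) for p in STRICT_PATTERN.findall(html)}
    return f"3.10.{max(patches)}" if patches else None


def false_matches(text):
    """Strings the batch pattern accepts that the anchored pattern rejects."""
    strict = {f"3.10.{p}" for p in STRICT_PATTERN.findall(text)}
    return [m for m in BATCH_PATTERN.findall(text) if m not in strict]


if __name__ == "__main__":
    print("batch logic picks:", pick_as_batch_does(LISTING))
    print("numeric pick:     ", pick_numeric(LISTING))
    print("false matches:    ", false_matches("build 3-10-21 of 3.10.9"))
```

On this listing the batch logic returns "3.10.9" while the newest 3.10 entry is "3.10.14"; whatever the live index contains, the selection rule is the same, so the version the installer fetches is whichever 3.10.x string sorts highest lexically, not the latest release.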
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files (x86)\MyApp\install.bat
  Filesize: 527B
  MD5: c8774911b9bddd3fccb91264d715c7ba
  SHA1: 132c223574d1d947ef259238ffc3820ddb525492
  SHA256: a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350
  SHA512: 9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d
- C:\Program Files (x86)\MyApp\install_python.bat
  Filesize: 686B
  MD5: f30718a354e7cc104ea553ce5ae2d486
  SHA1: 3876134e6b92da57a49d868013ed35b5d946f8fd
  SHA256: 94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
  SHA512: 601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874
- C:\Users\Admin\AppData\Local\Temp\_MEI25722\python310.dll
  Filesize: 4.3MB
  MD5: deaf0c0cc3369363b800d2e8e756a402
  SHA1: 3085778735dd8badad4e39df688139f4eed5f954
  SHA256: 156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
  SHA512: 5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989
- \Program Files (x86)\MyApp\creal.exe
  Filesize: 17.2MB
  MD5: 21ee505b3ca7bd7d78ac55710bbb6a4a
  SHA1: d179baa8db01ad92fdd0dc52c558649ac7792676
  SHA256: 1621a732878983334a99ecd1a317f87c3750c65b47d18691d1055b2f213e8b0e
  SHA512: 701203c2e43cd8ecb046636bfe349ed26e4886cd3f36998467de88450c1bcdad3aa0acb540ba26e046f6d2cec2cf76ab1c9341b0b68d322f30d0b1c5b98bbf28