7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FastAimX64.exe
Size

36.9MB
MD5

132db3303d3b0cfbc12a578688c581fd
SHA1

198d5010e04c9ad0670c7a54a942cf4eba416aee
SHA256

7e190e48165cf7c72173ce84e0f0b164fbe794d3e45069408055ba7496da1497
SHA512

f2c2568745a46920453ba6b500e02e078bc4fc45264dbb3df8451b38524f2765465a4cdc6a70b61dce554c1d3b41c44b32934d9a1f8a87109a0223ae1af7ae57
SSDEEP

786432:FYpCWvC8TK4HxoCoZjzlBeTV+WreWniTuzVVqGlQdEon/x3Ol5IPEWz:FhWvC8wrJBmV1eWniTmVV9lcLx3u5I8M

Score

8^/10

execution pyinstaller

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2680 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

creal.execreal.exe

pid process

2572 creal.exe
2340 creal.exe
1264
Loads dropped DLL 3 IoCs

Processes:

FastAimX64.execreal.exe

pid process

2336 FastAimX64.exe
2340 creal.exe
1264

pid	process
2680	powershell.exe

pid	process
2572	creal.exe
2340	creal.exe
1264

pid	process
2336	FastAimX64.exe
2340	creal.exe
1264

Drops file in Program Files directory 6 IoCs

Processes:

FastAimX64.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\MyApp\creal.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\blx.exe	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\Automatic_converter_rff_to_mp4.exe	FastAimX64.exe
File opened for modification	C:\Program Files (x86)\MyApp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\MyApp\install_python.bat	FastAimX64.exe
File created	C:\Program Files (x86)\MyApp\install.bat	FastAimX64.exe

Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

\Program Files (x86)\MyApp\creal.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2680 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

creal.exeFastAimX64.exe

pid process

2340 creal.exe
2336 FastAimX64.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2680 powershell.exe

resource	yara_rule
\Program Files (x86)\MyApp\creal.exe	pyinstaller

pid	process
2680	powershell.exe

pid	process
2340	creal.exe
2336	FastAimX64.exe

description	pid	process
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

FastAimX64.execmd.execmd.execreal.exe

description	pid	process	target process
PID 2336 wrote to memory of 2276	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2276	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2276	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2276	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2276	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2276	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2276	2336	FastAimX64.exe	cmd.exe
PID 2276 wrote to memory of 2644	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2644	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2644	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2644	2276	cmd.exe	cmd.exe
PID 2644 wrote to memory of 2680	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2680	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2680	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2680	2644	cmd.exe	powershell.exe
PID 2336 wrote to memory of 2596	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2596	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2596	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2596	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2596	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2596	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2596	2336	FastAimX64.exe	cmd.exe
PID 2336 wrote to memory of 2572	2336	FastAimX64.exe	creal.exe
PID 2336 wrote to memory of 2572	2336	FastAimX64.exe	creal.exe
PID 2336 wrote to memory of 2572	2336	FastAimX64.exe	creal.exe
PID 2336 wrote to memory of 2572	2336	FastAimX64.exe	creal.exe
PID 2572 wrote to memory of 2340	2572	creal.exe	creal.exe
PID 2572 wrote to memory of 2340	2572	creal.exe	creal.exe
PID 2572 wrote to memory of 2340	2572	creal.exe	creal.exe

C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe
"C:\Users\Admin\AppData\Local\Temp\FastAimX64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MyApp\install_python.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
3⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\MyApp\install.bat""
2⤵
PID:2596

C:\Program Files (x86)\MyApp\creal.exe
"C:\Program Files (x86)\MyApp\creal.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572

C:\Program Files (x86)\MyApp\creal.exe
"C:\Program Files (x86)\MyApp\creal.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2340

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MyApp\install.bat
Filesize
527B

MD5
c8774911b9bddd3fccb91264d715c7ba

SHA1
132c223574d1d947ef259238ffc3820ddb525492

SHA256
a67aeedd2738732a462eb4fb998d1f937aebd1fdc68072539a4774c0a5af1350

SHA512
9bb3ae0d4762c1aee9c5d0b67702854a51d75a3a28ab8eed41c4b62006d6e3168ef80dcfac8167113f22760f7309d45e0277081f6b2a22a31dbc3102216f781d

Download Submit
C:\Program Files (x86)\MyApp\install_python.bat
Filesize
686B

MD5
f30718a354e7cc104ea553ce5ae2d486

SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd

SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966

SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25722\python310.dll
Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
\Program Files (x86)\MyApp\creal.exe
Filesize
17.2MB

MD5
21ee505b3ca7bd7d78ac55710bbb6a4a

SHA1
d179baa8db01ad92fdd0dc52c558649ac7792676

SHA256
1621a732878983334a99ecd1a317f87c3750c65b47d18691d1055b2f213e8b0e

SHA512
701203c2e43cd8ecb046636bfe349ed26e4886cd3f36998467de88450c1bcdad3aa0acb540ba26e046f6d2cec2cf76ab1c9341b0b68d322f30d0b1c5b98bbf28

Download Submit