a63ad17f9da3fb8cf9d4b8c8f6273daec8687e1341a51b21b6e6f6631ef0352f

Analysis

max time kernel
145s
max time network
135s
platform
windows10_x64
resource
win10v200430
submitted
14/07/2020, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlowerPower.exe
Size

5.8MB
MD5

78263df9cd49a86778936bbe067d321f
SHA1

af8b97cde7d3adad1afa14ae955df8390c0b586d
SHA256

a63ad17f9da3fb8cf9d4b8c8f6273daec8687e1341a51b21b6e6f6631ef0352f
SHA512

7be93824a3274a3a47f2848cf5691e0953e06f786dd874651f08ddf80e7e8705b3e684d3be4be5045a848a9517857446523cac9b836f8582d2c9124a0a4a361e

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1628	FlowerPower.exe
1628	FlowerPower.exe
3952	FlowerPower.exe
3952	FlowerPower.exe
3932	explorer.exe
3932	explorer.exe
2012	explorer.exe
2012	explorer.exe
1444	spoolsv.exe
1444	spoolsv.exe
2012	explorer.exe
2012	explorer.exe
1844	spoolsv.exe
1844	spoolsv.exe
2504	spoolsv.exe
2504	spoolsv.exe
3816	spoolsv.exe
3816	spoolsv.exe
3880	spoolsv.exe
3880	spoolsv.exe

Suspicious use of WriteProcessMemory 266 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1720	1628	FlowerPower.exe	68
PID 1628 wrote to memory of 1720	1628	FlowerPower.exe	68
PID 1628 wrote to memory of 1720	1628	FlowerPower.exe	68
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1628 wrote to memory of 1320	1628	FlowerPower.exe	70
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 3952	1320	FlowerPower.exe	75
PID 1320 wrote to memory of 2960	1320	FlowerPower.exe	76
PID 1320 wrote to memory of 2960	1320	FlowerPower.exe	76
PID 1320 wrote to memory of 2960	1320	FlowerPower.exe	76
PID 1320 wrote to memory of 2960	1320	FlowerPower.exe	76
PID 1320 wrote to memory of 2960	1320	FlowerPower.exe	76
PID 3952 wrote to memory of 3932	3952	FlowerPower.exe	77
PID 3952 wrote to memory of 3932	3952	FlowerPower.exe	77
PID 3952 wrote to memory of 3932	3952	FlowerPower.exe	77
PID 3932 wrote to memory of 4036	3932	explorer.exe	78
PID 3932 wrote to memory of 4036	3932	explorer.exe	78
PID 3932 wrote to memory of 4036	3932	explorer.exe	78
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 3932 wrote to memory of 4032	3932	explorer.exe	80
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 2012	4032	explorer.exe	81
PID 4032 wrote to memory of 3420	4032	explorer.exe	82
PID 4032 wrote to memory of 3420	4032	explorer.exe	82
PID 4032 wrote to memory of 3420	4032	explorer.exe	82
PID 4032 wrote to memory of 3420	4032	explorer.exe	82
PID 4032 wrote to memory of 3420	4032	explorer.exe	82
PID 2012 wrote to memory of 1444	2012	explorer.exe	83
PID 2012 wrote to memory of 1444	2012	explorer.exe	83
PID 2012 wrote to memory of 1444	2012	explorer.exe	83
PID 1444 wrote to memory of 1404	1444	spoolsv.exe	84
PID 1444 wrote to memory of 1404	1444	spoolsv.exe	84
PID 1444 wrote to memory of 1404	1444	spoolsv.exe	84
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 1444 wrote to memory of 1152	1444	spoolsv.exe	86
PID 2012 wrote to memory of 1844	2012	explorer.exe	88
PID 2012 wrote to memory of 1844	2012	explorer.exe	88
PID 2012 wrote to memory of 1844	2012	explorer.exe	88
PID 1844 wrote to memory of 1688	1844	spoolsv.exe	89
PID 1844 wrote to memory of 1688	1844	spoolsv.exe	89
PID 1844 wrote to memory of 1688	1844	spoolsv.exe	89
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 1844 wrote to memory of 1532	1844	spoolsv.exe	92
PID 2012 wrote to memory of 2504	2012	explorer.exe	93
PID 2012 wrote to memory of 2504	2012	explorer.exe	93
PID 2012 wrote to memory of 2504	2012	explorer.exe	93
PID 2504 wrote to memory of 548	2504	spoolsv.exe	94
PID 2504 wrote to memory of 548	2504	spoolsv.exe	94
PID 2504 wrote to memory of 548	2504	spoolsv.exe	94
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2504 wrote to memory of 1736	2504	spoolsv.exe	96
PID 2012 wrote to memory of 3816	2012	explorer.exe	97
PID 2012 wrote to memory of 3816	2012	explorer.exe	97
PID 2012 wrote to memory of 3816	2012	explorer.exe	97
PID 3816 wrote to memory of 2840	3816	spoolsv.exe	98
PID 3816 wrote to memory of 2840	3816	spoolsv.exe	98
PID 3816 wrote to memory of 2840	3816	spoolsv.exe	98
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 3816 wrote to memory of 3044	3816	spoolsv.exe	100
PID 2012 wrote to memory of 3880	2012	explorer.exe	101
PID 2012 wrote to memory of 3880	2012	explorer.exe	101
PID 2012 wrote to memory of 3880	2012	explorer.exe	101
PID 3880 wrote to memory of 4056	3880	spoolsv.exe	102
PID 3880 wrote to memory of 4056	3880	spoolsv.exe	102
PID 3880 wrote to memory of 4056	3880	spoolsv.exe	102
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104
PID 3880 wrote to memory of 3932	3880	spoolsv.exe	104

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 1320	1628	FlowerPower.exe	70
PID 1320 set thread context of 3952	1320	FlowerPower.exe	75
PID 1320 set thread context of 2960	1320	FlowerPower.exe	76
PID 3932 set thread context of 4032	3932	explorer.exe	80
PID 4032 set thread context of 2012	4032	explorer.exe	81
PID 4032 set thread context of 3420	4032	explorer.exe	82
PID 1444 set thread context of 1152	1444	spoolsv.exe	86
PID 1844 set thread context of 1532	1844	spoolsv.exe	92
PID 2504 set thread context of 1736	2504	spoolsv.exe	96
PID 3816 set thread context of 3044	3816	spoolsv.exe	100
PID 3880 set thread context of 3932	3880	spoolsv.exe	104

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	FlowerPower.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1628	FlowerPower.exe
1628	FlowerPower.exe
3952	FlowerPower.exe
3952	FlowerPower.exe
3932	explorer.exe
3932	explorer.exe
1444	spoolsv.exe
1444	spoolsv.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
1844	spoolsv.exe
1844	spoolsv.exe
2012	explorer.exe
2012	explorer.exe
2504	spoolsv.exe
2504	spoolsv.exe
2012	explorer.exe
2012	explorer.exe
3816	spoolsv.exe
3816	spoolsv.exe
2012	explorer.exe
2012	explorer.exe
3880	spoolsv.exe
3880	spoolsv.exe

Executes dropped EXE 12 IoCs

pid	Process
3932	explorer.exe
4032	explorer.exe
2012	explorer.exe
1444	spoolsv.exe
1152	spoolsv.exe
1844	spoolsv.exe
1532	spoolsv.exe
2504	spoolsv.exe
1736	spoolsv.exe
3816	spoolsv.exe
3044	spoolsv.exe
3880	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Modifies the visibility of hidden or system files 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Adds Run entry to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	FlowerPower.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
"C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
  C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Adds Run entry to start application
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
    C:\Users\Admin\AppData\Local\Temp\FlowerPower.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3952
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      PID:3932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:4036
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Suspicious use of SetThreadContext
        Executes dropped EXE
        Adds Run entry to start application
        
        PID:4032
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        Drops file in Windows directory
        Modifies WinLogon for persistence
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Modifies Installed Components in the registry
        Modifies the visibility of hidden or system files
        Adds Run entry to start application
        
        PID:2012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1532
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1736
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3420
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-57-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1320-1-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1320-5-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1320-4-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1532-68-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1736-79-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2012-74-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2012-53-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2012-52-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2012-51-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2012-75-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2012-49-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2012-84-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2012-86-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2012-63-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2012-64-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2960-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2960-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3044-91-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3952-16-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/3952-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-15-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/3952-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-27-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download