Analysis
-
max time kernel
176s -
max time network
178s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
08/11/2021, 14:53
Static task
static1
Behavioral task
behavioral1
Sample
flowey.exe
Resource
win7-en-20211104
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
flowey.exe
Resource
win10-en-20211104
0 signatures
0 seconds
General
-
Target
flowey.exe
-
Size
587KB
-
MD5
7cd5b1d26ac2bbcc2d14c9ad93347292
-
SHA1
ca48b30414d66c6a3014037c9e4433eebc1880b7
-
SHA256
4970564c582532cd7a5a38f4016e772143c73c4b2f8928100d021a7d3c2e2bc0
-
SHA512
963705a5c3c29bc25561f2b92552dae3d185d0933319b8843031d421295fcad29c1b23e76b6d9fe5ad4d483228eabf48d71bf31fde1477c98db785c33b3a777d
Score
1/10
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{130AC28E-4085-11EC-B34F-F23AFFACC4A0} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1148 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3568 flowey.exe 3568 flowey.exe 1148 iexplore.exe 1148 iexplore.exe 2392 IEXPLORE.EXE 2392 IEXPLORE.EXE 2392 IEXPLORE.EXE 2392 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1148 wrote to memory of 2392 1148 iexplore.exe 75 PID 1148 wrote to memory of 2392 1148 iexplore.exe 75 PID 1148 wrote to memory of 2392 1148 iexplore.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\flowey.exe"C:\Users\Admin\AppData\Local\Temp\flowey.exe"1⤵
- Suspicious use of SetWindowsHookEx
PID:3568
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:508
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\MoveUpdate.xhtml1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1148 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2392
-