ffdroider | 31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6

Analysis

max time kernel
188s
max time network
177s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
Size

5.1MB
MD5

c61ee25a2f0a481f0972301f17f95526
SHA1

7286b68dbf2489677589499589de03cb51cb484a
SHA256

31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6
SHA512

0c9d77413b2a1193c343e24cbae253df1f7767d67d76ab2f0f8c397b8a70d7618bee83435be6ed7a7100334702a23596237792d69f16ef24d98c1f542f23a49a

Score

10^/10

ffdroider discovery evasion spyware stealer suricata trojan

Malware Config

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1104-86-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/1104-87-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/1104-88-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/1104-89-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/1104-91-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/1104-93-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/1104-112-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/1104-113-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

Cube_WW9.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Cube_WW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Cube_WW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Cube_WW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Cube_WW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Cube_WW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Cube_WW9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Cube_WW9.exe

suricata: ET MALWARE Win32/FFDroider CnC Activity
suricata: ET MALWARE Win32/FFDroider CnC Activity
suricata
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/files/0x00070000000139dd-65.dat	WebBrowserPassView
behavioral1/files/0x00070000000139dd-67.dat	WebBrowserPassView
behavioral1/files/0x000800000001411e-108.dat	WebBrowserPassView
behavioral1/memory/1680-110-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/files/0x000800000001411e-111.dat	WebBrowserPassView
behavioral1/files/0x00070000000139dd-117.dat	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00070000000139dd-65.dat	Nirsoft
behavioral1/files/0x00070000000139dd-67.dat	Nirsoft
behavioral1/files/0x000800000001411e-108.dat	Nirsoft
behavioral1/memory/1680-110-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/files/0x000800000001411e-111.dat	Nirsoft
behavioral1/files/0x00070000000139dd-117.dat	Nirsoft

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

inst2.exetoolspab2.exertst1039.exejg1_1faf.exeCube_WW9.exetoolspab2.exe11111.exe2rOi9Rgacvsc5OK3dELhrc7f.exe

pid	Process
1308	inst2.exe
948	toolspab2.exe
2044	rtst1039.exe
1104	jg1_1faf.exe
1752	Cube_WW9.exe
1832	toolspab2.exe
1680	11111.exe
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cube_WW9.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	Cube_WW9.exe

Loads dropped DLL 7 IoCs

Processes:

31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exeCube_WW9.exe

pid	Process
1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
1752	Cube_WW9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	ip-api.com
31	ipinfo.io
32	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

jg1_1faf.exe

pid	Process
1104	jg1_1faf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

toolspab2.exe

description	pid	Process	procid_target
PID 948 set thread context of 1832	948	toolspab2.exe	34

Drops file in Program Files directory 9 IoCs

Processes:

jg1_1faf.exe31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\d	jg1_1faf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rtst1039.exe	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst2.exe	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\toolspab2.exe	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	jg1_1faf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspab2.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Cube_WW9.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Cube_WW9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Cube_WW9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspab2.exe11111.exeCube_WW9.exe2rOi9Rgacvsc5OK3dELhrc7f.exe

pid	Process
1832	toolspab2.exe
1832	toolspab2.exe
1264
1264
1264
1680	11111.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1680	11111.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1752	Cube_WW9.exe
1752	Cube_WW9.exe
1752	Cube_WW9.exe
1752	Cube_WW9.exe
1752	Cube_WW9.exe
1264
1264
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264
1656	2rOi9Rgacvsc5OK3dELhrc7f.exe
1264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
1264

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspab2.exe

pid	Process
1832	toolspab2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jg1_1faf.exe

description	pid	Process
Token: SeManageVolumePrivilege	1104	jg1_1faf.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exetoolspab2.exertst1039.exeCube_WW9.exe

description	pid	Process	procid_target
PID 1464 wrote to memory of 1308	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	28
PID 1464 wrote to memory of 1308	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	28
PID 1464 wrote to memory of 1308	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	28
PID 1464 wrote to memory of 1308	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	28
PID 1464 wrote to memory of 948	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	29
PID 1464 wrote to memory of 948	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	29
PID 1464 wrote to memory of 948	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	29
PID 1464 wrote to memory of 948	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	29
PID 1464 wrote to memory of 2044	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	30
PID 1464 wrote to memory of 2044	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	30
PID 1464 wrote to memory of 2044	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	30
PID 1464 wrote to memory of 2044	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	30
PID 1464 wrote to memory of 1104	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	31
PID 1464 wrote to memory of 1104	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	31
PID 1464 wrote to memory of 1104	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	31
PID 1464 wrote to memory of 1104	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	31
PID 1464 wrote to memory of 1752	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	32
PID 1464 wrote to memory of 1752	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	32
PID 1464 wrote to memory of 1752	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	32
PID 1464 wrote to memory of 1752	1464	31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe	32
PID 948 wrote to memory of 1832	948	toolspab2.exe	34
PID 948 wrote to memory of 1832	948	toolspab2.exe	34
PID 948 wrote to memory of 1832	948	toolspab2.exe	34
PID 948 wrote to memory of 1832	948	toolspab2.exe	34
PID 948 wrote to memory of 1832	948	toolspab2.exe	34
PID 948 wrote to memory of 1832	948	toolspab2.exe	34
PID 948 wrote to memory of 1832	948	toolspab2.exe	34
PID 2044 wrote to memory of 1680	2044	rtst1039.exe	37
PID 2044 wrote to memory of 1680	2044	rtst1039.exe	37
PID 2044 wrote to memory of 1680	2044	rtst1039.exe	37
PID 2044 wrote to memory of 1680	2044	rtst1039.exe	37
PID 1752 wrote to memory of 1656	1752	Cube_WW9.exe	40
PID 1752 wrote to memory of 1656	1752	Cube_WW9.exe	40
PID 1752 wrote to memory of 1656	1752	Cube_WW9.exe	40
PID 1752 wrote to memory of 1656	1752	Cube_WW9.exe	40

C:\Users\Admin\AppData\Local\Temp\31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe
"C:\Users\Admin\AppData\Local\Temp\31a6537d4cd25c21ac9a7189bdf6e6b7cc035e91a60745149eb0e0f2c0fd6be6.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files (x86)\Company\NewProduct\inst2.exe
  "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
  "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
    "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1832
- C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
  "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1680
- C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
  "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe
  "C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\Pictures\Adobe Films\2rOi9Rgacvsc5OK3dELhrc7f.exe
    "C:\Users\Admin\Pictures\Adobe Films\2rOi9Rgacvsc5OK3dELhrc7f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe

Filesize
137KB

MD5
e88a59876ea9ad978cadc4fe3105f23f

SHA1
aa3a48f01218b9d0e55c3629bb689b05d135d508

SHA256
764cc1739087f72db37602c60fd7ec8303114f46c1c4a338fbf1ff3d9d181b03

SHA512
9fe4fa68b35d14095be5e31098fcff6d7b6b4a409fbc2800051ce8a6525e0f8344675aa07cd39d2d081e32acd31d9a2eed081113e14e9c0d23c2d2f0e5b68419

Download Submit
C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe

Filesize
137KB

MD5
e88a59876ea9ad978cadc4fe3105f23f

SHA1
aa3a48f01218b9d0e55c3629bb689b05d135d508

SHA256
764cc1739087f72db37602c60fd7ec8303114f46c1c4a338fbf1ff3d9d181b03

SHA512
9fe4fa68b35d14095be5e31098fcff6d7b6b4a409fbc2800051ce8a6525e0f8344675aa07cd39d2d081e32acd31d9a2eed081113e14e9c0d23c2d2f0e5b68419

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst2.exe

Filesize
223KB

MD5
c393469f48d78919ab7eb82e1b248b83

SHA1
ea5a5502cc847092fcf5497b2db4776fe6c55a16

SHA256
dbc95faa16f88904dc5448881efc5b1751b6fa1f23c75c0d298fb21ebc47045c

SHA512
588120afd75bdcec9bde05fa132f8fe80aef038edadfaa5004270eb79eb2fbd1c0fb20e1dd485bf2b13ad36eb84ad3731aec113e6d88cc1fa5881e34698115b7

Download Submit
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

Filesize
4.1MB

MD5
03c055e021d1f56cfe74badffe93e7bc

SHA1
84493871e54d877a4aedf64f56c41ce3be8305c5

SHA256
8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

SHA512
5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

Download Submit
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

Filesize
4.1MB

MD5
03c055e021d1f56cfe74badffe93e7bc

SHA1
84493871e54d877a4aedf64f56c41ce3be8305c5

SHA256
8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

SHA512
5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

Download Submit
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe

Filesize
2.0MB

MD5
fe18d0f0f56abf84f421f7961206d5d1

SHA1
6685e8c651d2b2342b7a6f717360cb05d5455fe7

SHA256
efd4d7544f985545e2fd3377d0a9af6852315fa2eb4d0b14b3c4ac36dee6ce80

SHA512
74c216d1dddee3108fb80c5139af62efa6b3c855ce5468c5a4ec057fd29ef2cf5df74a145bd45fe70235ed2f45ed2839b319358e9c5523f60d5cfeff54f07669

Download Submit
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe

Filesize
2.0MB

MD5
fe18d0f0f56abf84f421f7961206d5d1

SHA1
6685e8c651d2b2342b7a6f717360cb05d5455fe7

SHA256
efd4d7544f985545e2fd3377d0a9af6852315fa2eb4d0b14b3c4ac36dee6ce80

SHA512
74c216d1dddee3108fb80c5139af62efa6b3c855ce5468c5a4ec057fd29ef2cf5df74a145bd45fe70235ed2f45ed2839b319358e9c5523f60d5cfeff54f07669

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
365KB

MD5
bd79c716e7fdd1835449e349fb467941

SHA1
1b38b350976392505ca04ba746235ae3e5bcd772

SHA256
9e03127834496fedaa66ae833468cb4fedcdefd6e65e0c0e3801cecfd095017b

SHA512
4d07cbdc4ace02287baecec0a72b83276d7460b3220fbac223466c76bb466e1f383012858984340ac9ff5ae128ff2515f1d82daddd0d8fd30a3e74ae3fddf392

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
365KB

MD5
bd79c716e7fdd1835449e349fb467941

SHA1
1b38b350976392505ca04ba746235ae3e5bcd772

SHA256
9e03127834496fedaa66ae833468cb4fedcdefd6e65e0c0e3801cecfd095017b

SHA512
4d07cbdc4ace02287baecec0a72b83276d7460b3220fbac223466c76bb466e1f383012858984340ac9ff5ae128ff2515f1d82daddd0d8fd30a3e74ae3fddf392

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
365KB

MD5
bd79c716e7fdd1835449e349fb467941

SHA1
1b38b350976392505ca04ba746235ae3e5bcd772

SHA256
9e03127834496fedaa66ae833468cb4fedcdefd6e65e0c0e3801cecfd095017b

SHA512
4d07cbdc4ace02287baecec0a72b83276d7460b3220fbac223466c76bb466e1f383012858984340ac9ff5ae128ff2515f1d82daddd0d8fd30a3e74ae3fddf392

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03bca134b5fec88e1bfdffd8c641f647

SHA1
79d4a8cb199181343fb4d9e1023669e2da4c0d22

SHA256
1d1c1f043f368fa6d9bb13755e455917a620428c98eb842e99a86df41c719cb5

SHA512
bc231467ed325be1d8e69e4694240a8ef1d0fda49c73534e3b8f9ffef57859fb5b895befc9c8754bb9ffe8218acee68bcb158d629516ef063af23ef948a8d23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
246B

MD5
46183ada973d3bfaab7be726c800e96e

SHA1
7fcb7272b04d8b1caaf1343ec720461ca79f45c2

SHA256
0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f

SHA512
338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2rOi9Rgacvsc5OK3dELhrc7f.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
\Program Files (x86)\Company\NewProduct\Cube_WW9.exe

Filesize
137KB

MD5
e88a59876ea9ad978cadc4fe3105f23f

SHA1
aa3a48f01218b9d0e55c3629bb689b05d135d508

SHA256
764cc1739087f72db37602c60fd7ec8303114f46c1c4a338fbf1ff3d9d181b03

SHA512
9fe4fa68b35d14095be5e31098fcff6d7b6b4a409fbc2800051ce8a6525e0f8344675aa07cd39d2d081e32acd31d9a2eed081113e14e9c0d23c2d2f0e5b68419

Download Submit
\Program Files (x86)\Company\NewProduct\inst2.exe

Filesize
223KB

MD5
c393469f48d78919ab7eb82e1b248b83

SHA1
ea5a5502cc847092fcf5497b2db4776fe6c55a16

SHA256
dbc95faa16f88904dc5448881efc5b1751b6fa1f23c75c0d298fb21ebc47045c

SHA512
588120afd75bdcec9bde05fa132f8fe80aef038edadfaa5004270eb79eb2fbd1c0fb20e1dd485bf2b13ad36eb84ad3731aec113e6d88cc1fa5881e34698115b7

Download Submit
\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

Filesize
4.1MB

MD5
03c055e021d1f56cfe74badffe93e7bc

SHA1
84493871e54d877a4aedf64f56c41ce3be8305c5

SHA256
8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

SHA512
5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

Download Submit
\Program Files (x86)\Company\NewProduct\rtst1039.exe

Filesize
2.0MB

MD5
fe18d0f0f56abf84f421f7961206d5d1

SHA1
6685e8c651d2b2342b7a6f717360cb05d5455fe7

SHA256
efd4d7544f985545e2fd3377d0a9af6852315fa2eb4d0b14b3c4ac36dee6ce80

SHA512
74c216d1dddee3108fb80c5139af62efa6b3c855ce5468c5a4ec057fd29ef2cf5df74a145bd45fe70235ed2f45ed2839b319358e9c5523f60d5cfeff54f07669

Download Submit
\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
365KB

MD5
bd79c716e7fdd1835449e349fb467941

SHA1
1b38b350976392505ca04ba746235ae3e5bcd772

SHA256
9e03127834496fedaa66ae833468cb4fedcdefd6e65e0c0e3801cecfd095017b

SHA512
4d07cbdc4ace02287baecec0a72b83276d7460b3220fbac223466c76bb466e1f383012858984340ac9ff5ae128ff2515f1d82daddd0d8fd30a3e74ae3fddf392

Download Submit
\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
365KB

MD5
bd79c716e7fdd1835449e349fb467941

SHA1
1b38b350976392505ca04ba746235ae3e5bcd772

SHA256
9e03127834496fedaa66ae833468cb4fedcdefd6e65e0c0e3801cecfd095017b

SHA512
4d07cbdc4ace02287baecec0a72b83276d7460b3220fbac223466c76bb466e1f383012858984340ac9ff5ae128ff2515f1d82daddd0d8fd30a3e74ae3fddf392

Download Submit
\Users\Admin\Pictures\Adobe Films\2rOi9Rgacvsc5OK3dELhrc7f.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
memory/948-76-0x0000000000288000-0x0000000000299000-memory.dmp

Filesize
68KB

Download
memory/948-63-0x0000000000000000-mapping.dmp

Download
memory/948-82-0x0000000000288000-0x0000000000299000-memory.dmp

Filesize
68KB

Download
memory/948-83-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1104-84-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-69-0x0000000000000000-mapping.dmp

Download
memory/1104-87-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-88-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-89-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-91-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-86-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-93-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-94-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/1104-100-0x0000000003A00000-0x0000000003A10000-memory.dmp

Filesize
64KB

Download
memory/1104-113-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1104-112-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1308-60-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/1308-56-0x0000000000000000-mapping.dmp

Download
memory/1308-59-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/1464-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1656-121-0x0000000000000000-mapping.dmp

Download
memory/1680-107-0x0000000000000000-mapping.dmp

Download
memory/1680-110-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1752-73-0x0000000000000000-mapping.dmp

Download
memory/1752-119-0x0000000003F20000-0x00000000040DE000-memory.dmp

Filesize
1.7MB

Download
memory/1752-123-0x0000000003F20000-0x00000000040DE000-memory.dmp

Filesize
1.7MB

Download
memory/1832-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1832-78-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1832-106-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1832-79-0x0000000000402F47-mapping.dmp

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download