Analysis

max time kernel: 23s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 07:40

Static task: static1

Behavioral task: behavioral1
  Sample: fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe
  Resource: win10v2004-20220414-en

General

Target: fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe
Size: 553KB
MD5: 650282182c6142218de797d45f260cce
SHA1: a136b07101e77288306b62f2bbd91b4bba356213
SHA256: fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55
SHA512: c0739973f0e2cf6f2528c9915215bac63f0697f75702221740178c7f89f8db0c541440f3959d105901cf15bed92a2f0a6d7524e8a3d55ccfa77fcfbef5e50074
Malware Config
Signatures

Sets file execution options in registry (2 TTPs, 64 IoCs)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
3    | bot.whatismyipaddress.com