Malware Analysis Report

2024-10-23 21:19

Sample ID 220625-jh1xmsbehn
Target fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55
SHA256 fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55
Tags
hawkeye_reborn persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55

Threat Level: Known bad

The file fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55 was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn persistence

Hawkeye_reborn family

Sets file execution options in registry

Looks up external IP address via web service

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-25 07:40

Signatures

Hawkeye_reborn family

hawkeye_reborn

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 07:40

Reported

2022-06-25 09:09

Platform

win7-20220414-en

Max time kernel

23s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A

Looks up external IP address via web service

Description  Indicator                  Process  Target
N/A          bot.whatismyipaddress.com  N/A      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe

"C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe"

Network

Country  Destination  Domain                     Proto
US       8.8.8.8:53   bot.whatismyipaddress.com  udp

Files

memory/1348-54-0x0000000076531000-0x0000000076533000-memory.dmp

memory/1348-55-0x0000000074AE0000-0x000000007508B000-memory.dmp

memory/1348-56-0x0000000074AE0000-0x000000007508B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 07:40

Reported

2022-06-25 09:09

Platform

win10v2004-20220414-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe N/A

Looks up external IP address via web service

Description  Indicator                  Process  Target
N/A          bot.whatismyipaddress.com  N/A      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe

"C:\Users\Admin\AppData\Local\Temp\fa545f4e3b45c4aea772ae41ce7768b7d55faa9ee5c031a8d6929945424a7e55.exe"

Network

Country  Destination        Domain                     Proto
NL       88.221.144.192:80                             tcp
NL       88.221.144.192:80                             tcp
US       8.8.8.8:53         bot.whatismyipaddress.com  udp

Files

memory/4876-130-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/4876-131-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/4876-132-0x0000000074C10000-0x00000000751C1000-memory.dmp