ffdroider | 6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad

Analysis

max time kernel
150s
max time network
83s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/09/2022, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
Size

5.1MB
MD5

0727f10acffae1a2fbad5bdee8606d77
SHA1

25a2190e389051017b0b512c0caa0e56d185d80a
SHA256

6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
SHA512

f5fdd04b5dd1882b99dcff66e21ee2eb6efe5032f25130f3ca67fc089c841fbdd48e495fdf370e0460833e6f8848c48069174298181db45e8857bdb4c5bed781
SSDEEP

98304:pAI+7WP8CGcEUNHnorSJwvvGBrHBHA8Fn6KhPpXjX2oPIn23U4jKuK5rQjKg0OFB:itM8C9EUN96viBHFn6Uhr/I23UEKuK58

Score

10^/10

ffdroider privateloader smokeloader backdoor discovery loader spyware stealer trojan

Malware Config

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Signatures

Detects Smokeloader packer 5 IoCs

resource	yara_rule
behavioral1/memory/1692-80-0x0000000000402F47-mapping.dmp	family_smokeloader
behavioral1/memory/2024-85-0x0000000000020000-0x0000000000029000-memory.dmp	family_smokeloader
behavioral1/memory/1692-79-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1692-89-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1692-106-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 8 IoCs

resource	yara_rule
behavioral1/memory/828-84-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/828-86-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/828-87-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/828-88-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/828-91-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/828-93-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/828-113-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider
behavioral1/memory/828-114-0x0000000000400000-0x0000000000AF0000-memory.dmp	family_ffdroider

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/files/0x00070000000134d5-59.dat	WebBrowserPassView
behavioral1/files/0x00070000000134d5-63.dat	WebBrowserPassView
behavioral1/files/0x000c000000013a0e-108.dat	WebBrowserPassView
behavioral1/memory/1120-110-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView
behavioral1/files/0x000c000000013a0e-111.dat	WebBrowserPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/files/0x00070000000134d5-59.dat	Nirsoft
behavioral1/files/0x00070000000134d5-63.dat	Nirsoft
behavioral1/files/0x000c000000013a0e-108.dat	Nirsoft
behavioral1/memory/1120-110-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft
behavioral1/files/0x000c000000013a0e-111.dat	Nirsoft

Executes dropped EXE 7 IoCs

pid	Process
1932	inst2.exe
948	rtst1039.exe
828	jg1_1faf.exe
2024	toolspab2.exe
2028	Cube_WW9.exe
1692	toolspab2.exe
1120	11111.exe

Loads dropped DLL 6 IoCs

pid	Process
1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
828	jg1_1faf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1692	2024	toolspab2.exe	34

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rtst1039.exe	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\toolspab2.exe	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	jg1_1faf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst2.exe	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	jg1_1faf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab2.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	jg1_1faf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jg1_1faf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jg1_1faf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	jg1_1faf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	toolspab2.exe
1692	toolspab2.exe
1376	Process not Found
1376	Process not Found
1120	11111.exe
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1120	11111.exe
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found
1376	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1692	toolspab2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	828	jg1_1faf.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1376	Process not Found

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1932	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	28
PID 1660 wrote to memory of 1932	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	28
PID 1660 wrote to memory of 1932	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	28
PID 1660 wrote to memory of 1932	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	28
PID 1660 wrote to memory of 948	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	29
PID 1660 wrote to memory of 948	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	29
PID 1660 wrote to memory of 948	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	29
PID 1660 wrote to memory of 948	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	29
PID 1660 wrote to memory of 828	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	30
PID 1660 wrote to memory of 828	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	30
PID 1660 wrote to memory of 828	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	30
PID 1660 wrote to memory of 828	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	30
PID 1660 wrote to memory of 2024	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	31
PID 1660 wrote to memory of 2024	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	31
PID 1660 wrote to memory of 2024	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	31
PID 1660 wrote to memory of 2024	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	31
PID 1660 wrote to memory of 2028	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	32
PID 1660 wrote to memory of 2028	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	32
PID 1660 wrote to memory of 2028	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	32
PID 1660 wrote to memory of 2028	1660	6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe	32
PID 2024 wrote to memory of 1692	2024	toolspab2.exe	34
PID 2024 wrote to memory of 1692	2024	toolspab2.exe	34
PID 2024 wrote to memory of 1692	2024	toolspab2.exe	34
PID 2024 wrote to memory of 1692	2024	toolspab2.exe	34
PID 2024 wrote to memory of 1692	2024	toolspab2.exe	34
PID 2024 wrote to memory of 1692	2024	toolspab2.exe	34
PID 2024 wrote to memory of 1692	2024	toolspab2.exe	34
PID 948 wrote to memory of 1120	948	rtst1039.exe	37
PID 948 wrote to memory of 1120	948	rtst1039.exe	37
PID 948 wrote to memory of 1120	948	rtst1039.exe	37
PID 948 wrote to memory of 1120	948	rtst1039.exe	37

C:\Users\Admin\AppData\Local\Temp\6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
"C:\Users\Admin\AppData\Local\Temp\6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Company\NewProduct\inst2.exe
  "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
  "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\11111.exe
    C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1120
- C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
  "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
  "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
    "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1692
- C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe
  "C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe"
  2⤵
  - Executes dropped EXE
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe

Filesize
137KB

MD5
e88a59876ea9ad978cadc4fe3105f23f

SHA1
aa3a48f01218b9d0e55c3629bb689b05d135d508

SHA256
764cc1739087f72db37602c60fd7ec8303114f46c1c4a338fbf1ff3d9d181b03

SHA512
9fe4fa68b35d14095be5e31098fcff6d7b6b4a409fbc2800051ce8a6525e0f8344675aa07cd39d2d081e32acd31d9a2eed081113e14e9c0d23c2d2f0e5b68419

Download Submit
C:\Program Files (x86)\Company\NewProduct\inst2.exe

Filesize
201KB

MD5
0aa9f08b7bc4d4bb3ce7d578f7b6005b

SHA1
c0b0f1ebfb84d3b571281e5adfbe0ad5b071a1c5

SHA256
a7536ca66bf434d6c9a5d1e56aa2c82e84c54dea530d0a4eabc3a30385d5ddcb

SHA512
7f8b6d0c4fb63dff3e7dd3c289d603c7ce253bd77ca35e87962a53aea7869a37410bf4a51e7bff95f859bbe207e00f36d9cdf0b4646406773a27daebc325c7fc

Download Submit
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

Filesize
4.1MB

MD5
03c055e021d1f56cfe74badffe93e7bc

SHA1
84493871e54d877a4aedf64f56c41ce3be8305c5

SHA256
8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

SHA512
5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

Download Submit
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

Filesize
4.1MB

MD5
03c055e021d1f56cfe74badffe93e7bc

SHA1
84493871e54d877a4aedf64f56c41ce3be8305c5

SHA256
8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

SHA512
5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

Download Submit
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe

Filesize
2.0MB

MD5
fe18d0f0f56abf84f421f7961206d5d1

SHA1
6685e8c651d2b2342b7a6f717360cb05d5455fe7

SHA256
efd4d7544f985545e2fd3377d0a9af6852315fa2eb4d0b14b3c4ac36dee6ce80

SHA512
74c216d1dddee3108fb80c5139af62efa6b3c855ce5468c5a4ec057fd29ef2cf5df74a145bd45fe70235ed2f45ed2839b319358e9c5523f60d5cfeff54f07669

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
300KB

MD5
8c23cc666860658e657dc4652a48ff91

SHA1
deebc6a7e00db0b79c52f1d922efa05dbca3333e

SHA256
a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333

SHA512
0cf8a4071903672291effbcf10ab5f801cf364ba72fd4ef87f96e3d5957df9921f2c36bae1ef1db1b735c7c52dd59f18fbdfbdf4cfe2006d3390df0c3ef00942

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
300KB

MD5
8c23cc666860658e657dc4652a48ff91

SHA1
deebc6a7e00db0b79c52f1d922efa05dbca3333e

SHA256
a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333

SHA512
0cf8a4071903672291effbcf10ab5f801cf364ba72fd4ef87f96e3d5957df9921f2c36bae1ef1db1b735c7c52dd59f18fbdfbdf4cfe2006d3390df0c3ef00942

Download Submit
C:\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
300KB

MD5
8c23cc666860658e657dc4652a48ff91

SHA1
deebc6a7e00db0b79c52f1d922efa05dbca3333e

SHA256
a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333

SHA512
0cf8a4071903672291effbcf10ab5f801cf364ba72fd4ef87f96e3d5957df9921f2c36bae1ef1db1b735c7c52dd59f18fbdfbdf4cfe2006d3390df0c3ef00942

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
246B

MD5
46183ada973d3bfaab7be726c800e96e

SHA1
7fcb7272b04d8b1caaf1343ec720461ca79f45c2

SHA256
0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f

SHA512
338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Download Submit
\Program Files (x86)\Company\NewProduct\Cube_WW9.exe

Filesize
137KB

MD5
e88a59876ea9ad978cadc4fe3105f23f

SHA1
aa3a48f01218b9d0e55c3629bb689b05d135d508

SHA256
764cc1739087f72db37602c60fd7ec8303114f46c1c4a338fbf1ff3d9d181b03

SHA512
9fe4fa68b35d14095be5e31098fcff6d7b6b4a409fbc2800051ce8a6525e0f8344675aa07cd39d2d081e32acd31d9a2eed081113e14e9c0d23c2d2f0e5b68419

Download Submit
\Program Files (x86)\Company\NewProduct\inst2.exe

Filesize
201KB

MD5
0aa9f08b7bc4d4bb3ce7d578f7b6005b

SHA1
c0b0f1ebfb84d3b571281e5adfbe0ad5b071a1c5

SHA256
a7536ca66bf434d6c9a5d1e56aa2c82e84c54dea530d0a4eabc3a30385d5ddcb

SHA512
7f8b6d0c4fb63dff3e7dd3c289d603c7ce253bd77ca35e87962a53aea7869a37410bf4a51e7bff95f859bbe207e00f36d9cdf0b4646406773a27daebc325c7fc

Download Submit
\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

Filesize
4.1MB

MD5
03c055e021d1f56cfe74badffe93e7bc

SHA1
84493871e54d877a4aedf64f56c41ce3be8305c5

SHA256
8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

SHA512
5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

Download Submit
\Program Files (x86)\Company\NewProduct\rtst1039.exe

Filesize
2.0MB

MD5
fe18d0f0f56abf84f421f7961206d5d1

SHA1
6685e8c651d2b2342b7a6f717360cb05d5455fe7

SHA256
efd4d7544f985545e2fd3377d0a9af6852315fa2eb4d0b14b3c4ac36dee6ce80

SHA512
74c216d1dddee3108fb80c5139af62efa6b3c855ce5468c5a4ec057fd29ef2cf5df74a145bd45fe70235ed2f45ed2839b319358e9c5523f60d5cfeff54f07669

Download Submit
\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
300KB

MD5
8c23cc666860658e657dc4652a48ff91

SHA1
deebc6a7e00db0b79c52f1d922efa05dbca3333e

SHA256
a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333

SHA512
0cf8a4071903672291effbcf10ab5f801cf364ba72fd4ef87f96e3d5957df9921f2c36bae1ef1db1b735c7c52dd59f18fbdfbdf4cfe2006d3390df0c3ef00942

Download Submit
\Program Files (x86)\Company\NewProduct\toolspab2.exe

Filesize
300KB

MD5
8c23cc666860658e657dc4652a48ff91

SHA1
deebc6a7e00db0b79c52f1d922efa05dbca3333e

SHA256
a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333

SHA512
0cf8a4071903672291effbcf10ab5f801cf364ba72fd4ef87f96e3d5957df9921f2c36bae1ef1db1b735c7c52dd59f18fbdfbdf4cfe2006d3390df0c3ef00942

Download Submit
memory/828-86-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-100-0x0000000003C00000-0x0000000003C10000-memory.dmp

Filesize
64KB

Download
memory/828-75-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-114-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-113-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-94-0x0000000003AA0000-0x0000000003AB0000-memory.dmp

Filesize
64KB

Download
memory/828-93-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-84-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-91-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-88-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/828-87-0x0000000000400000-0x0000000000AF0000-memory.dmp

Filesize
6.9MB

Download
memory/1120-110-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1692-106-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1692-89-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1692-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1932-62-0x0000000000260000-0x0000000000273000-memory.dmp

Filesize
76KB

Download
memory/1932-61-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2024-85-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2024-82-0x0000000000308000-0x0000000000319000-memory.dmp

Filesize
68KB

Download
memory/2024-77-0x0000000000308000-0x0000000000319000-memory.dmp

Filesize
68KB

Download