Analysis

max time kernel: 203s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 21/10/2022, 07:23

Static task: static1
Behavioral task: behavioral1
Sample: 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Resource: win7-20220812-en
General

Target: 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Size: 365KB
MD5: 72aba6eddfc86c65fab65b9400636980
SHA1: b9561a92b90e9f6725e9d461a9bc817569048613
SHA256: 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660
SHA512: 9f04a71aa317e64855f4fb04da4eb6a90dd1c7738c04f40794ab1c6a9c6b9ede9583edfbdd3e88c219e5f1e120d36dc49a6861eacb986f76cb8c615c972d568a
SSDEEP: 6144:TgLxtJnhCM9GFgCiBoQXIEes8BN70i8DIHIhojbEOihmVl6i+YhBMsEYNr+:UoFgPBlXHeNNcDajHEORl6i+YsWZ+
Malware Config

Extracted
Family: cybergate
Version: 2.6
Botnet: new504
C2: Firefox.ignorelist.com:82
Mutex: drd78sv8edrj

enable_keylogger: false
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: dwm.exe
install_dir: Mozilla
install_file: Flash_Update.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Notice: Undefined index: template in /opt/lampp/htdocs/install/index.php on line 17 Notice: Undefined index: language in /opt/lampp/htdocs/install/index.php on line 21 Notice: Use of undefined constant _logout_true - assumed '_logout_true' in /opt/lampp/htdocs/inc/_lang/english.php on line 17 Notice: Use of undefined constant _login_true - assumed '_login_true' in /opt/lampp/htdocs/inc/_lang/english.php on line 18 Notice: Use of undefined constant _login_false_pwd - assumed '_login_false_pwd' in /opt/lampp/htdocs/inc/_lang/english.php on line 19 Notice: Use of undefined constant _login_false_name - assumed '_login_false_name' in /opt/lampp/htdocs/inc/_lang/english.php on line 20 Notice: Use of undefined constant _login_not_active_map - assumed '_login_not_active_map' in /opt/lampp/htdocs/inc/_lang/english.php on line 21 Notice: Use of undefined constant _save_area - assumed '_save_area' in /opt/lampp/htdocs/inc/_lang/english.php on line 23
message_box_title: ERROR
password: 1234abc
regkey_hkcu: Flash_Update
regkey_hklm: Java_Update
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Flash = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Flash = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Executes dropped EXE (2 IoCs)
pid | Process
5060 | Flash_Update.exe
4568 | Flash_Update.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8}\StubPath = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8} | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C287P68-7BA7-H58U-I451-7G485M55P0Q8}\StubPath = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe Restart" | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Memory dumps matching yara_rule upx (9 IoCs)
resource | yara_rule
behavioral2/memory/1488-139-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/1488-144-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/652-147-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/652-150-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/1488-152-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
behavioral2/memory/1488-157-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/2144-160-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/2144-162-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral2/memory/2144-171-0x0000000024160000-0x00000000241C2000-memory.dmp | upx

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java_Update = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flash_Update = "C:\\Program Files (x86)\\Mozilla\\Flash_Update.exe" | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1220 set thread context of 1488 | 1220 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe | 81
PID 5060 set thread context of 4568 | 5060 | Flash_Update.exe | 86

Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Mozilla\Flash_Update.exe | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
File opened for modification | C:\Program Files (x86)\Mozilla\ | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
File opened for modification | C:\Program Files (x86)\Mozilla\Flash_Update.exe | Flash_Update.exe
File created | C:\Program Files (x86)\Mozilla\Flash_Update.exe | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
File opened for modification | C:\Program Files (x86)\Mozilla\Flash_Update.exe | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3840 | 4568 | WerFault.exe | 86

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
1220 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe (8 identical entries)
5060 | Flash_Update.exe (8 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2144 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
Token: SeDebugPrivilege | 2144 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1488 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
1220 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
1220 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
5060 | Flash_Update.exe
5060 | Flash_Update.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1220 wrote to memory of 1488 | 1220 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe | 81 (13 identical entries)
PID 1488 wrote to memory of 3092 | 1488 | 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe | 47 (51 identical entries)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3092
    [2] C:\Users\Admin\AppData\Local\Temp\79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe"
        PID: 1220
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
            PID: 1488
            - Adds policy Run key to start application
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\explorer.exe
                Command line: explorer.exe
                PID: 652
                - Modifies Installed Components in the registry
            [4] C:\Program Files\Internet Explorer\iexplore.exe
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                PID: 224
            [4] C:\Users\Admin\AppData\Local\Temp\79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660.exe"
                PID: 2144
                - Checks computer location settings
                - Drops file in Program Files directory
                - Modifies registry class
                - Suspicious use of AdjustPrivilegeToken
                [5] C:\Program Files (x86)\Mozilla\Flash_Update.exe
                    Command line: "C:\Program Files (x86)\Mozilla\Flash_Update.exe"
                    PID: 5060
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Drops file in Program Files directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of SetWindowsHookEx
                    [6] C:\Program Files (x86)\Mozilla\Flash_Update.exe
                        Command line: "C:\Program Files (x86)\Mozilla\Flash_Update.exe"
                        PID: 4568
                        - Executes dropped EXE
                        [7] C:\Windows\SysWOW64\WerFault.exe
                            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 528
                            PID: 3840
                            - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4568 -ip 4568
    PID: 3424
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 365KB
MD5: 72aba6eddfc86c65fab65b9400636980
SHA1: b9561a92b90e9f6725e9d461a9bc817569048613
SHA256: 79dc0b66e72e7309dafebce94880023ba6d6ae752dd3260b8dd5a7a280177660
SHA512: 9f04a71aa317e64855f4fb04da4eb6a90dd1c7738c04f40794ab1c6a9c6b9ede9583edfbdd3e88c219e5f1e120d36dc49a6861eacb986f76cb8c615c972d568a
(three download entries carry these identical hashes; they are the same hashes as the submitted sample listed under General)

Filesize: 230KB
MD5: 55b3ff6fd41959b7bcbbebc003080c18
SHA1: 381b83bffe1ca7e5d3b29fd60dbd3c04e9cbbb9b
SHA256: e3ee87cd8a25ffc7aee482f65263957b578b3c5cffa1a281a8a13a81287753ef
SHA512: 4c71628e1c715c7210de428738d6507fcec9d2058df3c42df38e02cdbe65f6eebf30e1f055141fc77927c60c89e72e80881dc27014182459beb89ce94e85bd1e