18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8

Analysis

max time kernel
87s
max time network
94s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe
Size

20.0MB
MD5

4ca7cafe6d2de606474a142b504f264c
SHA1

4e650e70a609f09b797c905db21d6c3b13031884
SHA256

18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8
SHA512

a0140c14db24db61cccdf7f8751223f53caf097e5b696f89d1cf7fbab957692c08c6c883f8646e7677beafc02cb50d264deee5b4c60007b8500e1ff71f3af4a9
SSDEEP

393216:AEhtnC7xIqhwV/zhly0NKt3YMJ+s4yPcwdzbfrxOG9AiCOIfxu9aDw:NFCjwVMZ4RwJTxBKRf89

Score

9^/10

cryptone discovery evasion packer persistence trojan

Malware Config

Signatures

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Windows\SysWOW64\Macromed\Flash\Flash32_25_0_0_171.ocx	cryptone

Executes dropped EXE 3 IoCs

Processes:

ActiveX.exeInstallFlashPlayer.exeFlashPlayerUpdateService.exe

pid process

1648 ActiveX.exe
1324 InstallFlashPlayer.exe
1636 FlashPlayerUpdateService.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

InstallFlashPlayer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_25_0_0_171.ocx"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_25_0_0_171_ActiveX.exe"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_25_0_0_171.ocx"	InstallFlashPlayer.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ActiveX.exeInstallFlashPlayer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe\DisableExceptionChainValidation = "0"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_25_0_0_171_ActiveX.exe	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil64_25_0_0_171_ActiveX.exe\DisableExceptionChainValidation = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_25_0_0_171_ActiveX.exe	ActiveX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_25_0_0_171_ActiveX.exe\DisableExceptionChainValidation = "0"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe	ActiveX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe\DisableExceptionChainValidation = "0"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe	ActiveX.exe

Loads dropped DLL 12 IoCs

Processes:

18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exeActiveX.exeInstallFlashPlayer.exe

pid	process
912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe
1648	ActiveX.exe
1648	ActiveX.exe
1648	ActiveX.exe
1648	ActiveX.exe
1324	InstallFlashPlayer.exe
1324	InstallFlashPlayer.exe
1324	InstallFlashPlayer.exe
1324	InstallFlashPlayer.exe
1648	ActiveX.exe
1648	ActiveX.exe
1648	ActiveX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ActiveX.exeInstallFlashPlayer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ActiveX.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallFlashPlayer.exe

Drops file in System32 directory 23 IoCs

Processes:

InstallFlashPlayer.exe18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exeActiveX.exe

description	ioc	process
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_25_0_0_171_ActiveX.dll	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\activex.vch	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\mms.cfg	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{A8A3776A-F252-4344-986B-6F96765E43B3}\fpb.tmp	ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{75BA8ED4-3141-4BAE-B25F-1660FD5AD878}\InstallFlashPlayer.exe	ActiveX.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashUtil64_25_0_0_171_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\Flash64_25_0_0_171.ocx	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash32_25_0_0_171.ocx	ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\activex.vch	ActiveX.exe
File created	C:\Windows\system32\Macromed\Temp\{5F303982-25A1-45CA-BD0C-5C47A523439B}\fpb.tmp	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_171_ActiveX.exe	ActiveX.exe
File created	C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl	ActiveX.exe
File created	C:\Windows\SysWOW64\FlashPlayerApp.exe	ActiveX.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_171_ActiveX.exe	ActiveX.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash32_25_0_0_171.ocx	ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe	ActiveX.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashInstall.log	ActiveX.exe
File created	C:\Windows\SysWOW64\Macromed\Temp\{29ACF9F3-3995-4E9D-A001-1F7263ABED05}\fpb.tmp	ActiveX.exe
File created	C:\Windows\system32\Macromed\Temp\{1742E0D6-5F75-4067-82FD-85F411CAD932}\fpb.tmp	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\Flash64_25_0_0_171.ocx	InstallFlashPlayer.exe
File created	C:\Windows\system32\Macromed\Flash\FlashUtil64_25_0_0_171_ActiveX.exe	InstallFlashPlayer.exe
File opened for modification	C:\Windows\system32\Macromed\Flash\FlashInstall.log	InstallFlashPlayer.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_171_ActiveX.dll	ActiveX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

InstallFlashPlayer.exeActiveX.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	ActiveX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	ActiveX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	ActiveX.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil64_25_0_0_171_ActiveX.exe"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWOW64\\Macromed\\Flash"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\system32\\Macromed\\Flash"	InstallFlashPlayer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil32_25_0_0_171_ActiveX.exe"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}	InstallFlashPlayer.exe

Modifies registry class 64 IoCs

Processes:

InstallFlashPlayer.exeActiveX.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object"	ActiveX.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\CLSID	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.15\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_25_0_0_171.ocx"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\system32\\Macromed\\Flash"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain"	ActiveX.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib\Version = "1.0"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32\ = "C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_25_0_0_171_ActiveX.exe"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ = "IFlashBroker6"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.24\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\ = "Shockwave Flash Object"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	ActiveX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.19	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.11\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.20\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\system32\\Macromed\\Flash\\Flash64_25_0_0_171.ocx"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS	ActiveX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.25\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	InstallFlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	InstallFlashPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	InstallFlashPlayer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ActiveX.exeInstallFlashPlayer.exe

pid	process
1648	ActiveX.exe
1648	ActiveX.exe
1324	InstallFlashPlayer.exe
1324	InstallFlashPlayer.exe
1324	InstallFlashPlayer.exe
1324	InstallFlashPlayer.exe
1648	ActiveX.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ActiveX.exeInstallFlashPlayer.exe

pid process

1648 ActiveX.exe
1324 InstallFlashPlayer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exeActiveX.exe

description	pid	process	target process
PID 912 wrote to memory of 1648	912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 912 wrote to memory of 1648	912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 912 wrote to memory of 1648	912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 912 wrote to memory of 1648	912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 912 wrote to memory of 1648	912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 912 wrote to memory of 1648	912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 912 wrote to memory of 1648	912	18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe	ActiveX.exe
PID 1648 wrote to memory of 1324	1648	ActiveX.exe	InstallFlashPlayer.exe
PID 1648 wrote to memory of 1324	1648	ActiveX.exe	InstallFlashPlayer.exe
PID 1648 wrote to memory of 1324	1648	ActiveX.exe	InstallFlashPlayer.exe
PID 1648 wrote to memory of 1324	1648	ActiveX.exe	InstallFlashPlayer.exe
PID 1648 wrote to memory of 1636	1648	ActiveX.exe	FlashPlayerUpdateService.exe
PID 1648 wrote to memory of 1636	1648	ActiveX.exe	FlashPlayerUpdateService.exe
PID 1648 wrote to memory of 1636	1648	ActiveX.exe	FlashPlayerUpdateService.exe
PID 1648 wrote to memory of 1636	1648	ActiveX.exe	FlashPlayerUpdateService.exe
PID 1648 wrote to memory of 1636	1648	ActiveX.exe	FlashPlayerUpdateService.exe
PID 1648 wrote to memory of 1636	1648	ActiveX.exe	FlashPlayerUpdateService.exe
PID 1648 wrote to memory of 1636	1648	ActiveX.exe	FlashPlayerUpdateService.exe

C:\Users\Admin\AppData\Local\Temp\18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe
"C:\Users\Admin\AppData\Local\Temp\18d4b8d6dacb8f5a881d6923180172521c740d4b0b0d045ff836fa643fa418d8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\ActiveX.exe
C:\Users\Admin\AppData\Local\Temp\ActiveX.exe /install
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\Macromed\Temp\{75BA8ED4-3141-4BAE-B25F-1660FD5AD878}\InstallFlashPlayer.exe
"C:\Windows\system32\Macromed\Temp\{75BA8ED4-3141-4BAE-B25F-1660FD5AD878}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 4294967295
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Sets file execution options in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install
3⤵
- Executes dropped EXE
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ActiveX.exe
Filesize
18.9MB

MD5
b18195bd28aa97546527fe349c9a1cac

SHA1
a74417d43224fa90c936cdbfd06143dddecb1287

SHA256
5d7e8f16effb5c41a4f0440e51b24e0631592ac89254b1355e4ed82a2f978656

SHA512
c5b5d3609f3ebf9d1940810a71e67349e0e76ac8ca0db4bc4d0a43bfbbf64f700211ca8ee7d32cb3db0fd5abcfaf7707c35359f0b2dea45e7e710f278ab74db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ActiveX.exe
Filesize
18.9MB

MD5
b18195bd28aa97546527fe349c9a1cac

SHA1
a74417d43224fa90c936cdbfd06143dddecb1287

SHA256
5d7e8f16effb5c41a4f0440e51b24e0631592ac89254b1355e4ed82a2f978656

SHA512
c5b5d3609f3ebf9d1940810a71e67349e0e76ac8ca0db4bc4d0a43bfbbf64f700211ca8ee7d32cb3db0fd5abcfaf7707c35359f0b2dea45e7e710f278ab74db2

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Filesize
265KB

MD5
e6a1d864ec90f4397df5ab2633b34dd4

SHA1
5622e074544e4efc3f2565be2038a6569fcdf791

SHA256
05f1b7291ebdd9ca1d74649c0dafcbe5f2cf93e92c5ca16a8ac10b6df83101a0

SHA512
46c4ebb7bdb316df21cc96941f40107c7574ba3247b50effac2ed72306c19f916a19f2bd0dbecb9ded80151523b5a0429c53819fbf6902ca98dbebdec88d47b9

Download Submit
C:\Windows\SysWOW64\Macromed\Temp\{75BA8ED4-3141-4BAE-B25F-1660FD5AD878}\InstallFlashPlayer.exe
Filesize
9.8MB

MD5
d9051f97227582e39c9ffbcdd533fc7a

SHA1
92faa2ace50831556703167ed0fbb8ba54d3805c

SHA256
912de448272fd77fb75de02498baf13789bf737ccbdc2b61b0ec1bbf67773ac2

SHA512
2a68bfcbf9eff6f4ddaf5b6f69c64d715b838c0576e15942ccb5d02011dc5ea39bf39d8c9b09a14a9e6e563e15f772c21319db1beaa2cd81d83cd50696836b96

Download Submit
\Users\Admin\AppData\Local\Temp\ActiveX.exe
Filesize
18.9MB

MD5
b18195bd28aa97546527fe349c9a1cac

SHA1
a74417d43224fa90c936cdbfd06143dddecb1287

SHA256
5d7e8f16effb5c41a4f0440e51b24e0631592ac89254b1355e4ed82a2f978656

SHA512
c5b5d3609f3ebf9d1940810a71e67349e0e76ac8ca0db4bc4d0a43bfbbf64f700211ca8ee7d32cb3db0fd5abcfaf7707c35359f0b2dea45e7e710f278ab74db2

Download Submit
\Users\Admin\AppData\Local\Temp\ActiveX.exe
Filesize
18.9MB

MD5
b18195bd28aa97546527fe349c9a1cac

SHA1
a74417d43224fa90c936cdbfd06143dddecb1287

SHA256
5d7e8f16effb5c41a4f0440e51b24e0631592ac89254b1355e4ed82a2f978656

SHA512
c5b5d3609f3ebf9d1940810a71e67349e0e76ac8ca0db4bc4d0a43bfbbf64f700211ca8ee7d32cb3db0fd5abcfaf7707c35359f0b2dea45e7e710f278ab74db2

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash32_25_0_0_171.ocx
Filesize
18.8MB

MD5
daa2df6613a858d605dffdb2d245643a

SHA1
b195d9d4e25ed3262f104abc90a5be3f9d9368ee

SHA256
1fecff577d2ffb9a51a9dbeaf6d3f1c2e93e5f3d3b302b7a015174ddd07e7a58

SHA512
5ee7ead1b26c24228bed57c92bfd61a635c7466c16cd3973be420bc6be69937150372acef753e7142671834022c78c845b046b19a9bc4db690e64b1a54213240

Download Submit
\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Filesize
265KB

MD5
e6a1d864ec90f4397df5ab2633b34dd4

SHA1
5622e074544e4efc3f2565be2038a6569fcdf791

SHA256
05f1b7291ebdd9ca1d74649c0dafcbe5f2cf93e92c5ca16a8ac10b6df83101a0

SHA512
46c4ebb7bdb316df21cc96941f40107c7574ba3247b50effac2ed72306c19f916a19f2bd0dbecb9ded80151523b5a0429c53819fbf6902ca98dbebdec88d47b9

Download Submit
\Windows\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_171_ActiveX.exe
Filesize
1.2MB

MD5
50dff23ab101f360ae16b0c86e7bbc33

SHA1
2eb61415a46674e80450527c8545a7056c8d04ae

SHA256
44aa4cbe688edc61257300859cd916bdcfeea2e779ac0957733841a0da72fc45

SHA512
6329dcf553736e93b5f69b8cd9a83a08549f3c379d0c1b3e5fe969cbcd86f6f24e7ec1fd089eb5b93aa1a566d58c6f7e4dabccdf21a467c08944ca168ad83bbc

Download Submit
\Windows\SysWOW64\Macromed\Temp\{29ACF9F3-3995-4E9D-A001-1F7263ABED05}\fpb.tmp
Filesize
531KB

MD5
abfd3e589088090cef4d24cc96f08adf

SHA1
f0cff2c63f0b13586d6ffa041b0741fcc3afb559

SHA256
aa331235698a8f03b600fd4e5dac959a854888c3d9b7fc949d450680eb287045

SHA512
30ae9627f69df64c4676d3b1b91d32939d75fbeec31a0ed65180eb0dfc8a389221a6a059f5050316a21c2b95ddd85fb8f07239549d8309bc61aa04cbf4ae0ed3

Download Submit
\Windows\SysWOW64\Macromed\Temp\{75BA8ED4-3141-4BAE-B25F-1660FD5AD878}\InstallFlashPlayer.exe
Filesize
9.8MB

MD5
d9051f97227582e39c9ffbcdd533fc7a

SHA1
92faa2ace50831556703167ed0fbb8ba54d3805c

SHA256
912de448272fd77fb75de02498baf13789bf737ccbdc2b61b0ec1bbf67773ac2

SHA512
2a68bfcbf9eff6f4ddaf5b6f69c64d715b838c0576e15942ccb5d02011dc5ea39bf39d8c9b09a14a9e6e563e15f772c21319db1beaa2cd81d83cd50696836b96

Download Submit
\Windows\SysWOW64\Macromed\Temp\{A8A3776A-F252-4344-986B-6F96765E43B3}\fpb.tmp
Filesize
1.2MB

MD5
50dff23ab101f360ae16b0c86e7bbc33

SHA1
2eb61415a46674e80450527c8545a7056c8d04ae

SHA256
44aa4cbe688edc61257300859cd916bdcfeea2e779ac0957733841a0da72fc45

SHA512
6329dcf553736e93b5f69b8cd9a83a08549f3c379d0c1b3e5fe969cbcd86f6f24e7ec1fd089eb5b93aa1a566d58c6f7e4dabccdf21a467c08944ca168ad83bbc

Download Submit
\Windows\System32\Macromed\Flash\Flash64_25_0_0_171.ocx
Filesize
26.3MB

MD5
326f6ab46390b2ccc615b57696760f9d

SHA1
5a362941f1408ada4e38d8e2f9d90a7e6aee57a5

SHA256
29dcd9a4835a172afbfab5f474cc1153d077583048ad99ab262f5ea77eef915a

SHA512
49fe516a77c1a0658796f06e116cedf3b28b82a6550d092f8e8313ccc72c607774f5083934e01506630507b8e67851771886790884fe01b5d99610b5c6c65cb9

Download Submit
\Windows\System32\Macromed\Flash\FlashUtil64_25_0_0_171_ActiveX.exe
Filesize
935KB

MD5
ce747a9a5da3e47ffcd16b547a3b3a22

SHA1
8df642913fd332fb4b9474e782938c3f312ea88a

SHA256
bfc57509315e566c5b23d2177fa71da5e0554f753bccca7f71521d1d465f182b

SHA512
0a091eb3148ff7769ee6a1d3a62270f89370c39b8e4cdbcbd0729ecb312d6adba8d6238a5497f92f300a140626b0f62ae477dd8d61b209416c1ceac0e32fcd86

Download Submit
\Windows\System32\Macromed\Temp\{1742E0D6-5F75-4067-82FD-85F411CAD932}\fpb.tmp
Filesize
935KB

MD5
ce747a9a5da3e47ffcd16b547a3b3a22

SHA1
8df642913fd332fb4b9474e782938c3f312ea88a

SHA256
bfc57509315e566c5b23d2177fa71da5e0554f753bccca7f71521d1d465f182b

SHA512
0a091eb3148ff7769ee6a1d3a62270f89370c39b8e4cdbcbd0729ecb312d6adba8d6238a5497f92f300a140626b0f62ae477dd8d61b209416c1ceac0e32fcd86

Download Submit
\Windows\System32\Macromed\Temp\{5F303982-25A1-45CA-BD0C-5C47A523439B}\fpb.tmp
Filesize
605KB

MD5
1d8574ad5a1042b296b363e94a0925d0

SHA1
f419099a043157bd549b6593f71e5657db3fb438

SHA256
b2ecd509d9c3a60af15043cee2bb95b7e883b2cca72c6efa33c1280bf98d206a

SHA512
faa5b800f55dc7877380b4d94201ea8b22b1d60f90303d0a3ad8725135df4bbab0007d5c51934b5da53e45c7a9c7eaa6e47f346f215d3a9d266a39670c28dcb9

Download Submit
memory/912-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1324-68-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/1324-64-0x0000000000000000-mapping.dmp

Download
memory/1636-74-0x0000000000000000-mapping.dmp

Download
memory/1648-56-0x0000000000000000-mapping.dmp

Download