638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf

Analysis

max time kernel
48s
max time network
54s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
31/10/2022, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Size

1.3MB
MD5

e105adf7e5d682eb483e985e0261f756
SHA1

eb1db76b3713b3cc2f1a28c75a836c58e8c87fc8
SHA256

638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf
SHA512

301059740cac5d310cad149ba75b1055100e30e19c72d40e2f82154aa7cf89b0a01ccbf4d66392fa5e65da405cb45422e54bfa522a47a9ecc6f28c1a28dd352e
SSDEEP

24576:HRyL0QZuT44qlJl99oRGig/ocJN2O2zNFH4D7oQGOYfMlQ6NY:xyYQZuTIbl999iWoWu8DBGOYcQ6NY

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
996	Scenic- Newer Heights.scr

Loads dropped DLL 2 IoCs

pid	Process
1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
996	Scenic- Newer Heights.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Macromed\Flash\flash8.ocx	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\flash8.ocx	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Scenic- Newer Heights\Uninstall.ini	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
File created	C:\Program Files (x86)\Scenic- Newer Heights\Uninstall.exe	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Scenic- Newer Heights.scr	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Scenic- Newer Heights.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Scenic- Newer Heights.scr

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Appearance\Schemes	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SCENIC~1.SCR"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SCENIC~1.SCR"	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\flash8.ocx"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\flash8.ocx\\2"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\CLSID	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\HELPDIR	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon\ = "\"%1\""	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32\ThreadingModel = "Apartment"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\ = "Shockwave Flash Object"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.8"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\flash8.ocx"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
996	Scenic- Newer Heights.scr
996	Scenic- Newer Heights.scr

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1232	1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe	26
PID 1376 wrote to memory of 1232	1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe	26
PID 1376 wrote to memory of 1232	1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe	26
PID 1376 wrote to memory of 1232	1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe	26
PID 1376 wrote to memory of 1232	1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe	26
PID 1376 wrote to memory of 1232	1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe	26
PID 1376 wrote to memory of 1232	1376	638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe	26
PID 1232 wrote to memory of 996	1232	rundll32.exe	27
PID 1232 wrote to memory of 996	1232	rundll32.exe	27
PID 1232 wrote to memory of 996	1232	rundll32.exe	27
PID 1232 wrote to memory of 996	1232	rundll32.exe	27
PID 1232 wrote to memory of 996	1232	rundll32.exe	27
PID 1232 wrote to memory of 996	1232	rundll32.exe	27
PID 1232 wrote to memory of 996	1232	rundll32.exe	27

C:\Users\Admin\AppData\Local\Temp\638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe
"C:\Users\Admin\AppData\Local\Temp\638143e4c5ddd34bddf2c480dddc391d4a64554fd299bbd5ed771301f4dc22bf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\Scenic- Newer Heights.scr
  2⤵
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\Scenic- Newer Heights.scr
    "C:\Windows\Scenic- Newer Heights.scr" /p 65910
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Scenic- Newer Heights.scr

Filesize
479KB

MD5
59ac3a3603f9e2227a0e8a4305d0293f

SHA1
a1c26bb7f43450c7202ef1ed6b459e5d95eb7998

SHA256
d1522bc74c121c2c1d09bfae81269c75b66e93b55119b9b60461d329c77f77e5

SHA512
86ccbb5db0b9d7ee39fbd9ef7300bff2de5b3a2f4a4b1ea122fd8fc4ae315775563744b98ebe9001a71fc76aaf2378ffcb2509d110651e50d9e2b8cf1a882f67

Download Submit
C:\Windows\Scenic- Newer Heights.scr

Filesize
479KB

MD5
59ac3a3603f9e2227a0e8a4305d0293f

SHA1
a1c26bb7f43450c7202ef1ed6b459e5d95eb7998

SHA256
d1522bc74c121c2c1d09bfae81269c75b66e93b55119b9b60461d329c77f77e5

SHA512
86ccbb5db0b9d7ee39fbd9ef7300bff2de5b3a2f4a4b1ea122fd8fc4ae315775563744b98ebe9001a71fc76aaf2378ffcb2509d110651e50d9e2b8cf1a882f67

Download Submit
C:\Windows\SysWow64\Macromed\Flash\flash8.ocx

Filesize
1.4MB

MD5
900373c059c2b51ca91bf110dbdecb33

SHA1
102b086d6054c2cea813ef316ce24440c458762b

SHA256
31453fd8f743c19e27f8fa04ee88dfebe95a7884cdfbc15ab0eb8994829aad61

SHA512
b17d68cd1e4f1c2fcc7f07de657af144302d4a0cb7b6a0d6bbed4fcd39227481abae73df2d59bf13a31a47b2b6aba820182881b43e638aa00da75ba6b94adbfe

Download Submit
\Windows\SysWOW64\Macromed\Flash\flash8.ocx

Filesize
1.4MB

MD5
900373c059c2b51ca91bf110dbdecb33

SHA1
102b086d6054c2cea813ef316ce24440c458762b

SHA256
31453fd8f743c19e27f8fa04ee88dfebe95a7884cdfbc15ab0eb8994829aad61

SHA512
b17d68cd1e4f1c2fcc7f07de657af144302d4a0cb7b6a0d6bbed4fcd39227481abae73df2d59bf13a31a47b2b6aba820182881b43e638aa00da75ba6b94adbfe

Download Submit
\Windows\SysWOW64\Macromed\Flash\flash8.ocx

Filesize
1.4MB

MD5
900373c059c2b51ca91bf110dbdecb33

SHA1
102b086d6054c2cea813ef316ce24440c458762b

SHA256
31453fd8f743c19e27f8fa04ee88dfebe95a7884cdfbc15ab0eb8994829aad61

SHA512
b17d68cd1e4f1c2fcc7f07de657af144302d4a0cb7b6a0d6bbed4fcd39227481abae73df2d59bf13a31a47b2b6aba820182881b43e638aa00da75ba6b94adbfe

Download Submit
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download