3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d

Analysis

max time kernel
151s
max time network
186s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
Size

960KB
MD5

b327d3bdcea573133bfb57525b376d89
SHA1

995708aad2b70047a3bbce5d8715a6bb2d93ea10
SHA256

3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d
SHA512

764547d5081a20889c4cb06abc59511f03aeda8871308cb3624a92230934c563de6439cff381f8398763b7a60f9110e88fb752d086c0faa6bc5a4c57fe1662a7
SSDEEP

24576:mthEVaPqLNHfB/G0gRDmAXEcRPNZtjQXS1HxZpYNhtqJKaJK:uEVUcNHfB/x3AXESdHb4hIHw

Score

8^/10

evasion upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1368	Facebook-Video-Calling_Allmyapps.exe
560	Facebook-Video-Calling_Allmyapps.exe
292	facebook video call.exe
1264	facebook.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
944	netsh.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1852-55-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/1368-63-0x0000000001D20000-0x0000000001E51000-memory.dmp	upx
behavioral1/memory/1368-66-0x0000000001D20000-0x0000000001E51000-memory.dmp	upx
behavioral1/memory/1368-67-0x0000000001D20000-0x0000000001E51000-memory.dmp	upx
behavioral1/memory/1368-69-0x0000000001D20000-0x0000000001E51000-memory.dmp	upx
behavioral1/memory/1852-70-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/560-75-0x0000000000590000-0x00000000006C1000-memory.dmp	upx
behavioral1/memory/560-79-0x0000000000590000-0x00000000006C1000-memory.dmp	upx
behavioral1/memory/560-78-0x0000000000590000-0x00000000006C1000-memory.dmp	upx
behavioral1/memory/560-80-0x0000000000590000-0x00000000006C1000-memory.dmp	upx
behavioral1/memory/1852-85-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\facebook video call.exe	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe

Loads dropped DLL 8 IoCs

pid	Process
1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
1368	Facebook-Video-Calling_Allmyapps.exe
1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
292	facebook video call.exe
292	facebook video call.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1852-70-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral1/memory/1852-85-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is7156452.log	Facebook-Video-Calling_Allmyapps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Facebook-Video-Calling_Allmyapps.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Facebook-Video-Calling_Allmyapps.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Facebook-Video-Calling_Allmyapps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Facebook-Video-Calling_Allmyapps.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Facebook-Video-Calling_Allmyapps.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Facebook-Video-Calling_Allmyapps.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Facebook-Video-Calling_Allmyapps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Facebook-Video-Calling_Allmyapps.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1368	Facebook-Video-Calling_Allmyapps.exe
1368	Facebook-Video-Calling_Allmyapps.exe
1264	facebook.exe
1264	facebook.exe
1264	facebook.exe
1264	facebook.exe
1264	facebook.exe
1264	facebook.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1368	Facebook-Video-Calling_Allmyapps.exe
Token: SeDebugPrivilege	1264	facebook.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1368	Facebook-Video-Calling_Allmyapps.exe
1368	Facebook-Video-Calling_Allmyapps.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1368	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	28
PID 1852 wrote to memory of 1368	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	28
PID 1852 wrote to memory of 1368	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	28
PID 1852 wrote to memory of 1368	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	28
PID 1368 wrote to memory of 560	1368	Facebook-Video-Calling_Allmyapps.exe	29
PID 1368 wrote to memory of 560	1368	Facebook-Video-Calling_Allmyapps.exe	29
PID 1368 wrote to memory of 560	1368	Facebook-Video-Calling_Allmyapps.exe	29
PID 1368 wrote to memory of 560	1368	Facebook-Video-Calling_Allmyapps.exe	29
PID 1852 wrote to memory of 292	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	31
PID 1852 wrote to memory of 292	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	31
PID 1852 wrote to memory of 292	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	31
PID 1852 wrote to memory of 292	1852	3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe	31
PID 1368 wrote to memory of 1964	1368	Facebook-Video-Calling_Allmyapps.exe	32
PID 1368 wrote to memory of 1964	1368	Facebook-Video-Calling_Allmyapps.exe	32
PID 1368 wrote to memory of 1964	1368	Facebook-Video-Calling_Allmyapps.exe	32
PID 1368 wrote to memory of 1964	1368	Facebook-Video-Calling_Allmyapps.exe	32
PID 292 wrote to memory of 1264	292	facebook video call.exe	37
PID 292 wrote to memory of 1264	292	facebook video call.exe	37
PID 292 wrote to memory of 1264	292	facebook video call.exe	37
PID 292 wrote to memory of 1264	292	facebook video call.exe	37
PID 1264 wrote to memory of 944	1264	facebook.exe	39
PID 1264 wrote to memory of 944	1264	facebook.exe	39
PID 1264 wrote to memory of 944	1264	facebook.exe	39
PID 1264 wrote to memory of 944	1264	facebook.exe	39

C:\Users\Admin\AppData\Local\Temp\3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe
"C:\Users\Admin\AppData\Local\Temp\3b7c6af43db0fde3efd39385f5fbdce9a04d436ace691d9fd3d2bbf9d49ac25d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe
  "C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe
    "C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe" /_ShowProgress
    3⤵
    - Executes dropped EXE
    PID:560
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn "AllmyappsUpdateTask" /f
    3⤵
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\facebook video call.exe
  "C:\Users\Admin\AppData\Local\Temp/facebook video call.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Users\Admin\AppData\Roaming\facebook.exe
    "C:\Users\Admin\AppData\Roaming\facebook.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\facebook.exe" "facebook.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook video call.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\facebook video call.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
C:\Users\Admin\AppData\Roaming\facebook.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
C:\Users\Admin\AppData\Roaming\facebook.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
\Users\Admin\AppData\Local\Temp\Facebook-Video-Calling_Allmyapps.exe

Filesize
584KB

MD5
b6bd0c27750e5d55a68a51cf2b5f21d6

SHA1
b2713f489c3d3e277797781e9bc0b9ae89019dd7

SHA256
c5130704479e0762940c58e01f8e8eaa61fc4349219b327daf17f5b5d8d8407a

SHA512
57dbd4b424ba1769ea5c3de6b98d5e755ba1fa71b126b72f0151f4636e977c4e9a48c5754ad5930bc244c51f1b25f50cef62367f41c90a017e724d8824b97be2

Download Submit
\Users\Admin\AppData\Local\Temp\facebook video call.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
\Users\Admin\AppData\Local\Temp\facebook video call.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
\Users\Admin\AppData\Roaming\facebook.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
\Users\Admin\AppData\Roaming\facebook.exe

Filesize
231KB

MD5
5026b28351d166b8132773840697d02e

SHA1
b0c6e116ec3e28cd15eb513792c5db4a891cc602

SHA256
287bf077dc11f6407fdf774bebf79f3ad1b6e9fdbc573309bf2a5299fb152141

SHA512
0e858cc92d5082b74897a0564163166d96b76cfc56b2d87c6a3609cb20fa305eaa787632477725e7134e6bc10ebab5294cf64835ab8ea565c2ec9d273d830f3b

Download Submit
memory/292-88-0x0000000071710000-0x0000000071CBB000-memory.dmp

Filesize
5.7MB

Download
memory/292-91-0x0000000071710000-0x0000000071CBB000-memory.dmp

Filesize
5.7MB

Download
memory/292-98-0x0000000071710000-0x0000000071CBB000-memory.dmp

Filesize
5.7MB

Download
memory/560-79-0x0000000000590000-0x00000000006C1000-memory.dmp

Filesize
1.2MB

Download
memory/560-80-0x0000000000590000-0x00000000006C1000-memory.dmp

Filesize
1.2MB

Download
memory/560-78-0x0000000000590000-0x00000000006C1000-memory.dmp

Filesize
1.2MB

Download
memory/560-75-0x0000000000590000-0x00000000006C1000-memory.dmp

Filesize
1.2MB

Download
memory/1264-101-0x0000000071710000-0x0000000071CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1264-99-0x0000000071710000-0x0000000071CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-69-0x0000000001D20000-0x0000000001E51000-memory.dmp

Filesize
1.2MB

Download
memory/1368-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1368-67-0x0000000001D20000-0x0000000001E51000-memory.dmp

Filesize
1.2MB

Download
memory/1368-66-0x0000000001D20000-0x0000000001E51000-memory.dmp

Filesize
1.2MB

Download
memory/1368-63-0x0000000001D20000-0x0000000001E51000-memory.dmp

Filesize
1.2MB

Download
memory/1852-85-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1852-55-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1852-70-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download