hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbS10UDBacDJaZDVpczl2UU9FRFhuaUhWbXpLZ3xBQ3Jtc0tudUtyWlJmLVVFWTBaaUZiWGxNVmROSnVtdk4yajhGVW1JQVlnTENzZzlqaXZXSVlDUDhkTkVFXzdZaEJmMTFHSEF4ckdYQm1mQzI1Tm1RVkQ2d2M0VWlYTDJvMTlmdm1ITjFTTWg3Vkprb0J2Y2pqUQ&q=https%3A%2F%2Fwww[.]mediafire[.]com%2Ffile%2F91f8cci743atgwa%2Finstalls64pcworldpro[.]rar%2Ffile&v=xj5kjcXzNzI

Analysis

max time kernel
101s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbS10UDBacDJaZDVpczl2UU9FRFhuaUhWbXpLZ3xBQ3Jtc0tudUtyWlJmLVVFWTBaaUZiWGxNVmROSnVtdk4yajhGVW1JQVlnTENzZzlqaXZXSVlDUDhkTkVFXzdZaEJmMTFHSEF4ckdYQm1mQzI1Tm1RVkQ2d2M0VWlYTDJvMTlmdm1ITjFTTWg3Vkprb0J2Y2pqUQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffile%2F91f8cci743atgwa%2Finstalls64pcworldpro.rar%2Ffile&v=xj5kjcXzNzI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4708	Installx64.exe
1780	Installx64.exe
3704	civilnaturov.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Installx64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Installx64.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Installx64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Installx64.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 2c9ba0669e45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "124"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1A9A16CF-C36D-11ED-ABF7-6201C35E5273} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4017754453"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4030097753"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "111"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a970000000002000000000010660000000100002000000089eb23987dd0fa8b8612f65473eb4d02b41d217ca977a5323ee2530c9c29910a000000000e8000000002000020000000bc43bbec41ba9ef7056fdb057396f5068ea22688438a55aa5f70054954757d142000000032ee0b2dfa3787ed026aaec1f01e48b007623ffa6492b7cfdbca9e8695ce7f204000000011228db31cc9a1e7b2616cfaf79b122c5eac546998e5b0c6b6b88095e2dd8adfa8f9f5f72d84147b0645d82e9c8de518c3034bbede1816b0eceb6b8cc62ce175	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a97000000000200000000001066000000010000200000000ac2b6af460cacdccf9f94daef1c427a05f2b68df6ab7931ca4ddea679bda3b4000000000e8000000002000020000000571b1be31c5e48b868f2afd1dbff2757a85d510d607e2012b827bac0189fcf402000000052a072df6f5664eaad38d6f166ffedb6dddd8821c1b4ea2fa5e38d346cf891c940000000ddd15dc382b7e03f810fa5d347b6b25879c23b7f37531ac2ac095144f972487b029b9830a96574d69cfb1274a4ae1d35d6a1949eb63dc12c1c2734f06973ef05	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f06ca5f17957d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4017754453"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Cache = b104000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "769"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31020921"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "111"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31020921"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "111"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "51"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "769"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "51"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20cb94f17957d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31020921"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "51"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "769"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{E721F01B-E7A6-48DE-AA80-05FFF62C7F47}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	iexplore.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3036	7zG.exe
Token: 35	3036	7zG.exe
Token: SeSecurityPrivilege	3036	7zG.exe
Token: SeSecurityPrivilege	3036	7zG.exe
Token: SeDebugPrivilege	3704	civilnaturov.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2224	iexplore.exe
2224	iexplore.exe
3036	7zG.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2224	iexplore.exe
2224	iexplore.exe
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
4708	Installx64.exe
1780	Installx64.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1500	2224	iexplore.exe	86
PID 2224 wrote to memory of 1500	2224	iexplore.exe	86
PID 2224 wrote to memory of 1500	2224	iexplore.exe	86
PID 4708 wrote to memory of 3704	4708	Installx64.exe	102
PID 4708 wrote to memory of 3704	4708	Installx64.exe	102
PID 4708 wrote to memory of 3704	4708	Installx64.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbS10UDBacDJaZDVpczl2UU9FRFhuaUhWbXpLZ3xBQ3Jtc0tudUtyWlJmLVVFWTBaaUZiWGxNVmROSnVtdk4yajhGVW1JQVlnTENzZzlqaXZXSVlDUDhkTkVFXzdZaEJmMTFHSEF4ckdYQm1mQzI1Tm1RVkQ2d2M0VWlYTDJvMTlmdm1ITjFTTWg3Vkprb0J2Y2pqUQ&q=https%3A%2F%2Fwww.mediafire.com%2Ffile%2F91f8cci743atgwa%2Finstalls64pcworldpro.rar%2Ffile&v=xj5kjcXzNzI
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3484

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\installs64pcworldpro\" -spe -an -ai#7zMap7417:102:7zEvent10487
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3036

C:\Users\Admin\Downloads\installs64pcworldpro\Installx64.exe
"C:\Users\Admin\Downloads\installs64pcworldpro\Installx64.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\civilnaturov.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\civilnaturov.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    PID:3368

C:\Users\Admin\Downloads\installs64pcworldpro\Installx64.exe
"C:\Users\Admin\Downloads\installs64pcworldpro\Installx64.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1780
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\civilnaturov.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\civilnaturov.exe
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\DFUBOOOL\www.mediafire[1].xml

Filesize
1KB

MD5
3d84b73cd2448a584f5f82a987c4f719

SHA1
2161ef88766b1bb37cd23df9ed077232e7d0c109

SHA256
9bbdca019706133056e159c095a2197d1555256b4ce0e15a045c3713442ab532

SHA512
b5ea9c86e6a1207170d8263ab9c3d480a9facd0f79bf8841e77a64d026ca88dcffe788fe1fb253a68d81eeb93e084bd82e0bfc3bd30f66d690eada3098ec4c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dcpq11e\imagestore.dat

Filesize
478B

MD5
ea20896eed28f479964cd92c011f34ab

SHA1
f8f08d90bf84b8d0305cf7e4e5f76e1600a9682a

SHA256
56d7e2605a579d7c8584cb389da6bd84c3198a04c581e891c1e87ee5d1c1270e

SHA512
791b9c46f76f11901144a7603886f34d3677df6c16eceddad8fdf81d874112451c8b03bb8e84f77bba72a84cbef39c33eec23110140785440a9434be44b3a011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S64KWKX9\favicon_32[1].png

Filesize
348B

MD5
3a880420311ad60097059ffc0fc53393

SHA1
7644b902864c4ba3604f61e0880e05da15ab464f

SHA256
571c382651d6337cd5fa49c512d02f0f99d523a896b87175fb59c710e1fcbc7a

SHA512
c16652970d04b7b76f7e7ef5a8d091984a13406cf7f5475cc3cfa3ecae3278c19be5494be39a8e549978b0675d1c70f69cc1413de9240487943d91965aff17d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\civilnaturov.exe

Filesize
109.4MB

MD5
ceb0d5fa4036a32c38929e26099c30ae

SHA1
24d9628ad2669dcdea1562f9b78c0a6d161c1060

SHA256
39fa68bd6c9cb7aefbaf3ddfede40bf97e5bb471b2c495f2c899b3fc59973a72

SHA512
13617f73f0025a8dbc7445812b7fb621f9970f885ae523dca957564d41e062f1dc1635f6980e05e20ae1fc3ea36ccf96a65cd1f08790f2bcd2156deb16282445

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\civilnaturov.exe

Filesize
109.7MB

MD5
2299aab6da063889e51b03cffb722e0c

SHA1
1150608fcb42ab2ce892772a16bc176fced8321a

SHA256
9ba7d5bbb371e53bb7ba2d6db1a1c9ec170da9b6bb67f6d9101cd18f2672fc9a

SHA512
02abb3c914095c4e5ce67730ccedbb5bc89bd02d9440beeb2849cb9927ad931e45e5247e3044c0510a5d038a48e37f21b2ae8fc3aaf39edbc7bfd6bcc0353b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\civilnaturov.exe

Filesize
112.4MB

MD5
b9a8932d8442dc14f38580269fcacefa

SHA1
ca12e6c42ceba0868dafa6a89a6d1249995cff27

SHA256
528e8414ce62a47c58e41b0928148379e979a99b2b2b3808b878e38f785af3e9

SHA512
48053b80f193403c54c323b69f6fccd24d76d90955674a82cf22e959e7892e1b3ea504d8fa150c2d79405414f5d934713739ac82c846b76cc4e3e73b28e72fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\civilnaturov.exe

Filesize
86.6MB

MD5
46a51285c4d8f97e7abab8f85acfb647

SHA1
9f4f358b193b5cca3dd3bea8b5da390f40debe84

SHA256
038ea49209ed5584a348cf1139666acc0246048361166545eefedf564d94b62a

SHA512
32fd101d4465c825ae2e3e4646edba07720911bc3a472cb576dea5d630bf26e1cdb0d373040ee3851961a6233d7debe8b2dc6a36ef87657704d0cac46c3255cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\civilnaturov.exe

Filesize
87.4MB

MD5
aa110e8326f5c8930f93e6f21c28c403

SHA1
4a951d13fa362e904f0538b4d9ccaa41e2255aa7

SHA256
754b046155567e041237236a856241c64d0547ef67ff5aec080e0d62ab2f4f74

SHA512
6adb3d26f562df405eaafc966a314783cea7fb5f9a1d41b456778ba6152aa9b8755bafc027d52ce86a1d1a20291ae2f3c096ff31d2a9c8615a7702827c882cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qln4f4xx.sdq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF472E00209535EA0E.TMP

Filesize
16KB

MD5
b41011087b3bed62863c27db420212a4

SHA1
2eb4923b058c07969abc33a33494d4a88f701518

SHA256
5fec2031629c9c536d37a0fcd4395c312c0dd38e906737e305651af3ac4b33bc

SHA512
c2529c48146c0a8bd1bfc68f1bafa0a9722b47707b69a67678fefbc77d77aa7a5be8afd9d00b491cadaab407809b4225cfa3ca282a3be2bf78dddd0cc0a3c6e1

Download Submit
C:\Users\Admin\Downloads\installs64pcworldpro.rar.orrzrlp.partial

Filesize
37.3MB

MD5
52ca6180e246b095b7f6ddb6d57aff15

SHA1
d4a1e7256ad74f14fe2511baf49bccf39c5f3364

SHA256
056dadba3905f61bc75412eb0ecc46e18bdd63fb7c88805370316cd0f4a6fa85

SHA512
1c58309b008e357f06508b7399e045a609aa2b817b2426ef44e33dbc8dc582e8f59c434aeea3da1e354438d5de71bfaf318915ed730a1c35b96770b619cc3f77

Download Submit
C:\Users\Admin\Downloads\installs64pcworldpro\Installx64.exe

Filesize
291.0MB

MD5
96c4381b75029599f8d4b6e6c130e287

SHA1
1638415f16a28209ef2860795ed7eee0037dfb17

SHA256
ff0846ed9e2d9dd962f36b8494c1278d01e87f72b445a92555cdd78b349fd2d2

SHA512
fd8f41e3b4a0ff0e4b9d9eea73de2e8abd9cc4fbf1c09ad98d13994e09343ed5837928a9e7e38953e55727b9e1e444a52bc48d45a9ad141a1fea0a35a9d341ac

Download Submit
C:\Users\Admin\Downloads\installs64pcworldpro\Installx64.exe

Filesize
285.7MB

MD5
d88a7ed211b15e30af24a2d9d3d36ec3

SHA1
c307f299f5f673cac71c272a9aa408e767b55a93

SHA256
711c46a586ec7ef2158a3d4b2e4b4d2c34fc662dc55fbc4fe1827f80b1138f18

SHA512
caff1c0cd1706a0f784126b2570be816125b41ca895dfda4dcc0f1ff423203c050dc300e3878eeded027bdd51a09d4cae328a43776b726359b13031893350798

Download Submit
C:\Users\Admin\Downloads\installs64pcworldpro\Installx64.exe

Filesize
189.9MB

MD5
5e71d054155870d8e391d7f8eb05d18c

SHA1
98872a6ada0c18617076039f23d73cf09560b1ef

SHA256
bfaca1ea888d02b3859a09b53ed7e33013cb50f8fbcbaec0f4e2e2a51eb01aa1

SHA512
d8ad36a491b4e71428df8118c755e4b3177b109cfd944673bc0ff25b09404753eaceeb862191636b0406cae8f7cd1f8784a62532072f0ab8fb6527a6121920fc

Download Submit
C:\Users\Admin\Downloads\installs64pcworldpro\med\App\DiffImg\test\img1\yuv\tulips_yuv444_prog_planar_qcif_176x144.yuv

Filesize
445KB

MD5
0eadafd0e08e19c9ddae64185076706a

SHA1
0b9f6bfc88139e6ced5fcde15edc68a51556ea8b

SHA256
821528d4d1cfddfa314d6e8d1d85ee4520dd3f4c13650fcd71c9e17ec32a02fb

SHA512
b948897ffc0dfaf0f116d63f677a5656dd37a640e49de59c44b9f8b2e76c8ea6857025519094a5ee886cec9b9edc6e65d2bb82ae1518500da96b1fb1a5825d4b

Download Submit
memory/844-550-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/844-549-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/844-555-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download
memory/1608-527-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/1608-569-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3368-539-0x00000000059E0000-0x00000000059FE000-memory.dmp

Filesize
120KB

Download
memory/3368-568-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/3368-528-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/3368-529-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/3368-526-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/3368-523-0x00000000020F0000-0x0000000002126000-memory.dmp

Filesize
216KB

Download
memory/3368-524-0x0000000004BC0000-0x00000000051E8000-memory.dmp

Filesize
6.2MB

Download
memory/3368-525-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/3368-551-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/3368-552-0x0000000007010000-0x000000000768A000-memory.dmp

Filesize
6.5MB

Download
memory/3368-553-0x0000000005EF0000-0x0000000005F0A000-memory.dmp

Filesize
104KB

Download
memory/3368-567-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/3704-517-0x00000000004F0000-0x0000000000538000-memory.dmp

Filesize
288KB

Download
memory/3704-554-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/3704-518-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/3704-519-0x00000000064F0000-0x0000000006512000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads