555c80afd45bc9a558a2af29044745fdb84a3c00900d6d47e5725971f260a006

General

Target

filmora_setup_full7598.exe
Size

1.9MB
MD5

13dd51bc806ab1f1bde9484fc7fd6fef
SHA1

2e925afc31308a787cbe6691366675429ad597bf
SHA256

555c80afd45bc9a558a2af29044745fdb84a3c00900d6d47e5725971f260a006
SHA512

5238caede25c98a7a2b97f60728d6c5dc7fd1d2a4f049575a7bf204ccd4e941af6f9cb1f185e5e2421986cd4a947e5fbe55795dcd425ac9bc89fb665ea3a84db
SSDEEP

49152:ziDGQapGSAT03UF3+oSSzG/fvPrvfsTiY2o+NTZ7pKD:ziDGQrkkVNovPjw2o+Ng

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2316	NFWCHK.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	filmora_setup_full7598.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop\MuiCached	filmora_setup_full7598.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	filmora_setup_full7598.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1704	filmora_setup_full7598.exe
1704	filmora_setup_full7598.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2316	1704	filmora_setup_full7598.exe	29
PID 1704 wrote to memory of 2316	1704	filmora_setup_full7598.exe	29
PID 1704 wrote to memory of 2316	1704	filmora_setup_full7598.exe	29
PID 1704 wrote to memory of 2316	1704	filmora_setup_full7598.exe	29

C:\Users\Admin\AppData\Local\Temp\filmora_setup_full7598.exe
"C:\Users\Admin\AppData\Local\Temp\filmora_setup_full7598.exe"
1⤵
- Loads dropped DLL
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
1KB

MD5
a329bb9e614b15e5f8c10fc18bdf213e

SHA1
d3795379f0d505d448ec0ce3dd9d516501891361

SHA256
f466c88013581317e0787f83148a85db29a55b827e989b192c5e315454bf0792

SHA512
40c1786e923fbfd7df6c32fb93eb21f7bf26b2d1db11ce2968409e310886aaa3d31c4ffa1a36dd25a489293d4fccc7cd535facdb8640754ffa0e8d4ed1e1d2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
504B

MD5
ef5a6192f9b572d604b3f3236f5cb72d

SHA1
2caaf8eb997d8a235e4e8cc69de1d9d6938ec8a7

SHA256
7245d9590b0ca2309dcd127ee1ab9db3587f36cc9bf5eb02106bb8f410b6e25a

SHA512
0bf2f1c14bb70df4785df66166a99cd98dede56235cd9bc34ee7ba756360b2a4f1c61a5d2b79239338262fb9309f2f9939823b7f2662534852c32e25851f26ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
5KB

MD5
d00fab5de1104186c53d23ff0c2bd6a7

SHA1
e45cdfbea452fcb00ad850bf8a762ae319917fef

SHA256
2b517153d340017849f697eb3d3ef5646f1ad1cd375a39ee9ffde4e7c1af3189

SHA512
97dbf6dadafda75e093c146c33b75184adf5ca77f1aa936d55ec2b16401b0b40ddf95682610d450ae3e1a511b2831a056cdc45fb3611f1eba086e234b04a5cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
2KB

MD5
3034da17e7aa91f89f7d1cf75674c3bd

SHA1
34003057aec684204cca78dd3b85979e0b73537f

SHA256
d6a43c8d435b98358dedb6e1af34d5f447494b92f957f3bc73f58c5e2cec56b6

SHA512
1893372c4bc9ba118a701139abbd742ad75a5a1488cd558e0c81c2bd8f26caebcaa1870700b839b2ca57194287cd3d79f7dca58c891e53966a1dc8077f8e6929

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
229B

MD5
ad0967a0ab95aa7d71b3dc92b71b8f7a

SHA1
ed63f517e32094c07a2c5b664ed1cab412233ab5

SHA256
9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc

SHA512
85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
memory/2316-1170-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download
memory/2316-1171-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing