77d2e896f2694cf6e302bbc33699d367d87600dc1d5390fb3ff54c8a2c7c2bf4

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

flashplayer_26_sa_debug.exe
Size

16.0MB
MD5

9290afcecb69e231fd7a34440a87116e
SHA1

0bdf91bc20606c0933a6d77e8bed22e3fda8b9b4
SHA256

77d2e896f2694cf6e302bbc33699d367d87600dc1d5390fb3ff54c8a2c7c2bf4
SHA512

115cb6fd4cc1aad33ebbc40e8d41c1b1fed34efc65db30e44492a427d4393a056183bd6ab1684680470e3b9b03900278b7cd55df8a8569f520a5b57d4f907f3b
SSDEEP

393216:70wNm+Qg7rLD65P8G5bN+SLQk2kSKy3+JVZoBIvmf/v:70wNm+QvbN+SLQk3d6Ivun

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	flashplayer_26_sa_debug.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	flashplayer_26_sa_debug.exe

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell\open	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe,-202"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe\" %1"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open\command	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4p	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe,-608"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe\" %1"	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4p\ = "FlashPlayer.ProtectedMediaForFlashPlayer"	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe,-205"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell\open\command	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4a\ = "FlashPlayer.AudioForFlashPlayer"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\DefaultIcon	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe,-203"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4a	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe,-204"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell\open	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe\" %1"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell\open	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\DefaultIcon	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\DefaultIcon	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell\open\command	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\DefaultIcon	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe\" %1"	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell\open\command	flashplayer_26_sa_debug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell	flashplayer_26_sa_debug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer_26_sa_debug.exe\" %1"	flashplayer_26_sa_debug.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1276	flashplayer_26_sa_debug.exe

C:\Users\Admin\AppData\Local\Temp\flashplayer_26_sa_debug.exe
"C:\Users\Admin\AppData\Local\Temp\flashplayer_26_sa_debug.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-67-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download