9a011991b5afef9feae6f13faa7e04e7a708aa010b47e405bd9266bfc1b0c8c2

Analysis

max time kernel
84s
max time network
74s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file_access_monitor_setup.exe
Size

4.1MB
MD5

40145e48b1df0d0a2c996e3608693205
SHA1

11a86ac7c2e8a0bc8194851027836671143ac1cb
SHA256

9a011991b5afef9feae6f13faa7e04e7a708aa010b47e405bd9266bfc1b0c8c2
SHA512

800fcbe4fd1c3d796a1fd9e63094d20093dbb536ead5d9b61e08085b28b6dee463e28dc83a0b30a1348743e2dafd0326637fd95bd8747ac86fd56c09f0c79bcb
SSDEEP

98304:gL0g15ysxQwbo+pvBxVI4haEsCEPwa+v1lqLxjN:gLT59xQMjjVDhDfa+v/qLxp

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4460	netsh.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\SoftPerfect File Access Monitor\is-6URB4.tmp	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-75B8C.tmp	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\unins000.dat	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-T0MNE.tmp	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-UBVV4.tmp	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-I86DC.tmp	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-OSGNR.tmp	file_access_monitor_setup.tmp
File opened for modification	C:\Program Files\SoftPerfect File Access Monitor\unins000.dat	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-A347Q.tmp	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-0PDFQ.tmp	file_access_monitor_setup.tmp
File created	C:\Program Files\SoftPerfect File Access Monitor\is-LVAT0.tmp	file_access_monitor_setup.tmp

Executes dropped EXE 6 IoCs

pid	Process
4624	file_access_monitor_setup.tmp
204	install.exe
2088	FAMCore.exe
1472	FAMCore.exe
4840	FAMCore.exe
3356	FAMGUI.exe

Loads dropped DLL 7 IoCs

pid	Process
204	install.exe
2088	FAMCore.exe
2088	FAMCore.exe
1472	FAMCore.exe
1472	FAMCore.exe
4840	FAMCore.exe
4840	FAMCore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
204	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	204	install.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4624	file_access_monitor_setup.tmp

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 4624	384	file_access_monitor_setup.exe	70
PID 384 wrote to memory of 4624	384	file_access_monitor_setup.exe	70
PID 384 wrote to memory of 4624	384	file_access_monitor_setup.exe	70
PID 4624 wrote to memory of 2840	4624	file_access_monitor_setup.tmp	71
PID 4624 wrote to memory of 2840	4624	file_access_monitor_setup.tmp	71
PID 2840 wrote to memory of 4360	2840	net.exe	73
PID 2840 wrote to memory of 4360	2840	net.exe	73
PID 4624 wrote to memory of 204	4624	file_access_monitor_setup.tmp	74
PID 4624 wrote to memory of 204	4624	file_access_monitor_setup.tmp	74
PID 4624 wrote to memory of 2088	4624	file_access_monitor_setup.tmp	76
PID 4624 wrote to memory of 2088	4624	file_access_monitor_setup.tmp	76
PID 2088 wrote to memory of 1472	2088	FAMCore.exe	77
PID 2088 wrote to memory of 1472	2088	FAMCore.exe	77
PID 4624 wrote to memory of 4460	4624	file_access_monitor_setup.tmp	80
PID 4624 wrote to memory of 4460	4624	file_access_monitor_setup.tmp	80
PID 4624 wrote to memory of 3356	4624	file_access_monitor_setup.tmp	82
PID 4624 wrote to memory of 3356	4624	file_access_monitor_setup.tmp	82

C:\Users\Admin\AppData\Local\Temp\file_access_monitor_setup.exe
"C:\Users\Admin\AppData\Local\Temp\file_access_monitor_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\is-0Q9DC.tmp\file_access_monitor_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0Q9DC.tmp\file_access_monitor_setup.tmp" /SL5="$5022A,3929571,121344,C:\Users\Admin\AppData\Local\Temp\file_access_monitor_setup.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop FAMService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FAMService
      4⤵
      PID:4360
- - C:\Program Files\SoftPerfect File Access Monitor\install.exe
    "C:\Program Files\SoftPerfect File Access Monitor\install.exe" /silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:204
- - C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe
    "C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe" /sinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe
      "C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe" /INSTALL /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1472
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="SoftPerfect File Access Monitor Service" dir=in action=allow program="C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4460
- - C:\Program Files\SoftPerfect File Access Monitor\FAMGUI.exe
    "C:\Program Files\SoftPerfect File Access Monitor\FAMGUI.exe"
    3⤵
    - Executes dropped EXE
    PID:3356

C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe
"C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe

Filesize
4.8MB

MD5
e87c1c2e4bf7f5c5f66b37ea6b02510d

SHA1
3b28328f009a8abcb497e6c0774150416dce4f12

SHA256
3397538975a8122dff137c808d7305174c03e1a74d76f45873e709c84bd22e27

SHA512
5c93b8b3498cb17edc6addbc93e8cfb115fadf4c21a60b928cdc508648ded588106bfe8ac0866c9edb938094ffa382c6ac70f1c8bdfd45b4dcaddcfdcb469841

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe

Filesize
4.8MB

MD5
e87c1c2e4bf7f5c5f66b37ea6b02510d

SHA1
3b28328f009a8abcb497e6c0774150416dce4f12

SHA256
3397538975a8122dff137c808d7305174c03e1a74d76f45873e709c84bd22e27

SHA512
5c93b8b3498cb17edc6addbc93e8cfb115fadf4c21a60b928cdc508648ded588106bfe8ac0866c9edb938094ffa382c6ac70f1c8bdfd45b4dcaddcfdcb469841

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe

Filesize
4.8MB

MD5
e87c1c2e4bf7f5c5f66b37ea6b02510d

SHA1
3b28328f009a8abcb497e6c0774150416dce4f12

SHA256
3397538975a8122dff137c808d7305174c03e1a74d76f45873e709c84bd22e27

SHA512
5c93b8b3498cb17edc6addbc93e8cfb115fadf4c21a60b928cdc508648ded588106bfe8ac0866c9edb938094ffa382c6ac70f1c8bdfd45b4dcaddcfdcb469841

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\FAMCore.exe

Filesize
4.8MB

MD5
e87c1c2e4bf7f5c5f66b37ea6b02510d

SHA1
3b28328f009a8abcb497e6c0774150416dce4f12

SHA256
3397538975a8122dff137c808d7305174c03e1a74d76f45873e709c84bd22e27

SHA512
5c93b8b3498cb17edc6addbc93e8cfb115fadf4c21a60b928cdc508648ded588106bfe8ac0866c9edb938094ffa382c6ac70f1c8bdfd45b4dcaddcfdcb469841

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\FAMGUI.exe

Filesize
5.6MB

MD5
c45054bef4fa37fb354de30d738521b9

SHA1
856ae79e8b1869464b577418936dcadaa2abcea7

SHA256
4cd8f832ad2e0d0a3f232bcce52f258af253c44da42d6f98456a87082112bec6

SHA512
593e257156c964a6cee4a6caa72987ffd5b9d3afb20f6f1e9bf38120fc8a566482a6dbbf4e3a2986d9f58427ee69ba3ffedd67e6eed4dcc98ea52da134221da8

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\FAMGUI.exe

Filesize
5.6MB

MD5
c45054bef4fa37fb354de30d738521b9

SHA1
856ae79e8b1869464b577418936dcadaa2abcea7

SHA256
4cd8f832ad2e0d0a3f232bcce52f258af253c44da42d6f98456a87082112bec6

SHA512
593e257156c964a6cee4a6caa72987ffd5b9d3afb20f6f1e9bf38120fc8a566482a6dbbf4e3a2986d9f58427ee69ba3ffedd67e6eed4dcc98ea52da134221da8

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\FAMGUI.exe

Filesize
5.6MB

MD5
c45054bef4fa37fb354de30d738521b9

SHA1
856ae79e8b1869464b577418936dcadaa2abcea7

SHA256
4cd8f832ad2e0d0a3f232bcce52f258af253c44da42d6f98456a87082112bec6

SHA512
593e257156c964a6cee4a6caa72987ffd5b9d3afb20f6f1e9bf38120fc8a566482a6dbbf4e3a2986d9f58427ee69ba3ffedd67e6eed4dcc98ea52da134221da8

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\fsnklib.dll

Filesize
123KB

MD5
b3386a08a86fa105f1dde4495112172b

SHA1
29ad2b9c6c0f50042101436af965c5ee4701acd5

SHA256
232c83809e8858491ee6bc941f30ab9092bb1c484c1de5e9a92a88862a0ab934

SHA512
a140f4134865af204f6b174ff9e4aa946f3ee3b51850db550824b0b8cddbf6ce12e353850152ebd8b222b4717ae4bed3f57f74cf01784dd7e202644e2fceff2a

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\install.exe

Filesize
99KB

MD5
8098e9ab9900eef4b0c78cc057f5eb6f

SHA1
d8246dcc071e43b34e2281b495d076e3b30d151c

SHA256
adbde5be08465d127b167bb68da6596a90d845d96ad1381812e8b838e0f958bc

SHA512
d3667c3dd9ad2d00389370acffd58a1418407fa3beb889322249cb4ec68a7fd78fe9d10d087e4ed6f16fb3c128c7238fef0bee6e4786a888848bd89abca817f3

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\install.exe

Filesize
99KB

MD5
8098e9ab9900eef4b0c78cc057f5eb6f

SHA1
d8246dcc071e43b34e2281b495d076e3b30d151c

SHA256
adbde5be08465d127b167bb68da6596a90d845d96ad1381812e8b838e0f958bc

SHA512
d3667c3dd9ad2d00389370acffd58a1418407fa3beb889322249cb4ec68a7fd78fe9d10d087e4ed6f16fb3c128c7238fef0bee6e4786a888848bd89abca817f3

Download Submit
C:\Program Files\SoftPerfect File Access Monitor\sqlite.dll

Filesize
794KB

MD5
5bc229a3c39be924e413ba01cc77fb17

SHA1
7f3d0b52527e79c3325c531e78ca6ed249a5eca8

SHA256
b1b0a0b879e4385a4d6d442f13255063c4b52d5f45e4f105a6dcbcf70a25b7be

SHA512
d448d96bd4b2e448debace4da6b71e1e3062b3f34f7f77448a936660ac892d096ea64dcb5102743f2fdef208008816b040649831fe4fe201a6f154d7d276a01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0Q9DC.tmp\file_access_monitor_setup.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0Q9DC.tmp\file_access_monitor_setup.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
\Program Files\SoftPerfect File Access Monitor\fsnklib.dll

Filesize
123KB

MD5
b3386a08a86fa105f1dde4495112172b

SHA1
29ad2b9c6c0f50042101436af965c5ee4701acd5

SHA256
232c83809e8858491ee6bc941f30ab9092bb1c484c1de5e9a92a88862a0ab934

SHA512
a140f4134865af204f6b174ff9e4aa946f3ee3b51850db550824b0b8cddbf6ce12e353850152ebd8b222b4717ae4bed3f57f74cf01784dd7e202644e2fceff2a

Download Submit
\Program Files\SoftPerfect File Access Monitor\fsnklib.dll

Filesize
123KB

MD5
b3386a08a86fa105f1dde4495112172b

SHA1
29ad2b9c6c0f50042101436af965c5ee4701acd5

SHA256
232c83809e8858491ee6bc941f30ab9092bb1c484c1de5e9a92a88862a0ab934

SHA512
a140f4134865af204f6b174ff9e4aa946f3ee3b51850db550824b0b8cddbf6ce12e353850152ebd8b222b4717ae4bed3f57f74cf01784dd7e202644e2fceff2a

Download Submit
\Program Files\SoftPerfect File Access Monitor\fsnklib.dll

Filesize
123KB

MD5
b3386a08a86fa105f1dde4495112172b

SHA1
29ad2b9c6c0f50042101436af965c5ee4701acd5

SHA256
232c83809e8858491ee6bc941f30ab9092bb1c484c1de5e9a92a88862a0ab934

SHA512
a140f4134865af204f6b174ff9e4aa946f3ee3b51850db550824b0b8cddbf6ce12e353850152ebd8b222b4717ae4bed3f57f74cf01784dd7e202644e2fceff2a

Download Submit
\Program Files\SoftPerfect File Access Monitor\fsnklib.dll

Filesize
123KB

MD5
b3386a08a86fa105f1dde4495112172b

SHA1
29ad2b9c6c0f50042101436af965c5ee4701acd5

SHA256
232c83809e8858491ee6bc941f30ab9092bb1c484c1de5e9a92a88862a0ab934

SHA512
a140f4134865af204f6b174ff9e4aa946f3ee3b51850db550824b0b8cddbf6ce12e353850152ebd8b222b4717ae4bed3f57f74cf01784dd7e202644e2fceff2a

Download Submit
\Program Files\SoftPerfect File Access Monitor\sqlite.dll

Filesize
794KB

MD5
5bc229a3c39be924e413ba01cc77fb17

SHA1
7f3d0b52527e79c3325c531e78ca6ed249a5eca8

SHA256
b1b0a0b879e4385a4d6d442f13255063c4b52d5f45e4f105a6dcbcf70a25b7be

SHA512
d448d96bd4b2e448debace4da6b71e1e3062b3f34f7f77448a936660ac892d096ea64dcb5102743f2fdef208008816b040649831fe4fe201a6f154d7d276a01e

Download Submit
\Program Files\SoftPerfect File Access Monitor\sqlite.dll

Filesize
794KB

MD5
5bc229a3c39be924e413ba01cc77fb17

SHA1
7f3d0b52527e79c3325c531e78ca6ed249a5eca8

SHA256
b1b0a0b879e4385a4d6d442f13255063c4b52d5f45e4f105a6dcbcf70a25b7be

SHA512
d448d96bd4b2e448debace4da6b71e1e3062b3f34f7f77448a936660ac892d096ea64dcb5102743f2fdef208008816b040649831fe4fe201a6f154d7d276a01e

Download Submit
\Program Files\SoftPerfect File Access Monitor\sqlite.dll

Filesize
794KB

MD5
5bc229a3c39be924e413ba01cc77fb17

SHA1
7f3d0b52527e79c3325c531e78ca6ed249a5eca8

SHA256
b1b0a0b879e4385a4d6d442f13255063c4b52d5f45e4f105a6dcbcf70a25b7be

SHA512
d448d96bd4b2e448debace4da6b71e1e3062b3f34f7f77448a936660ac892d096ea64dcb5102743f2fdef208008816b040649831fe4fe201a6f154d7d276a01e

Download Submit
memory/384-205-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/384-118-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/384-125-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1472-173-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1472-174-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/2088-196-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/2088-172-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2088-193-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/2088-184-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/3356-202-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3356-206-0x0000000000400000-0x00000000009B1000-memory.dmp

Filesize
5.7MB

Download
memory/3356-207-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4624-169-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4624-198-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4624-128-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4624-127-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4624-204-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4624-123-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4840-181-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/4840-178-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads