Overview

overview

7

Static

static

3

201508181025.scr

windows7-x64

7

201508181025.scr

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    09/10/2023, 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    201508181025.scr

  • Size

    510KB

  • MD5

    94c7105fc53a647d5a694cac27bce921

  • SHA1

    332de33d33b043e4f3f0fde6c39ceff57afd7950

  • SHA256

    41ff4f324b319a1d9fea3948fa804e9a3b12dc12d0ec1b3ee92099cf4ad45c05

  • SHA512

    9657c7b1c0cd9e5fb3dbccc0af550ae953e5870dbc177ad404d49c4dfb6ab8d67212af993e84eb6f39bbdf50cd7e7d8601d2e7f5ce1349e42b592d4ba95e675d

  • SSDEEP

    12288:dLKzKPysMX+I4IA/V/aE5PhLiG5XvktM9pVF2OD:RKealTQjhLVvSSF7D

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\201508181025.scr
    "C:\Users\Admin\AppData\Local\Temp\201508181025.scr" /S
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2600
  • C:\ProgramData\BYKJzaM\fsguidll.exe
    C:\ProgramData\BYKJzaM\fsguidll.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      2⤵
      • Deletes itself
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\BYKJzaM\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • C:\ProgramData\BYKJzaM\fslapi.dll
    Filesize

    34KB

    MD5

    6e7491e0ef07500a7492fd39edc7171f

    SHA1

    2a64539842c96d8d6000054f5d7bbb214b03abd4

    SHA256

    96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

    SHA512

    16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

    Download Submit

  • C:\ProgramData\BYKJzaM\fslapi.dll
    Filesize

    34KB

    MD5

    6e7491e0ef07500a7492fd39edc7171f

    SHA1

    2a64539842c96d8d6000054f5d7bbb214b03abd4

    SHA256

    96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

    SHA512

    16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

    Download Submit

  • C:\ProgramData\BYKJzaM\fslapi.dll.gui
    Filesize

    118KB

    MD5

    8d0ba0ad40b2888c3940eb3bd5f15103

    SHA1

    d95fc1edad1c44a328e98deb753b949ee0c40f0d

    SHA256

    acdc4987b74fdf7a32dff87d56c43df08cce071b493858e3ce32fcf8d6372837

    SHA512

    1cede998b0494197a54e8c3a5e5fb0dcbb64876e60813718100ec3a79760836f9230826254178481b351a8f177046e2f19408edf203b9d139a664d97dc070e2d

    Download Submit

  • C:\ProgramData\BYKJzaM\fslapi.dll.gui
    Filesize

    118KB

    MD5

    8d0ba0ad40b2888c3940eb3bd5f15103

    SHA1

    d95fc1edad1c44a328e98deb753b949ee0c40f0d

    SHA256

    acdc4987b74fdf7a32dff87d56c43df08cce071b493858e3ce32fcf8d6372837

    SHA512

    1cede998b0494197a54e8c3a5e5fb0dcbb64876e60813718100ec3a79760836f9230826254178481b351a8f177046e2f19408edf203b9d139a664d97dc070e2d

    Download Submit

  • C:\ProgramData\BYKJzaM\spjboagdp
    Filesize

    1KB

    MD5

    cb58997909932d0835f7b6e37ccfdbe8

    SHA1

    63e28406c6b34d62f6738c68017cea61709b1968

    SHA256

    bc3c6a77cdff0d3dabdb13ecff89bea5fd692200f4bc19138e4ed514eed13b01

    SHA512

    0cf2ed35dfe13e915d4972f6d5688b0449d176e7c32567745c5e055e712e28f7c5cf7096741e46940cc8332c728e4d22afb978bf2bfd82a0e9dfc2b11c722b69

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fslapi.dll
    Filesize

    34KB

    MD5

    6e7491e0ef07500a7492fd39edc7171f

    SHA1

    2a64539842c96d8d6000054f5d7bbb214b03abd4

    SHA256

    96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

    SHA512

    16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fslapi.dll.gui
    Filesize

    118KB

    MD5

    8d0ba0ad40b2888c3940eb3bd5f15103

    SHA1

    d95fc1edad1c44a328e98deb753b949ee0c40f0d

    SHA256

    acdc4987b74fdf7a32dff87d56c43df08cce071b493858e3ce32fcf8d6372837

    SHA512

    1cede998b0494197a54e8c3a5e5fb0dcbb64876e60813718100ec3a79760836f9230826254178481b351a8f177046e2f19408edf203b9d139a664d97dc070e2d

    Download Submit

  • \ProgramData\BYKJzaM\fslapi.dll
    Filesize

    34KB

    MD5

    6e7491e0ef07500a7492fd39edc7171f

    SHA1

    2a64539842c96d8d6000054f5d7bbb214b03abd4

    SHA256

    96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

    SHA512

    16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
    Filesize

    454KB

    MD5

    2d7a648ebe64e536944c011c8dcbb375

    SHA1

    f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

    SHA256

    5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

    SHA512

    cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\fslapi.dll
    Filesize

    34KB

    MD5

    6e7491e0ef07500a7492fd39edc7171f

    SHA1

    2a64539842c96d8d6000054f5d7bbb214b03abd4

    SHA256

    96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

    SHA512

    16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

    Download Submit

  • memory/1580-101-0x00000000003C0000-0x00000000003F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1580-98-0x00000000003C0000-0x00000000003F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1580-94-0x00000000003C0000-0x00000000003F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1580-96-0x00000000003C0000-0x00000000003F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1580-92-0x0000000000670000-0x0000000000684000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1580-91-0x00000000003C0000-0x00000000003F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1580-97-0x00000000003C0000-0x00000000003F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2468-42-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2468-44-0x0000000001E00000-0x0000000001F00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2468-46-0x0000000000280000-0x00000000002B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2468-95-0x0000000000280000-0x00000000002B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-56-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-67-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-54-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-55-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-110-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-57-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-58-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-62-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-77-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-78-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-49-0x0000000000FD0000-0x0000000000FFC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2556-76-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-75-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-74-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-73-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-72-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-69-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-70-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-68-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-109-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-66-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-65-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-51-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-50-0x0000000000080000-0x000000000009D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2556-48-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-47-0x0000000000080000-0x000000000009D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2556-108-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-107-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-106-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-100-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-105-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-102-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2556-103-0x0000000000150000-0x0000000000180000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2600-21-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2600-23-0x0000000001F90000-0x0000000002090000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2600-24-0x00000000003B0000-0x00000000003E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2600-25-0x00000000003B0000-0x00000000003E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2600-53-0x0000000001F90000-0x0000000002090000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2600-52-0x00000000003B0000-0x00000000003E0000-memory.dmp

    Filesize

    192KB

    Download