Overview

overview

7

Static

static

3

201508181025.scr

windows7-x64

7

201508181025.scr

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2023, 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    201508181025.scr

  • Size

    510KB

  • MD5

    94c7105fc53a647d5a694cac27bce921

  • SHA1

    332de33d33b043e4f3f0fde6c39ceff57afd7950

  • SHA256

    41ff4f324b319a1d9fea3948fa804e9a3b12dc12d0ec1b3ee92099cf4ad45c05

  • SHA512

    9657c7b1c0cd9e5fb3dbccc0af550ae953e5870dbc177ad404d49c4dfb6ab8d67212af993e84eb6f39bbdf50cd7e7d8601d2e7f5ce1349e42b592d4ba95e675d

  • SSDEEP

    12288:dLKzKPysMX+I4IA/V/aE5PhLiG5XvktM9pVF2OD:RKealTQjhLVvSSF7D

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\201508181025.scr
    "C:\Users\Admin\AppData\Local\Temp\201508181025.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4320
  • C:\ProgramData\BYKJzaM\fsguidll.exe
    C:\ProgramData\BYKJzaM\fsguidll.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4496
  • C:\Windows\system32\WerFault.exe
    "C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20230915-0725.dmp
    1⤵
      PID:2896

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\BYKJzaM\fsguidll.exe
      Filesize

      454KB

      MD5

      2d7a648ebe64e536944c011c8dcbb375

      SHA1

      f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

      SHA256

      5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

      SHA512

      cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

      Download Submit

    • C:\ProgramData\BYKJzaM\fsguidll.exe
      Filesize

      454KB

      MD5

      2d7a648ebe64e536944c011c8dcbb375

      SHA1

      f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

      SHA256

      5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

      SHA512

      cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

      Download Submit

    • C:\ProgramData\BYKJzaM\fslapi.dll
      Filesize

      34KB

      MD5

      6e7491e0ef07500a7492fd39edc7171f

      SHA1

      2a64539842c96d8d6000054f5d7bbb214b03abd4

      SHA256

      96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

      SHA512

      16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

      Download Submit

    • C:\ProgramData\BYKJzaM\fslapi.dll
      Filesize

      34KB

      MD5

      6e7491e0ef07500a7492fd39edc7171f

      SHA1

      2a64539842c96d8d6000054f5d7bbb214b03abd4

      SHA256

      96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

      SHA512

      16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

      Download Submit

    • C:\ProgramData\BYKJzaM\fslapi.dll
      Filesize

      34KB

      MD5

      6e7491e0ef07500a7492fd39edc7171f

      SHA1

      2a64539842c96d8d6000054f5d7bbb214b03abd4

      SHA256

      96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

      SHA512

      16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

      Download Submit

    • C:\ProgramData\BYKJzaM\fslapi.dll.gui
      Filesize

      118KB

      MD5

      8d0ba0ad40b2888c3940eb3bd5f15103

      SHA1

      d95fc1edad1c44a328e98deb753b949ee0c40f0d

      SHA256

      acdc4987b74fdf7a32dff87d56c43df08cce071b493858e3ce32fcf8d6372837

      SHA512

      1cede998b0494197a54e8c3a5e5fb0dcbb64876e60813718100ec3a79760836f9230826254178481b351a8f177046e2f19408edf203b9d139a664d97dc070e2d

      Download Submit

    • C:\ProgramData\BYKJzaM\fslapi.dll.gui
      Filesize

      118KB

      MD5

      8d0ba0ad40b2888c3940eb3bd5f15103

      SHA1

      d95fc1edad1c44a328e98deb753b949ee0c40f0d

      SHA256

      acdc4987b74fdf7a32dff87d56c43df08cce071b493858e3ce32fcf8d6372837

      SHA512

      1cede998b0494197a54e8c3a5e5fb0dcbb64876e60813718100ec3a79760836f9230826254178481b351a8f177046e2f19408edf203b9d139a664d97dc070e2d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
      Filesize

      454KB

      MD5

      2d7a648ebe64e536944c011c8dcbb375

      SHA1

      f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

      SHA256

      5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

      SHA512

      cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
      Filesize

      454KB

      MD5

      2d7a648ebe64e536944c011c8dcbb375

      SHA1

      f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

      SHA256

      5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

      SHA512

      cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsguidll.exe
      Filesize

      454KB

      MD5

      2d7a648ebe64e536944c011c8dcbb375

      SHA1

      f1ec39dddb224a6a1e40d55c8f6877c908f92bcf

      SHA256

      5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635

      SHA512

      cd11dc48806678264b409c4e3f6a71d8920882dcc5c3d8a7daa53fb5152fb5dbcc8a4694866e61d4cbac10849b0be340baae6525f8c7052f1003b671df60d79f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fslapi.dll
      Filesize

      34KB

      MD5

      6e7491e0ef07500a7492fd39edc7171f

      SHA1

      2a64539842c96d8d6000054f5d7bbb214b03abd4

      SHA256

      96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

      SHA512

      16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fslapi.dll
      Filesize

      34KB

      MD5

      6e7491e0ef07500a7492fd39edc7171f

      SHA1

      2a64539842c96d8d6000054f5d7bbb214b03abd4

      SHA256

      96876d24284ff4e4155a78c043c8802421136afbc202033bf5e80d1053e3833f

      SHA512

      16424ceb6108fe9c9a01662a0c3d888b40c67e33dc3d1380004e805690244aeb22b9f461588920168fd9fd21f795523ff7d54632dcff317e2e61141d2c636b51

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fslapi.dll.gui
      Filesize

      118KB

      MD5

      8d0ba0ad40b2888c3940eb3bd5f15103

      SHA1

      d95fc1edad1c44a328e98deb753b949ee0c40f0d

      SHA256

      acdc4987b74fdf7a32dff87d56c43df08cce071b493858e3ce32fcf8d6372837

      SHA512

      1cede998b0494197a54e8c3a5e5fb0dcbb64876e60813718100ec3a79760836f9230826254178481b351a8f177046e2f19408edf203b9d139a664d97dc070e2d

      Download Submit

    • memory/2088-77-0x0000000000F90000-0x0000000000FC0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2088-39-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/2088-43-0x0000000000F90000-0x0000000000FC0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2088-41-0x0000000000E90000-0x0000000000F90000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3396-51-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-64-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-46-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-83-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-74-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-73-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-60-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-49-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-50-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-45-0x00000000005D0000-0x00000000005ED000-memory.dmp

      Filesize

      116KB

      Download

    • memory/3396-52-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-53-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-55-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-57-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-65-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-68-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-66-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-69-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-70-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-44-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-72-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-71-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-63-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-62-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3396-61-0x0000000001310000-0x0000000001340000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4320-48-0x0000000002260000-0x0000000002360000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4320-47-0x0000000002080000-0x00000000020B0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4320-21-0x0000000002080000-0x00000000020B0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4320-18-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4320-20-0x0000000002260000-0x0000000002360000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4496-76-0x0000000002560000-0x0000000002590000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4496-78-0x0000000002560000-0x0000000002590000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4496-79-0x0000000002560000-0x0000000002590000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4496-81-0x0000000002560000-0x0000000002590000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4496-82-0x0000000002560000-0x0000000002590000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4496-80-0x0000000002560000-0x0000000002590000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4496-84-0x0000000002560000-0x0000000002590000-memory.dmp

      Filesize

      192KB

      Download