79f736fc40140c0c94b2da2ec99a437ad827adec22af45ecb8a9af924fa4a739

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44a9a4aab2226603cc8ad4d81dc299fa.exe
Size

2.5MB
MD5

44a9a4aab2226603cc8ad4d81dc299fa
SHA1

ea9219503ca35162bec9304210f77f13c77fd176
SHA256

79f736fc40140c0c94b2da2ec99a437ad827adec22af45ecb8a9af924fa4a739
SHA512

e2d02c2f73b7dede45c97630fef051b118ffba012c2e5c45a590bd96e2281fe7acf3bccf0dfbbfba0dc386daa10ed1dbdbcfa2c050d05c8199dd771a3da5a2d0
SSDEEP

49152:rx+1KHkoWgtR4BY8Z9oTIAdjLLnuPh0wkNQjYiGKmXAvWMPbD67aSZcXw7T7e:rxuekByRGKdjLDuZ0wJjNIMWMPS7Biwy

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2660	netsh.exe

Executes dropped EXE 7 IoCs

pid	Process
2132	CfosSpeed 4.50 .silverado96..exe
2744	CfosSpeed 4.50 .silverado96..exe
1136	setup.exe
1020	Server.exe
1464	Server.exe
1736	Socks.exe
1764	Socks.exe

Loads dropped DLL 34 IoCs

pid	Process
2368	44a9a4aab2226603cc8ad4d81dc299fa.exe
2368	44a9a4aab2226603cc8ad4d81dc299fa.exe
2132	CfosSpeed 4.50 .silverado96..exe
2132	CfosSpeed 4.50 .silverado96..exe
2132	CfosSpeed 4.50 .silverado96..exe
2132	CfosSpeed 4.50 .silverado96..exe
2744	CfosSpeed 4.50 .silverado96..exe
2744	CfosSpeed 4.50 .silverado96..exe
2744	CfosSpeed 4.50 .silverado96..exe
1136	setup.exe
2132	CfosSpeed 4.50 .silverado96..exe
2132	CfosSpeed 4.50 .silverado96..exe
2368	44a9a4aab2226603cc8ad4d81dc299fa.exe
2368	44a9a4aab2226603cc8ad4d81dc299fa.exe
1020	Server.exe
1020	Server.exe
1020	Server.exe
1464	Server.exe
1464	Server.exe
1464	Server.exe
1020	Server.exe
1464	Server.exe
1020	Server.exe
1464	Server.exe
1020	Server.exe
1464	Server.exe
1736	Socks.exe
1764	Socks.exe
1764	Socks.exe
1736	Socks.exe
1764	Socks.exe
1736	Socks.exe
1764	Socks.exe
1736	Socks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinsysMon = "C:\\Windows\\SysWOW64\\Socks.exe"	reg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	Server.exe
File created	C:\Windows\SysWOW64\MSWINSCK.OCX	Server.exe
File opened for modification	C:\Windows\SysWOW64\socklink.txt	Server.exe
File created	C:\Windows\SysWOW64\Socks.exe	Server.exe
File created	C:\Windows\SysWOW64\MSWINSCK.OCX	Server.exe
File created	C:\Windows\SysWOW64\socklink.txt	Server.exe
File opened for modification	C:\Windows\SysWOW64\Socks.exe	Server.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cFosSpeed_Setup_Log.txt	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a000000015f7a-10.dat	nsis_installer_2
behavioral1/files/0x000a000000015f7a-9.dat	nsis_installer_2
behavioral1/files/0x000a000000015f7a-8.dat	nsis_installer_2
behavioral1/files/0x000a000000015f7a-7.dat	nsis_installer_2
behavioral1/files/0x000a000000015f7a-4.dat	nsis_installer_2
behavioral1/files/0x000a000000015f7a-2.dat	nsis_installer_2

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	Server.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2200	reg.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1736	Socks.exe
1764	Socks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2132	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2368 wrote to memory of 2132	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2368 wrote to memory of 2132	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2368 wrote to memory of 2132	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2368 wrote to memory of 2132	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2368 wrote to memory of 2132	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2368 wrote to memory of 2132	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2132 wrote to memory of 2744	2132	CfosSpeed 4.50 .silverado96..exe	18
PID 2132 wrote to memory of 2744	2132	CfosSpeed 4.50 .silverado96..exe	18
PID 2132 wrote to memory of 2744	2132	CfosSpeed 4.50 .silverado96..exe	18
PID 2132 wrote to memory of 2744	2132	CfosSpeed 4.50 .silverado96..exe	18
PID 2132 wrote to memory of 2744	2132	CfosSpeed 4.50 .silverado96..exe	18
PID 2132 wrote to memory of 2744	2132	CfosSpeed 4.50 .silverado96..exe	18
PID 2132 wrote to memory of 2744	2132	CfosSpeed 4.50 .silverado96..exe	18
PID 2744 wrote to memory of 1136	2744	CfosSpeed 4.50 .silverado96..exe	19
PID 2744 wrote to memory of 1136	2744	CfosSpeed 4.50 .silverado96..exe	19
PID 2744 wrote to memory of 1136	2744	CfosSpeed 4.50 .silverado96..exe	19
PID 2744 wrote to memory of 1136	2744	CfosSpeed 4.50 .silverado96..exe	19
PID 2744 wrote to memory of 1136	2744	CfosSpeed 4.50 .silverado96..exe	19
PID 2744 wrote to memory of 1136	2744	CfosSpeed 4.50 .silverado96..exe	19
PID 2744 wrote to memory of 1136	2744	CfosSpeed 4.50 .silverado96..exe	19
PID 2132 wrote to memory of 1020	2132	CfosSpeed 4.50 .silverado96..exe	42
PID 2132 wrote to memory of 1020	2132	CfosSpeed 4.50 .silverado96..exe	42
PID 2132 wrote to memory of 1020	2132	CfosSpeed 4.50 .silverado96..exe	42
PID 2132 wrote to memory of 1020	2132	CfosSpeed 4.50 .silverado96..exe	42
PID 2132 wrote to memory of 1020	2132	CfosSpeed 4.50 .silverado96..exe	42
PID 2132 wrote to memory of 1020	2132	CfosSpeed 4.50 .silverado96..exe	42
PID 2132 wrote to memory of 1020	2132	CfosSpeed 4.50 .silverado96..exe	42
PID 2368 wrote to memory of 1464	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2368 wrote to memory of 1464	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2368 wrote to memory of 1464	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2368 wrote to memory of 1464	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2368 wrote to memory of 1464	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2368 wrote to memory of 1464	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2368 wrote to memory of 1464	2368	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 1020 wrote to memory of 1764	1020	Server.exe	40
PID 1020 wrote to memory of 1764	1020	Server.exe	40
PID 1020 wrote to memory of 1764	1020	Server.exe	40
PID 1020 wrote to memory of 1764	1020	Server.exe	40
PID 1020 wrote to memory of 1764	1020	Server.exe	40
PID 1020 wrote to memory of 1764	1020	Server.exe	40
PID 1020 wrote to memory of 1764	1020	Server.exe	40
PID 1464 wrote to memory of 1736	1464	Server.exe	39
PID 1464 wrote to memory of 1736	1464	Server.exe	39
PID 1464 wrote to memory of 1736	1464	Server.exe	39
PID 1464 wrote to memory of 1736	1464	Server.exe	39
PID 1464 wrote to memory of 1736	1464	Server.exe	39
PID 1464 wrote to memory of 1736	1464	Server.exe	39
PID 1464 wrote to memory of 1736	1464	Server.exe	39
PID 1736 wrote to memory of 2216	1736	Socks.exe	38
PID 1736 wrote to memory of 2216	1736	Socks.exe	38
PID 1736 wrote to memory of 2216	1736	Socks.exe	38
PID 1736 wrote to memory of 2216	1736	Socks.exe	38
PID 1736 wrote to memory of 2216	1736	Socks.exe	38
PID 1736 wrote to memory of 2216	1736	Socks.exe	38
PID 1736 wrote to memory of 2216	1736	Socks.exe	38
PID 1736 wrote to memory of 2660	1736	Socks.exe	37
PID 1736 wrote to memory of 2660	1736	Socks.exe	37
PID 1736 wrote to memory of 2660	1736	Socks.exe	37
PID 1736 wrote to memory of 2660	1736	Socks.exe	37
PID 1736 wrote to memory of 2660	1736	Socks.exe	37
PID 1736 wrote to memory of 2660	1736	Socks.exe	37
PID 1736 wrote to memory of 2660	1736	Socks.exe	37
PID 1736 wrote to memory of 1612	1736	Socks.exe	34

C:\Users\Admin\AppData\Local\Temp\44a9a4aab2226603cc8ad4d81dc299fa.exe
"C:\Users\Admin\AppData\Local\Temp\44a9a4aab2226603cc8ad4d81dc299fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe
  "C:\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\nsd198A.tmp\Server.exe
    C:\Users\Admin\AppData\Local\Temp\nsd198A.tmp\Server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1020
- C:\Users\Admin\AppData\Local\Temp\nsd193C.tmp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\nsd193C.tmp\Server.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464

C:\Users\Admin\AppData\Local\Temp\nsd198A.tmp\CfosSpeed 4.50 .silverado96..exe
"C:\Users\Admin\AppData\Local\Temp\nsd198A.tmp\CfosSpeed 4.50 .silverado96..exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\$cfsfx.0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\$cfsfx.0\setup.exe" -parentdir:"C:\Users\Admin\AppData\Local\Temp\nsd198A.tmp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
1⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WinsysMon /t REG_SZ /d "C:\Windows\SysWOW64\Socks.exe" /f
1⤵
- Adds Run key to start application
- Modifies registry key
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hi.bat
1⤵
PID:1612

C:\Windows\SysWOW64\netsh.exe
netsh firewall set service type = upnp mode = enable
1⤵
- Modifies Windows Firewall
PID:2660

C:\Windows\SysWOW64\net.exe
net stop wscsvc
1⤵
PID:2216

C:\Windows\SysWOW64\Socks.exe
C:\Windows\system32\Socks.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\Socks.exe
C:\Windows\system32\Socks.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
887KB

MD5
3ed33279383580f9a7a2282ec781f180

SHA1
f0310e7e4e739e4f1d6a125250c1636b88230bed

SHA256
48e73b96ced337eb5f9ec0e9d1f7e007d8ff848f612e22112d264a4bd003349b

SHA512
e4c3bb72ffba18939979022183f7cda953e32b9e62b99b92c67c5852498fed0c77bca7c31a98b3e531e946ddbb4093832b8acafa9f61e66fede11a8684714739

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
377KB

MD5
94a83138339663d6022c0002d05eed63

SHA1
229b14935edb1c633659e8883511bc5849966bea

SHA256
3bf09bd63cc9c8ebad2d59f16e8f778398e01c666965a96a68168ba3c0c1655e

SHA512
31930d4df62429fa42a9b9f011897760a8da3f2902a64c4709018ff374b3fd9ca40ad4de7d201397ce79fd9756b69ae9fb188e17e9d92b0e33f06723e5a24218

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
93KB

MD5
98e06f6388ee96126d5037bad63b5c1f

SHA1
577707516ffdbf68e6fc65ff80c07f1bb10c6284

SHA256
209990549ea60ea7fd2094c762aa3759ed8ca52cb8a1ec885c930a1948b63f32

SHA512
92a53c3275cec6e7ac240a21e1ac228ad179bfc09f2fef1d5ce54f9d1777a039272da154115e8a46d9261e60e0691cfdaf303162fd3d75ce40ff6a23bf57c3c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
92KB

MD5
da714484e6af2535c066022ac933a216

SHA1
1ead9f354e746a4e03d9937bdd12dd16ccb26517

SHA256
98034fca0023f7a3bdc3588e9aae263383b73cc7b6e1a7f256b1a207491a05b1

SHA512
51254f5bf0909020f80ce3f19ba6f5b607a6536fc49654a131e14a238d24418f8e1e183decd2c072bc50cc2345d4a5c911044660b89efbd7ca3a20b7f110afca

Download Submit
\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
890KB

MD5
db4988f47a001a6bb627880a2b564e9e

SHA1
012c933379b8523ef304c4c8288b43a8c13ae3c8

SHA256
0766ecfb3a3792afc330f0ebb653f1c41ae65cb99d0718d860510d220d5778e5

SHA512
bc1cdf73f58f30c5e73340822b4a4b161734fa4aa3eadf25904bdbbb04a65f9f7c46fae3aa49d2a101b32999563c7b9610f893bd20a755ef939929f2f72154a4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd193C.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
893KB

MD5
107bd79a7cc8d26db8d09eb1d287dcaa

SHA1
7bfce615e2cfa98322cb1d4e46b6556ea94d5f47

SHA256
e0bf86c3a3579a81ccf7c197def1cade8f6da56319dcf019e32d20457d4e185f

SHA512
ac72b3b97e25f1a336872e0335ebca67a052270d2eaf1226cc1646aaa0ca44b8c692851505e438b9f8d146264bb4f624e8ef63cffab7d09d8e7f92379ad58a15

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads