79f736fc40140c0c94b2da2ec99a437ad827adec22af45ecb8a9af924fa4a739

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44a9a4aab2226603cc8ad4d81dc299fa.exe
Size

2.5MB
MD5

44a9a4aab2226603cc8ad4d81dc299fa
SHA1

ea9219503ca35162bec9304210f77f13c77fd176
SHA256

79f736fc40140c0c94b2da2ec99a437ad827adec22af45ecb8a9af924fa4a739
SHA512

e2d02c2f73b7dede45c97630fef051b118ffba012c2e5c45a590bd96e2281fe7acf3bccf0dfbbfba0dc386daa10ed1dbdbcfa2c050d05c8199dd771a3da5a2d0
SSDEEP

49152:rx+1KHkoWgtR4BY8Z9oTIAdjLLnuPh0wkNQjYiGKmXAvWMPbD67aSZcXw7T7e:rxuekByRGKdjLDuZ0wJjNIMWMPS7Biwy

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1188	netsh.exe

Executes dropped EXE 7 IoCs

pid	Process
2216	CfosSpeed 4.50 .silverado96..exe
3068	CfosSpeed 4.50 .silverado96..exe
1936	cmd.exe
740	Server.exe
1912	Server.exe
1588	Socks.exe
1556	Socks.exe

Loads dropped DLL 34 IoCs

pid	Process
2376	44a9a4aab2226603cc8ad4d81dc299fa.exe
2376	44a9a4aab2226603cc8ad4d81dc299fa.exe
2216	CfosSpeed 4.50 .silverado96..exe
2216	CfosSpeed 4.50 .silverado96..exe
2216	CfosSpeed 4.50 .silverado96..exe
2216	CfosSpeed 4.50 .silverado96..exe
3068	CfosSpeed 4.50 .silverado96..exe
3068	CfosSpeed 4.50 .silverado96..exe
3068	CfosSpeed 4.50 .silverado96..exe
1936	cmd.exe
2216	CfosSpeed 4.50 .silverado96..exe
2216	CfosSpeed 4.50 .silverado96..exe
2376	44a9a4aab2226603cc8ad4d81dc299fa.exe
2376	44a9a4aab2226603cc8ad4d81dc299fa.exe
740	Server.exe
740	Server.exe
740	Server.exe
1912	Server.exe
1912	Server.exe
1912	Server.exe
740	Server.exe
1912	Server.exe
740	Server.exe
1912	Server.exe
740	Server.exe
1912	Server.exe
1588	Socks.exe
1556	Socks.exe
1588	Socks.exe
1556	Socks.exe
1588	Socks.exe
1556	Socks.exe
1588	Socks.exe
1556	Socks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinsysMon = "C:\\Windows\\SysWOW64\\Socks.exe"	reg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Socks.exe	Server.exe
File created	C:\Windows\SysWOW64\socklink.txt	Server.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	Server.exe
File created	C:\Windows\SysWOW64\MSWINSCK.OCX	Server.exe
File opened for modification	C:\Windows\SysWOW64\socklink.txt	Server.exe
File created	C:\Windows\SysWOW64\Socks.exe	Server.exe
File created	C:\Windows\SysWOW64\MSWINSCK.OCX	Server.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cFosSpeed_Setup_Log.txt	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b0000000126af-10.dat	nsis_installer_2
behavioral1/files/0x000b0000000126af-9.dat	nsis_installer_2
behavioral1/files/0x000b0000000126af-4.dat	nsis_installer_2
behavioral1/files/0x000b0000000126af-2.dat	nsis_installer_2

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	Server.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	Server.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	Server.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	Server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	Server.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2328	reg.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1556	Socks.exe
1588	Socks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2216	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2376 wrote to memory of 2216	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2376 wrote to memory of 2216	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2376 wrote to memory of 2216	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2376 wrote to memory of 2216	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2376 wrote to memory of 2216	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2376 wrote to memory of 2216	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	20
PID 2216 wrote to memory of 3068	2216	CfosSpeed 4.50 .silverado96..exe	18
PID 2216 wrote to memory of 3068	2216	CfosSpeed 4.50 .silverado96..exe	18
PID 2216 wrote to memory of 3068	2216	CfosSpeed 4.50 .silverado96..exe	18
PID 2216 wrote to memory of 3068	2216	CfosSpeed 4.50 .silverado96..exe	18
PID 2216 wrote to memory of 3068	2216	CfosSpeed 4.50 .silverado96..exe	18
PID 2216 wrote to memory of 3068	2216	CfosSpeed 4.50 .silverado96..exe	18
PID 2216 wrote to memory of 3068	2216	CfosSpeed 4.50 .silverado96..exe	18
PID 3068 wrote to memory of 1936	3068	CfosSpeed 4.50 .silverado96..exe	34
PID 3068 wrote to memory of 1936	3068	CfosSpeed 4.50 .silverado96..exe	34
PID 3068 wrote to memory of 1936	3068	CfosSpeed 4.50 .silverado96..exe	34
PID 3068 wrote to memory of 1936	3068	CfosSpeed 4.50 .silverado96..exe	34
PID 3068 wrote to memory of 1936	3068	CfosSpeed 4.50 .silverado96..exe	34
PID 3068 wrote to memory of 1936	3068	CfosSpeed 4.50 .silverado96..exe	34
PID 3068 wrote to memory of 1936	3068	CfosSpeed 4.50 .silverado96..exe	34
PID 2216 wrote to memory of 740	2216	CfosSpeed 4.50 .silverado96..exe	42
PID 2216 wrote to memory of 740	2216	CfosSpeed 4.50 .silverado96..exe	42
PID 2216 wrote to memory of 740	2216	CfosSpeed 4.50 .silverado96..exe	42
PID 2216 wrote to memory of 740	2216	CfosSpeed 4.50 .silverado96..exe	42
PID 2216 wrote to memory of 740	2216	CfosSpeed 4.50 .silverado96..exe	42
PID 2216 wrote to memory of 740	2216	CfosSpeed 4.50 .silverado96..exe	42
PID 2216 wrote to memory of 740	2216	CfosSpeed 4.50 .silverado96..exe	42
PID 2376 wrote to memory of 1912	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2376 wrote to memory of 1912	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2376 wrote to memory of 1912	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2376 wrote to memory of 1912	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2376 wrote to memory of 1912	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2376 wrote to memory of 1912	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 2376 wrote to memory of 1912	2376	44a9a4aab2226603cc8ad4d81dc299fa.exe	41
PID 1912 wrote to memory of 1556	1912	Server.exe	39
PID 1912 wrote to memory of 1556	1912	Server.exe	39
PID 1912 wrote to memory of 1556	1912	Server.exe	39
PID 1912 wrote to memory of 1556	1912	Server.exe	39
PID 1912 wrote to memory of 1556	1912	Server.exe	39
PID 1912 wrote to memory of 1556	1912	Server.exe	39
PID 1912 wrote to memory of 1556	1912	Server.exe	39
PID 740 wrote to memory of 1588	740	Server.exe	40
PID 740 wrote to memory of 1588	740	Server.exe	40
PID 740 wrote to memory of 1588	740	Server.exe	40
PID 740 wrote to memory of 1588	740	Server.exe	40
PID 740 wrote to memory of 1588	740	Server.exe	40
PID 740 wrote to memory of 1588	740	Server.exe	40
PID 740 wrote to memory of 1588	740	Server.exe	40
PID 1556 wrote to memory of 2540	1556	Socks.exe	38
PID 1556 wrote to memory of 2540	1556	Socks.exe	38
PID 1556 wrote to memory of 2540	1556	Socks.exe	38
PID 1556 wrote to memory of 2540	1556	Socks.exe	38
PID 1556 wrote to memory of 2540	1556	Socks.exe	38
PID 1556 wrote to memory of 2540	1556	Socks.exe	38
PID 1556 wrote to memory of 2540	1556	Socks.exe	38
PID 1556 wrote to memory of 1188	1556	Socks.exe	37
PID 1556 wrote to memory of 1188	1556	Socks.exe	37
PID 1556 wrote to memory of 1188	1556	Socks.exe	37
PID 1556 wrote to memory of 1188	1556	Socks.exe	37
PID 1556 wrote to memory of 1188	1556	Socks.exe	37
PID 1556 wrote to memory of 1188	1556	Socks.exe	37
PID 1556 wrote to memory of 1188	1556	Socks.exe	37
PID 1556 wrote to memory of 1936	1556	Socks.exe	34

C:\Users\Admin\AppData\Local\Temp\44a9a4aab2226603cc8ad4d81dc299fa.exe
"C:\Users\Admin\AppData\Local\Temp\44a9a4aab2226603cc8ad4d81dc299fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\nst494.tmp\CfosSpeed 4.50 .silverado96..exe
  "C:\Users\Admin\AppData\Local\Temp\nst494.tmp\CfosSpeed 4.50 .silverado96..exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\nsd4D2.tmp\Server.exe
    C:\Users\Admin\AppData\Local\Temp\nsd4D2.tmp\Server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:740
- C:\Users\Admin\AppData\Local\Temp\nst494.tmp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\nst494.tmp\Server.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1912

C:\Users\Admin\AppData\Local\Temp\nsd4D2.tmp\CfosSpeed 4.50 .silverado96..exe
"C:\Users\Admin\AppData\Local\Temp\nsd4D2.tmp\CfosSpeed 4.50 .silverado96..exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\$cfsfx.0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\$cfsfx.0\setup.exe" -parentdir:"C:\Users\Admin\AppData\Local\Temp\nsd4D2.tmp\"
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WinsysMon /t REG_SZ /d "C:\Windows\SysWOW64\Socks.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
1⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\hi.bat
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1936

C:\Windows\SysWOW64\netsh.exe
netsh firewall set service type = upnp mode = enable
1⤵
- Modifies Windows Firewall
PID:1188

C:\Windows\SysWOW64\net.exe
net stop wscsvc
1⤵
PID:2540

C:\Windows\SysWOW64\Socks.exe
C:\Windows\system32\Socks.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\Socks.exe
C:\Windows\system32\Socks.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst494.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
92KB

MD5
da714484e6af2535c066022ac933a216

SHA1
1ead9f354e746a4e03d9937bdd12dd16ccb26517

SHA256
98034fca0023f7a3bdc3588e9aae263383b73cc7b6e1a7f256b1a207491a05b1

SHA512
51254f5bf0909020f80ce3f19ba6f5b607a6536fc49654a131e14a238d24418f8e1e183decd2c072bc50cc2345d4a5c911044660b89efbd7ca3a20b7f110afca

Download Submit
\Users\Admin\AppData\Local\Temp\nst494.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
384KB

MD5
fefbfe5404e0c4e9549b0c4e7c6a9de2

SHA1
1f6b01637440590adf989fc459a9f25fa0b4fb85

SHA256
f59a477117f48af51ed95c7ad7f8cbf7c0b8aacd6f6ee0a49c5f906067e815df

SHA512
3ceadc6f9fe44af1b6043695c54ee211b4a2d374aaefb2e83f8a6b99194ad86049561f5b162c66bf45657ce7b09e4b72afc7b117aaf0a08a0699641981edbd01

Download Submit
\Users\Admin\AppData\Local\Temp\nst494.tmp\CfosSpeed 4.50 .silverado96..exe

Filesize
382KB

MD5
1202cad1cc401fd5d4245e24e7ee83da

SHA1
4811d837d6cd9253f75e3cc3a5d8be39a36792ec

SHA256
0d8c4b312f628aa1c90679764731cf4e1cfa4f784663971bea998e323cb5e5ca

SHA512
1817b0d7f4a3d95932655a12983f59c12cf0a0f215fd057a4f7ae21140d3d989194d9e6511487ee79bc331066d16bdbd7c179b25157bd652d37ed22f2ae76c62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads