fdb18d128decf596a3670a3407e9afb6c0320daa40f5e2ebc9bacb94b0d755b6

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2FastBetVN.exe
Size

151KB
MD5

3fbc8e17cb9da2415668bcc9c22f88b0
SHA1

66879710e62797c06013c7ca924432e3295975e7
SHA256

fdb18d128decf596a3670a3407e9afb6c0320daa40f5e2ebc9bacb94b0d755b6
SHA512

0e27c3671709bac901cd669de232580b9a91fc9c6f68b837fbd2ceb5c2f8901c6fd3785255669563ed457ca2000975bc6b461d12939ab7e21d3de700720ec97c
SSDEEP

3072:xyqBXv8zjxf5GWp1icKAArDZz4N9GhbkrNEk1uN:vu7p0yN90QED

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\es-ES\ULIAGPKX.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\volmgrx.sys.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\sermouse.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\ws2ifsl.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\UAGP35.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rmcast.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\GAGP30KX.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rndismp6.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\parport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mssmbios.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\tsusbflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\smclib.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\nwifi.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndiscap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\srv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\luafv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\processr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\disk.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wanarp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\isapnp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\volmgrx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pnpmem.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\scsiport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fastfat.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fileinfo.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\rndismp6.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\qwavedrv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\bthpan.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ataport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\pacer.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\null.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mup.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\RDPCDD.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\amdppm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\fltmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\wacompen.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\tsusbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\acpi.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\HdAudio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\usbhub.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\ataport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\serscan.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rootmdm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\appid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\amdide.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\NV_AGP.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\http.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\scfilter.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\umbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\es-ES\WUDFUsbccidDriver.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\portcls.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\nwifi.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\MTConfig.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\vhdmp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\termdd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\pci.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\http.sys.mui	cmd.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2FastBetVN.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	cmd.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\en-US\mssign32.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\ntprint.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\efsadu.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dmdlgs.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\gpapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\VaultSysUi.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\prnnr002.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNKY3~3.INF\Amd64\KYUD6030.GDL	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\wisptis.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\ksproxy.ax.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\NCProv.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Wpc.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\AltTab.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\dnscmmc.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNGT0~2.INF\Amd64\GSC25006.GPD	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\tscfgwmi.mfl	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\PROFES~2\license.rtf	cmd.exe
File opened for modification	C:\Windows\SysWOW64\userinit.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wbem\wpdfs.mof	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WINDOW~1\v1.0\en-US\about_Variables.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\BthpanContextHandler.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\wkssvc.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\iphlpapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\modemui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\fvecpl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ras\switch.inf	cmd.exe
File opened for modification	C:\Windows\System32\en-US\Licenses\_Default\HOMEPR~3\license.rtf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnle004.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIACN0~1.INF\CNHC730S.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\rdvgumd32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\netiougc.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\ActionCenter.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wiadefui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\prnhp005.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\dnsapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\fr-FR\netbvbda.inf_loc	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en-US\azroleui.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\WinMgmtR.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\netiohlp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\xrWPcpst.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\packager.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\cic.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\INSTAL~1\setupdir\0011\_setup.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\pshed.dll.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\UIRibbon.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\unregmp2.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\zh-CN\d2d1.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\api-ms-win-security-lsalookup-l1-1-0.dll	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\Magnification.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\et-EE\comdlg32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\en-US\WmiApSrv.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnlx003.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\AxInstSv.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\fc.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\mf3216.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\perfmon.msc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNKY3~2.INF\prnky303.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNNR0~2.INF\Amd64\NR25006.GPD	cmd.exe
File opened for modification	C:\Windows\System32\C_10010.NLS	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\pcmcia.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\sysmon.ocx	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRD56E~1.INF\Amd64\EP0NGP9H.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\STI~1.INF\serscan.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\DLMANI~1\Microsoft-Windows-WlanSvc-DL.man	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~1\INTERN~1\DiagnosticsHub.DataWarehouse.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\25.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\btn_search_down.png	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\SPEECH~1\MICROS~1\TTS20\MSTTSEngine.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\OLEDB~1\msdaosp.dll	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\DEVICE~1\Task\{07DEB~1\it-IT\resource.xml	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\DEVICE~1\Task\{E35BE~1\en-US\resource.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\FSDEFI~1\symbols\symbase.xml	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyBoy\nav_leftarrow.png	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\fr-FR\js\localizedStrings.js	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\es\System.Net.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\fr-FR\wordpad.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\es-ES\js\localizedStrings.js	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\Images\timer_up.png	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\RSSFEE~1.GAD\es-ES\settings.html	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\DEVICE~1\Task\{07DEB~1\de-DE\resource.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\tipskins.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\fr-FR\msinfo32.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\System\ado\msadox.dll	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\en-US\DVDMaker.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI0FCF~1\JNTFiltr.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\ja-JP\calendar.html	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\System\OLEDB~1\oledbvbs.inc	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\images\calendar_single.png	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyGirl\16_9-frame-image-mask.png	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Sports\SportsScenesBackground_PAL.wmv	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\trad.png	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\REDIST~1\FrameworkList.xml	cmd.exe
File opened for modification	C:\PROGRA~1\WINDOW~1\wab.exe	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\Images\shuffle_up.png	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\System.Data.Services.Client.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\fr-FR\js\settings.js	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\ja\System.Data.Linq.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\es\System.Web.Entity.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\Microsoft.Build.Conversion.v3.5.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\it-IT\gadget.xml	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\es-ES\js\library.js	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\es-ES\js\highDpiImageSwap.js	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\es-ES\js\settings.js	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\Images\timer_over.png	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\photoedge_videoinset.png	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\RESIZI~1\1047x576black.png	cmd.exe
File opened for modification	C:\PROGRA~1\WI54FB~1\fr-FR\WMPDMCCore.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\info.gif	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\en-US\rtscom.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\OLEDB~1\en-US\sqlxmlx.rll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\de-DE\js\timeZones.js	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\en-US\settings.html	cmd.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\main.css	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\networkinspection.dll	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\settings_box_top.png	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\es-ES\ShapeCollector.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\TipRes.dll	cmd.exe
File opened for modification	C:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\RECTAN~1\vistabg.png	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\System.ServiceModel.Web.dll	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\System\msadc\msadds.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\OLEDB~1\msxactps.dll	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\WindowsFormsIntegration.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\WI0FCF~1\ja-JP\jnwdui.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WI4223~1\de-DE\sbdrop.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\System\OLEDB~1\msdaurl.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\es-ES\mpvis.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\Microsoft.Ink.dll	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PLA\Rules\fr-FR\Rules.System.Network.xml	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIB14D~1.MUM	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MICEF0~1.MUM	cmd.exe
File opened for modification	C:\Windows\winsxs\AMBCBF~1.163\fdc.sys	cmd.exe
File opened for modification	C:\Windows\DIAGNO~1\system\HOMEGR~1\es-ES\CL_LocalizationData.psd1	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIEC1C~1.MUM	cmd.exe
File opened for modification	C:\Windows\winsxs\AMACA2~1.163\WUDFHO~1.MUI	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MICFF5~1.MUM	cmd.exe
File opened for modification	C:\Windows\Media\Windows Hardware Remove.wav	cmd.exe
File opened for modification	C:\Windows\winsxs\AM99EE~1.163\BrFiltUp.sys	cmd.exe
File opened for modification	C:\Windows\ehome\it-IT\WTVConverter.exe.mui	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIC605~1.CAT	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIA94D~1.MUM	cmd.exe
File opened for modification	C:\Windows\ehome\ehres.dll	cmd.exe
File opened for modification	C:\Windows\Fonts\vgafixr.fon	cmd.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\medexptv.h1s	cmd.exe
File opened for modification	C:\Windows\Help\mui\040C\inetsrvmmc.CHM	cmd.exe
File opened for modification	C:\Windows\POLICY~1\de-DE\AddRemovePrograms.adml	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MI6AB3~1.MUM	cmd.exe
File opened for modification	C:\Windows\winsxs\AM600E~1.163\TS_HAR~1.PS1	cmd.exe
File opened for modification	C:\Windows\AppPatch\msimain.sdb	cmd.exe
File opened for modification	C:\Windows\POLICY~1\fr-FR\MSI.adml	cmd.exe
File opened for modification	C:\Windows\winsxs\AM7B87~1.163\MSDTC.LOG	cmd.exe
File opened for modification	C:\Windows\winsxs\AMB9FB~1.163\HIDBTH~1.INF	cmd.exe
File opened for modification	C:\Windows\winsxs\AMB362~2.163\OLERES~1.MUI	cmd.exe
File opened for modification	C:\Windows\Fonts\ssef1256.fon	cmd.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Hardware Fail.wav	cmd.exe
File opened for modification	C:\Windows\POLICY~1\MSI.admx	cmd.exe
File opened for modification	C:\Windows\winsxs\AM9693~2.163\BITSAD~1.MUI	cmd.exe
File opened for modification	C:\Windows\PERFOR~1\WinSAT\ShaderCache.vs_1_1	cmd.exe
File opened for modification	C:\Windows\winsxs\AME9F3~1.175\CDOSYS~1.MUI	cmd.exe
File opened for modification	C:\Windows\winsxs\AMFF6E~1.163\INPUT~1.INF	cmd.exe
File opened for modification	C:\Windows\winsxs\AM3437~1.163\mdmrock.inf	cmd.exe
File opened for modification	C:\Windows\winsxs\AME93D~1.163\cmitrust.dll	cmd.exe
File opened for modification	C:\Windows\INSTAL~1\$PATCH~1\Managed\1926E8~1\100~1.402\F_CENT~3	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\PA800E~1.CAT	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MID79A~1.MUM	cmd.exe
File opened for modification	C:\Windows\winsxs\AM6808~1.163\CNGPRO~1.DLL	cmd.exe
File opened for modification	C:\Windows\winsxs\AM04BC~1.163\DWM~1.ADM	cmd.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\artcon6.h1s	cmd.exe
File opened for modification	C:\Windows\ja-JP\explorer.exe.mui	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\v3.5\it\MSBuild.resources.dll	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~2\v3.5\1041\cscompui.dll	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\PACKAG~1.SES	cmd.exe
File opened for modification	C:\Windows\Web\WALLPA~1\Nature\img6.jpg	cmd.exe
File opened for modification	C:\Windows\winsxs\AMAC6D~2.163\CABVIE~1.MUI	cmd.exe
File opened for modification	C:\Windows\inf\ESENT\0410\esentprf.ini	cmd.exe
File opened for modification	C:\Windows\POLICY~1\ja-JP\WinCal.adml	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MI5515~1.MUM	cmd.exe
File opened for modification	C:\Windows\winsxs\AMA76F~1.163\AMDSBS.inf	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MI925C~1.CAT	cmd.exe
File opened for modification	C:\Windows\winsxs\AM8B77~1.163\FAXCN0~1.INF	cmd.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\netwpr.h1s	cmd.exe
File opened for modification	C:\Windows\winsxs\AM5511~2.163\HELP_S~1.H1K	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\en-US\bootmgr.efi.mui	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIFD07~1.MUM	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIB72D~1.CAT	cmd.exe
File opened for modification	C:\Windows\winsxs\AM4124~1.163\IMAGE~1.INF	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\CONFIG\machine.config.default	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\v3.5\fr\DataSvcUtil.resources.dll	cmd.exe
File opened for modification	C:\Windows\winsxs\AM74E5~1.163\PNPMEM~1.MUI	cmd.exe
File opened for modification	C:\Windows\SERVIC~1\Packages\MIE3B5~1.MUM	cmd.exe
File opened for modification	C:\Windows\winsxs\AMAE52~1.163\DINPUT~1.MUI	cmd.exe
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\sbs_VsaVb7rt.dll	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2024	2300	2FastBetVN.exe	28
PID 2300 wrote to memory of 2024	2300	2FastBetVN.exe	28
PID 2300 wrote to memory of 2024	2300	2FastBetVN.exe	28

C:\Users\Admin\AppData\Local\Temp\2FastBetVN.exe
"C:\Users\Admin\AppData\Local\Temp\2FastBetVN.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\system32\cmd.exe
  cmd /c "destroy.bat"
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies termsrv.dll
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\destroy.bat

Filesize
164B

MD5
b45a7c4a06347c272adc225a43e53b04

SHA1
cc67480527e18c82b4896354d285fa3d6ba1000e

SHA256
66b39e56ce0aa29842b178337342195f4ab4e5a8d1cf7d800710b467e447f227

SHA512
c88230442de4710a303f513a3aaf3647611432fb6e263daa5e875a8501ca931907e2b1d1139b45b3d0a804ae038a44f6e08bd317dacaf8e6f0e20ac47ca4a30a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads