a37eaa964771b1758ebb1bc8152eb3f12caf9dc78dac2b216b751480e2959ec7

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f6178506322bd3a90e16bb639063c9.exe
Size

356KB
MD5

74f6178506322bd3a90e16bb639063c9
SHA1

d102a2fde1d7f2ecbc7ccd96a0d38d823467a8e8
SHA256

a37eaa964771b1758ebb1bc8152eb3f12caf9dc78dac2b216b751480e2959ec7
SHA512

9b9d930af7df94f282fc757cff8d4cbd4575006cb19909eb5966366ffce949229cab40210347fe1b145a2569c3c3278ed41f8382f7efedb0176dc07774169985
SSDEEP

6144:EPdZhqkK3+K0WZNDZpgY70T0ovhabXv4snfBKAwJLeOnAXMuSvy:WWkKuxYDMY77o5abfDnpKAwWXDay

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

SeFastInstall2_3218.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exe

pid process

2572 SeFastInstall2_3218.exe
3036 BECA628C.exe
2696 BECA628C.exe
2760 BECA628C.exe
1988 BECA628C.exe
2288 BECA628C.exe
1960 BECA628C.exe
688 BECA628C.exe

pid	process
2572	SeFastInstall2_3218.exe
3036	BECA628C.exe
2696	BECA628C.exe
2760	BECA628C.exe
1988	BECA628C.exe
2288	BECA628C.exe
1960	BECA628C.exe
688	BECA628C.exe

Loads dropped DLL 49 IoCs

Processes:

74f6178506322bd3a90e16bb639063c9.exeSeFastInstall2_3218.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exeBECA628C.exe

pid	process
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2572	SeFastInstall2_3218.exe
2572	SeFastInstall2_3218.exe
2572	SeFastInstall2_3218.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
3036	BECA628C.exe
3036	BECA628C.exe
3036	BECA628C.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2696	BECA628C.exe
2696	BECA628C.exe
2696	BECA628C.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2760	BECA628C.exe
2760	BECA628C.exe
2760	BECA628C.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
1988	BECA628C.exe
1988	BECA628C.exe
1988	BECA628C.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2288	BECA628C.exe
2288	BECA628C.exe
2288	BECA628C.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
1960	BECA628C.exe
1960	BECA628C.exe
1960	BECA628C.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
2360	74f6178506322bd3a90e16bb639063c9.exe
688	BECA628C.exe
688	BECA628C.exe
688	BECA628C.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe	upx
behavioral1/memory/2360-24-0x0000000003270000-0x000000000336C000-memory.dmp	upx
behavioral1/memory/2572-35-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2572-141-0x0000000000400000-0x00000000004FC000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

SeFastInstall2_3218.exe

description ioc process

File opened for modification \??\PhysicalDrive0 SeFastInstall2_3218.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SeFastInstall2_3218.exe

Drops file in Program Files directory 3 IoCs

Processes:

74f6178506322bd3a90e16bb639063c9.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\WinRAR\WinRAR.knl	74f6178506322bd3a90e16bb639063c9.exe
File created	C:\Program Files (x86)\Internet Explorer\IEXPLOR.EXE	74f6178506322bd3a90e16bb639063c9.exe
File created	C:\Program Files (x86)\WinRAR\WinRAR.knl	74f6178506322bd3a90e16bb639063c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies File Icons 2 IoCs

ransomware

Processes:

74f6178506322bd3a90e16bb639063c9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons	74f6178506322bd3a90e16bb639063c9.exe

Modifies Shortcut Icons 2 IoCs

Modifies/removes arrow indicator from shortcut icons.

ransomware

Processes:

74f6178506322bd3a90e16bb639063c9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\29 = "C:\\Windows\\system32\\shell32.dll,50"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\system32\\shell32.dll,50"	74f6178506322bd3a90e16bb639063c9.exe

Modifies registry class 64 IoCs

Processes:

74f6178506322bd3a90e16bb639063c9.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\NeverShowExt	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\ShellFolder\Attributes = "0"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\WinRAR\\winrar.knl\" \"%1\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\DefaultIcon	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\ShellFolder	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\ = "ÔÚÃüÁîÌáÊ¾·ûÖÐ´ò¿ª(&W)"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\DefaultIcon	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\ = "±à¼\u00ad(&E)"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\ = "´ò¿ª(&O)"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc\ = "qcfile"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\ = "open"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ = "JScript ÒÑ±àÂëµÄ Script ÎÄ¼þ"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\Shell	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\ = "Intrnet Explerer"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\InfoTip = "Intrnet Explerer"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ScriptEngine\ = "JScript.Encode"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\TypeLib\ = "{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.knl\ = "wfile"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\Shell\Internet Explorer	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\ = "´òÓ¡(&P)"	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\Shell\Internet Explorer\Command	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\ = "¿ì½Ý·½Ê½"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}\TypeLib	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open	74f6178506322bd3a90e16bb639063c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0B1C9EEB-343E-4BDA-AA7E-9B0F9E4A50A7}	74f6178506322bd3a90e16bb639063c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.knl	74f6178506322bd3a90e16bb639063c9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SeFastInstall2_3218.exe

pid process

2572 SeFastInstall2_3218.exe

pid	process
2572	SeFastInstall2_3218.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

74f6178506322bd3a90e16bb639063c9.exe

description	pid	process	target process
PID 2360 wrote to memory of 3052	2360	74f6178506322bd3a90e16bb639063c9.exe	WScript.exe
PID 2360 wrote to memory of 3052	2360	74f6178506322bd3a90e16bb639063c9.exe	WScript.exe
PID 2360 wrote to memory of 3052	2360	74f6178506322bd3a90e16bb639063c9.exe	WScript.exe
PID 2360 wrote to memory of 3052	2360	74f6178506322bd3a90e16bb639063c9.exe	WScript.exe
PID 2360 wrote to memory of 3052	2360	74f6178506322bd3a90e16bb639063c9.exe	WScript.exe
PID 2360 wrote to memory of 3052	2360	74f6178506322bd3a90e16bb639063c9.exe	WScript.exe
PID 2360 wrote to memory of 3052	2360	74f6178506322bd3a90e16bb639063c9.exe	WScript.exe
PID 2360 wrote to memory of 2572	2360	74f6178506322bd3a90e16bb639063c9.exe	SeFastInstall2_3218.exe
PID 2360 wrote to memory of 2572	2360	74f6178506322bd3a90e16bb639063c9.exe	SeFastInstall2_3218.exe
PID 2360 wrote to memory of 2572	2360	74f6178506322bd3a90e16bb639063c9.exe	SeFastInstall2_3218.exe
PID 2360 wrote to memory of 2572	2360	74f6178506322bd3a90e16bb639063c9.exe	SeFastInstall2_3218.exe
PID 2360 wrote to memory of 2572	2360	74f6178506322bd3a90e16bb639063c9.exe	SeFastInstall2_3218.exe
PID 2360 wrote to memory of 2572	2360	74f6178506322bd3a90e16bb639063c9.exe	SeFastInstall2_3218.exe
PID 2360 wrote to memory of 2572	2360	74f6178506322bd3a90e16bb639063c9.exe	SeFastInstall2_3218.exe
PID 2360 wrote to memory of 3036	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 3036	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 3036	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 3036	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 3036	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 3036	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 3036	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2696	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2696	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2696	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2696	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2696	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2696	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2696	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2760	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2760	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2760	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2760	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2760	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2760	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2760	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1988	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1988	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1988	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1988	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1988	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1988	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1988	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2288	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2288	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2288	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2288	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2288	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2288	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 2288	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1960	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1960	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1960	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1960	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1960	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1960	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 1960	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 688	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 688	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 688	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 688	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 688	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 688	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe
PID 2360 wrote to memory of 688	2360	74f6178506322bd3a90e16bb639063c9.exe	BECA628C.exe

C:\Users\Admin\AppData\Local\Temp\74f6178506322bd3a90e16bb639063c9.exe
"C:\Users\Admin\AppData\Local\Temp\74f6178506322bd3a90e16bb639063c9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies File Icons
- Modifies Shortcut Icons
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\WScript.exe
"WScript.exe" "C:\Program Files (x86)\WinRAR\WinRAR.knl"
2⤵
- Modifies registry class
PID:3052

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe
"C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Users\Admin\AppData\Local\Temp\BECA628C.exe
C:\Users\Admin\AppData\Local\Temp\BECA628C.exe "C:\Users\Public\Desktop\Internet Explerer" /P "Admin":F /y
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036

C:\Users\Admin\AppData\Local\Temp\BECA628C.exe
C:\Users\Admin\AppData\Local\Temp\BECA628C.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Æô¶¯ Internet Explerer ä¯ÀÀÆ÷.lnk" /P "Admin":F /y
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696

C:\Users\Admin\AppData\Local\Temp\BECA628C.exe
C:\Users\Admin\AppData\Local\Temp\BECA628C.exe "C:\Users\Public\Desktop" /P "Admin":R /y
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760

C:\Users\Admin\AppData\Local\Temp\BECA628C.exe
C:\Users\Admin\AppData\Local\Temp\BECA628C.exe "C:\Users\Public\Desktop" /E /G "Admin":W /y
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988

C:\Users\Admin\AppData\Local\Temp\BECA628C.exe
C:\Users\Admin\AppData\Local\Temp\BECA628C.exe "C:\Users\Public\Desktop" /E /G "Admin":C /y
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288

C:\Users\Admin\AppData\Local\Temp\BECA628C.exe
C:\Users\Admin\AppData\Local\Temp\BECA628C.exe "C:\Users\Public\Desktop\Internet Explerer.lnk" /d "Admin" /y
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960

C:\Users\Admin\AppData\Local\Temp\BECA628C.exe
C:\Users\Admin\AppData\Local\Temp\BECA628C.exe "C:\Users\Public\Desktop\Internet Explerer.lnk" /E /G "Admin":R /y
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRAR\WinRAR.knl
Filesize
10KB

MD5
cbb913c3f27f9e77c27132ec9cc25c19

SHA1
dd026204a242c07c391b36b78572f465adbbb0c4

SHA256
9230555aa8c09f81b2af12b03544f1924b283bf1f1a5198dd0137e8de9671767

SHA512
d5ae3d38a412aa7b3f694b398717c36dc61142b9d0952f76b6bda9ceba9b4fd4c235c68fc2d95e4f2e9ced2333b95837483c20d81ad152c4983e212540f4ccd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\version.ini
Filesize
290B

MD5
3129904708fe7e61637eb1905a370a48

SHA1
73467fdf9cd6a6092f1efa7182b3bed3ddb51f7a

SHA256
63231d1014dea3b31baf97921f2fb72a34b714ea0e569c3db1b67410b2a5ea33

SHA512
0838d88606882946a5f2230ec5611dac77031605286f9ea87a7dba9a9f8365f43a1f9e3934e0e21cf02f5c7a7fbdb89d5d96a25821941bf21c8c34a33e06f7e7

Download Submit
C:\Users\Public\Desktop\Internet Explerer.lnk
Filesize
1KB

MD5
65ca7a5721be2508e29b6ca3c41f0924

SHA1
0983876f1fd913114b4a41d480b2bba163de519f

SHA256
d3c70ecba91c330365edd3fdc9051f66e96ae199eda51bf971fec8e5e60eac37

SHA512
2984e8cc433a8eeb953fee163925af40be2a48ded30dd2cd32d340c60cdf6bfdee898e65fd95b87fea2af499c05021dea01370a43eee8f1581c5c873a4176a68

Download Submit
\Users\Admin\AppData\Local\Temp\BECA628C.exe
Filesize
44KB

MD5
78fd41a1e1d2cf1c7657cf80bdde1164

SHA1
acb97223f909ab20dd0b0e655a8869e78b056d2b

SHA256
01259b3cd50d39ca21b03af4e22a7bca2b91cf11ab4ce78661c646f08f6bce00

SHA512
317e4013bdd70cd50d28961581fe7b774116ea83083718c9db921a86adab5c8d2d3a5cdedd9d172ba65b7a3c7b0699aa8546061b995d3f62e10062f568b78077

Download Submit
\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe
Filesize
260KB

MD5
9e9e40dbb092847edc20b6ec81bf69cc

SHA1
fdcbcad31a5126f2d073b3eecc845a8c127f1223

SHA256
f160aa378f189e03b9e7cf1a61d6837f027afeebc773b0b6ec670ac0a6fd242f

SHA512
d6c329b2a43c00097ed38c4b89eabac57503f21a414311189caf602745ff86bc18aad151e72dbd6d02dc78854f73182e2005045ec0cd77c86a045fbfcc6d29fc

Download Submit
\Users\Admin\AppData\Local\Temp\nsd484.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsd484.tmp\inetc.dll
Filesize
20KB

MD5
8d8fdad7e153d6b82913f6fdc407d12c

SHA1
aabbeed33cd5221e4cb22aab6e48310df94facfd

SHA256
e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b

SHA512
42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd484.tmp\md5dll.dll
Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
\Users\Admin\AppData\Local\Temp\nsd484.tmp\nsExec.dll
Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
memory/2360-24-0x0000000003270000-0x000000000336C000-memory.dmp

Filesize
1008KB

Download
memory/2572-35-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2572-40-0x0000000000A50000-0x0000000000B4C000-memory.dmp

Filesize
1008KB

Download
memory/2572-141-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download