Analysis Overview
SHA256
2ba0c79ae23070dbc2e0c54184d76aab5dae7707fbb1920aaca0357225f07001
Threat Level: Known bad
The file 8ab40474d3eaafcf734e9528c5dd61a9 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in Drivers directory
Sets service image path in registry
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Installs/modifies Browser Helper Object
Modifies WinLogon
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 22:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 22:33
Reported
2024-02-02 22:36
Platform
win7-20231215-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
"C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe"
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
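Reading the behavioral1 signatures together: the Winlogon Shell, UserInit and UIHost values the sample writes are the Windows defaults ("Explorer.exe", "C:\Windows\system32\userinit.exe," and the XP-era "logonui.exe"), so those writes re-assert the normal logon path rather than hijack it; the persistence that matters is the two Run values (ntuser, autoload) and the ImagePath of the Schedule (Task Scheduler) service being pointed at spools.exe. The sample runs as a 32-bit process (reg.exe is launched from SysWOW64 and its HKLM\SOFTWARE writes, including the Browser Helper Objects deletion, land under Wow6432Node), so the file it wrote to C:\Windows\system32\drivers was redirected to C:\Windows\SysWOW64\drivers while the registry paths it set still say system32; likewise the "Local Settings\Application Data" path in the autoload value reaches AppData\Local through the compatibility junctions, which is where cftmon.exe appears in the Files list. The reg.exe command line above does not install a BHO; it deletes the entire Browser Helper Objects key. The following Python is an added example, not part of the sandbox report, that parses the indicator strings from the tables above (copied in as constructed sample input) into classified findings and expands every on-disk path a responder should check; the Finding class, the defaults table and the helper names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: indicator strings copied from the behavioral1 signature
# tables (Set value / File created rows). Backslashes inside REG_SZ data are doubled
# exactly as the report prints them.
SAMPLE_ROWS = [
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"'),
    ("File created", r"C:\Windows\SysWOW64\drivers\spools.exe"),
    ("File created", r"C:\Windows\SysWOW64\ftpdll.dll"),
]

# Windows defaults for the Winlogon values the sandbox flagged (compared case-insensitively).
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
    "uihost": "logonui.exe",  # XP-era value, kept so a non-default write is still caught
}

_SETVALUE_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
_HIVE_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER\\S-1-5-[0-9-]+)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str   # run_key | service_imagepath | winlogon_default | winlogon_modified | other
    key: str    # logical key: HKLM/HKU prefix, Wow6432Node reflection removed
    name: str
    data: str


def logical_key(raw_key):
    r"""\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\X -> HKLM\SOFTWARE\X (HKU\<SID>\... for user hives)."""
    m = _HIVE_RE.match(raw_key)
    if not m:
        return raw_key
    hive = "HKLM" if m.group(1).upper() == "MACHINE" else "HKU\\" + m.group(1)[5:]
    rest = re.sub(r"(?i)wow6432node\\", "", raw_key[m.end():])
    return hive + "\\" + rest


def classify(key, name, data):
    """Decide what a 'Set value' row means for persistence."""
    k, n = key.lower(), name.lower()
    if k.endswith(r"\microsoft\windows\currentversion\run"):
        return "run_key"
    if n == "imagepath" and re.search(r"\\system\\controlset\d+\\services\\[^\\]+$", k):
        return "service_imagepath"
    if k.endswith(r"\windows nt\currentversion\winlogon"):
        default = WINLOGON_DEFAULTS.get(n)
        return "winlogon_default" if default is not None and data.lower() == default else "winlogon_modified"
    return "other"


def parse_rows(rows):
    """Split report rows into registry findings and dropped-file paths."""
    findings, dropped = [], []
    for desc, indicator in rows:
        if desc.startswith("Set value"):
            m = _SETVALUE_RE.match(indicator)
            if m is None:
                continue  # not a 'key\name = "data"' row; nothing to classify
            key = logical_key(m.group("key"))
            data = m.group("data").replace("\\\\", "\\")  # undo the report's doubled backslashes
            findings.append(Finding(classify(key, m.group("name"), data), key, m.group("name"), data))
        elif desc.startswith("File created"):
            dropped.append(indicator)
    return findings, dropped


def path_aliases(path):
    r"""All spellings of a path a responder must check on a 64-bit host.
    A WOW64 (32-bit) process writing to \Windows\system32 is redirected to \Windows\SysWOW64,
    and the XP-style 'Local Settings\Application Data' reaches AppData\Local through the
    compatibility junctions, so the registry text and the on-disk location differ."""
    variants = {
        path,
        re.sub(r"(?i)\\windows\\system32\\", r"\\Windows\\SysWOW64\\", path),
        re.sub(r"(?i)\\windows\\syswow64\\", r"\\Windows\\System32\\", path),
    }
    return {re.sub(r"(?i)\\local settings\\application data\\", r"\\AppData\\Local\\", v) for v in variants}


def hunt_paths(findings, dropped):
    """Every executable location the sample either wrote or told Windows to start."""
    referenced = {f.data for f in findings if f.kind in ("run_key", "service_imagepath")}
    paths = set()
    for p in referenced | set(dropped):
        paths |= path_aliases(p)
    return paths


if __name__ == "__main__":
    findings, dropped = parse_rows(SAMPLE_ROWS)
    for f in findings:
        print(f"{f.kind:18} {f.key}\\{f.name} = {f.data}")
    print("hunt for:", *sorted(hunt_paths(findings, dropped)), sep="\n  ")
```

The classification deliberately reports the three Winlogon writes as winlogon_default; the same function returns winlogon_modified for any other value, so it can be reused on reports where the Shell or UserInit value really is replaced.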
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 3.18.7.81:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | www.hugedomains.com | udp |
| US | 104.26.6.37:443 | www.hugedomains.com | tcp |
Files
memory/2128-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2480-1-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2128-2-0x00000000021F0000-0x0000000002213000-memory.dmp
memory/1036-3-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | 9a8f04813d35f01b5e692e21e81a3fc8 |
| SHA1 | 1cfa6149cc42437e5a4780aa8e228b2dd362ed03 |
| SHA256 | ba83f633f5b17c7a19cea30b1325ad7a64fc0285d6274cd0fb00113fe1bdf711 |
| SHA512 | 291c070d23998fb845f3c10e1ea7f9d39c2198f6514b45f5b993fbc3e0db555295331ac2c96dcfd0c6cc3c5160384a4ee981bc035d4bc124448fdd93351f6e42 |
C:\Users\Admin\AppData\Local\Temp\Cab1D24.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar1D36.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/2128-39-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2128-51-0x00000000021F0000-0x0000000002213000-memory.dmp
memory/2128-50-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2128-49-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2480-52-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2692-53-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2480-54-0x00000000002B0000-0x00000000002D3000-memory.dmp
memory/1036-55-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 22:33
Reported
2024-02-02 22:36
Platform
win10v2004-20231215-en
Max time kernel
160s
Max time network
165s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
"C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe"
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
C:\Users\Admin\AppData\Local\Temp\8ab40474d3eaafcf734e9528c5dd61a9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fewfwe.com | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 34.205.242.146:80 | fewfwe.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.242.205.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
Files
memory/1504-0-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | 6f36d910bce3bce06ac4f9bcd96034c3 |
| SHA1 | 5592e1f1fd264ae6d0d778af5be65b9fc6f6ddb1 |
| SHA256 | 0688264563ad37ee5bb8f1158952deb6e0595ee70cd6cb49124ee62a916f588f |
| SHA512 | 5757a793001fd75b65f0659a07b63fb458467df034ac06ccfde8adb3470e8755d9df6d43ff0290659a8e107b4744848517cd35b9e0288c2ac3b9a5da08a3724a |
memory/4476-9-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/1504-13-0x0000000010000000-0x000000001010B000-memory.dmp
memory/1504-14-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1504-15-0x0000000010000000-0x000000001010B000-memory.dmp
memory/1504-16-0x0000000010000000-0x000000001010B000-memory.dmp
memory/1504-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4288-18-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4476-19-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3824-20-0x0000000000400000-0x0000000000423000-memory.dmp
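Comparing the two runs: fewfwe.com resolved to a different address in each (3.18.7.81 on win7, 34.205.242.146 on win10) and was contacted on port 80 both times, so the domain is the durable indicator and the addresses are weak ones; in the win7 run the sample then looked up and connected to www.hugedomains.com, a domain-marketplace site, which is what following a redirect from a parked domain looks like, so treat the addresses with corresponding caution. The in-addr.arpa rows in the win10 run are reverse lookups with no follow-on connection; one of them, 146.242.205.34.in-addr.arpa, is the PTR name for the fewfwe.com address just contacted and corroborates it, the rest are background lookups. Of the dropped files, ftpdll.dll has the same SHA256 in both runs while cftmon.exe differs per run, so its hash is not a usable indicator. The following Python is an added example, not part of the report, that applies these rules to the rows above (embedded as constructed sample input: a representative subset of the win10 reverse lookups, SHA256 only); the function names and run labels are the example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: Network and Files rows copied from the two behavioral runs
# above (a representative subset of the win10 in-addr.arpa rows; SHA256 only).
RUNS = {
    "behavioral1 (win7)": {
        "network": [
            ("US", "8.8.8.8:53", "fewfwe.com", "udp"),
            ("US", "3.18.7.81:80", "fewfwe.com", "tcp"),
            ("US", "8.8.8.8:53", "www.hugedomains.com", "udp"),
            ("US", "104.26.6.37:443", "www.hugedomains.com", "tcp"),
        ],
        "files": {
            r"C:\Users\Admin\AppData\Local\cftmon.exe": "ba83f633f5b17c7a19cea30b1325ad7a64fc0285d6274cd0fb00113fe1bdf711",
            r"\Windows\SysWOW64\ftpdll.dll": "eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb",
        },
    },
    "behavioral2 (win10)": {
        "network": [
            ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
            ("US", "8.8.8.8:53", "fewfwe.com", "udp"),
            ("US", "34.205.242.146:80", "fewfwe.com", "tcp"),
            ("US", "8.8.8.8:53", "146.242.205.34.in-addr.arpa", "udp"),
        ],
        "files": {
            r"C:\Users\Admin\AppData\Local\cftmon.exe": "0688264563ad37ee5bb8f1158952deb6e0595ee70cd6cb49124ee62a916f588f",
            r"C:\Windows\SysWOW64\ftpdll.dll": "eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb",
        },
    },
}


def ptr_to_ip(name):
    """'146.242.205.34.in-addr.arpa' -> '34.205.242.146'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def network_iocs(rows):
    """Per-domain contact summary for one run, with reverse lookups set aside.
    Only tcp rows count as contact; a udp row to the resolver is just the lookup."""
    domains = defaultdict(lambda: {"ips": set(), "ports": set()})
    ptr_targets = set()
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            ptr_targets.add(ip)
            continue
        entry = domains[domain.lower()]
        if proto == "tcp":
            host, port = dest.rsplit(":", 1)
            entry["ips"].add(host)
            entry["ports"].add(int(port))
    return dict(domains), ptr_targets


def consolidate(runs):
    """Merge runs: domain -> all addresses/ports seen and the runs it appeared in.
    A PTR lookup is corroborating when it points at an address that was actually contacted."""
    contacted = defaultdict(lambda: {"ips": set(), "ports": set(), "runs": set()})
    ptr_all = set()
    for run, data in runs.items():
        domains, ptrs = network_iocs(data["network"])
        ptr_all |= ptrs
        for name, entry in domains.items():
            contacted[name]["ips"] |= entry["ips"]
            contacted[name]["ports"] |= entry["ports"]
            contacted[name]["runs"].add(run)
    all_ips = set().union(*(c["ips"] for c in contacted.values()))
    return {
        "domains": dict(contacted),
        "ptr_corroborated": ptr_all & all_ips,
        "ptr_background": ptr_all - all_ips,
    }


def file_stability(runs):
    """Group dropped files by file name across runs; a hash that changes per run is a weak IOC."""
    by_name = defaultdict(dict)
    for run, data in runs.items():
        for path, sha256 in data["files"].items():
            by_name[path.rsplit("\\", 1)[-1].lower()][run] = sha256
    return {
        name: ("stable" if len(set(hashes.values())) == 1 else "varies", sorted(set(hashes.values())))
        for name, hashes in by_name.items()
        if len(hashes) == len(runs)  # only files seen in every run can be judged
    }


if __name__ == "__main__":
    result = consolidate(RUNS)
    for name, entry in result["domains"].items():
        print(f"{name}: ips={sorted(entry['ips'])} ports={sorted(entry['ports'])} runs={len(entry['runs'])}")
    print("PTR corroborated:", sorted(result["ptr_corroborated"]))
    print("PTR background:", sorted(result["ptr_background"]))
    for name, (status, hashes) in file_stability(RUNS).items():
        print(f"{name}: {status} {hashes}")
```

Grouping dropped files by file name rather than full path is what lets the two spellings of the ftpdll.dll path (one run prints it without the drive letter) line up; the trade-off is that two different files with the same name would be merged, which is acceptable for a two-run comparison but worth revisiting if many reports are fed in.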