Analysis Overview
SHA256
6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0
Threat Level: Known bad
The file 6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
Loads dropped DLL
Modifies system executable filetype association
Executes dropped EXE
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:07
Reported
2024-04-06 22:10
Platform
win7-20240221-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| File opened for modification | \??\c:\windows\Desktop.ini | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File created | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp" | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\WMPDMC.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmplayer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnscfg.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Sidebar\sidebar.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7z.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zFM.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zG.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iexplore.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\firefox.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Mail\wab.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpconfig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Journal\PDIALOG.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\Uninstall.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Defender\MpCmdRun.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iediagcmd.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Mail\wabmig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmlaunch.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpshare.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\pingsender.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpenc.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnetwk.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmprph.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Defender\MSASCui.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| File opened for modification | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| File opened for modification | \??\c:\windows\Desktop.ini | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe
"C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe"
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\namg.exe" 6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\namg.exe
| MD5 | e4d66937b89925687b5a52d34dba33fb |
| SHA1 | aae9527f755a6bb1823ef55cee0d9333c6c6faf0 |
| SHA256 | 0db95552849bafc9f28b20d8b267a2881289464bcd337539172ea561a9ffe6dc |
| SHA512 | 652c3688f448b50302a35dea2fe6d725a9411c3c4c1d5c7316cffdabd172b40f86bb6cba1bda0b65d3059cf2d6d30bdcaa3a261aaedf778de6e05876f8b4100d |
\??\c:\windows\SysWOW64\maxtrox.txt
| MD5 | 24865ca220aa1936cbac0a57685217c5 |
| SHA1 | 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83 |
| SHA256 | 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743 |
| SHA512 | c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062 |
\??\c:\windows\SysWOW64\XPs.ini
| MD5 | 9deb008192c430c143014b74e118496a |
| SHA1 | 9bea77324bdcda49be0f35326bb8f39ccb2e1559 |
| SHA256 | 958df7273152cf2534f63f8f3f52afb86fc6d040768d0d5dc4a2e6ab62126563 |
| SHA512 | 94b5d1af87d839189dde43f1a28d7b87b631ae6f397aaa31cfbe4a0d2e7177c76f5fb34fca1080bff30a875017290074bc8246b629498277798e6f4e3f782fb3 |
\??\c:\windows\Desktop.ini
| MD5 | 8052b40f98237069a82665e8e410104a |
| SHA1 | 3036d150d270117154f87834fa3bb06410b6ee47 |
| SHA256 | 107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329 |
| SHA512 | a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631 |
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp
| MD5 | f69529486da875fb08785e720c404c67 |
| SHA1 | 378520aeedc72246ad19882602b61f304a929073 |
| SHA256 | 8a4948d0edc4dffdb4847cf48576377032c450de1a6d731762b016bedc9d613c |
| SHA512 | c386a41e537dd289d86f4129a3851c7b3942b68629d6cb4c186cacc6fc506d592f8c1bb52948b11dcf031a9bf2f9cf16f7cdedfdaa663d38d83c14f2ce582e34 |
\??\c:\windows\SysWOW64\Windows 3D.scr
| MD5 | 47c2b2cae47b9778e57163169e59b0bd |
| SHA1 | 599c47a3a8b490a5da19b3cbdd5e1de1722e1f49 |
| SHA256 | 0287f9fec4fbca5c2ddb825cc76fcc0f5241c0b0aaa5773ee5a82db1e1ab31d9 |
| SHA512 | 020b0ac266161555f8cde18be20f6ebbc0e0c586eefd77d04eca5abe5dea84b96ef31d639d7d06089b62dc169e531f431211401a327533991c5761aee08195a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:07
Reported
2024-04-06 22:10
Platform
win10v2004-20240319-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| File opened for modification | \??\c:\windows\Desktop.ini | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File created | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp" | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpshare.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7z.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iediagcmd.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\pingsender.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\setup_wm.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnscfg.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmlaunch.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnetwk.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Mail\wabmig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\firefox.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpconfig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmplayer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zFM.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iexplore.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zG.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\Uninstall.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmprph.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\Desktop.ini | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
| File created | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| File opened for modification | \??\c:\windows\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1720 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe |
| PID 1720 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe |
| PID 1720 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe
"C:\Users\Admin\AppData\Local\Temp\6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0.exe"
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\dsap.exe" 6db98310f4e3c2d7e6cd95e707f5596c900ead79c41f7ad7e01cfeef0e7889a0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| IE | 94.245.104.56:443 | N/A | tcp |
| GB | 172.166.92.12:443 | N/A | tcp |
| GB | 51.140.242.104:443 | N/A | tcp |
| NL | 142.250.179.138:443 | N/A | tcp |
| NL | 142.250.179.138:443 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| GB | 13.105.221.16:443 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\dsap.exe
| MD5 | e4d66937b89925687b5a52d34dba33fb |
| SHA1 | aae9527f755a6bb1823ef55cee0d9333c6c6faf0 |
| SHA256 | 0db95552849bafc9f28b20d8b267a2881289464bcd337539172ea561a9ffe6dc |
| SHA512 | 652c3688f448b50302a35dea2fe6d725a9411c3c4c1d5c7316cffdabd172b40f86bb6cba1bda0b65d3059cf2d6d30bdcaa3a261aaedf778de6e05876f8b4100d |
\??\c:\windows\SysWOW64\maxtrox.txt
| MD5 | 24865ca220aa1936cbac0a57685217c5 |
| SHA1 | 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83 |
| SHA256 | 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743 |
| SHA512 | c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062 |
\??\c:\windows\SysWOW64\XPs.ini
| MD5 | d91c164d324457e45bd71bca367ea5f1 |
| SHA1 | 5ceb0e1780e34053ba2771d0073df746a5ebb1cd |
| SHA256 | e9e3f7ac57f2ab482861b3cf1afbdc15b2a51ae0d0512fb2fd9639d2266a9421 |
| SHA512 | 6bd86a8ded4be8d0a9c28d240105e632ecb5132606791ec0a16a6640d11fff503745f3bb3d7f4c3dbaaa058eb93985fe0349ebcebc07737f602502c5355b5499 |
\??\c:\windows\Desktop.ini
| MD5 | 8052b40f98237069a82665e8e410104a |
| SHA1 | 3036d150d270117154f87834fa3bb06410b6ee47 |
| SHA256 | 107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329 |
| SHA512 | a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631 |
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp
| MD5 | aafc830ef001429f117a97d3b480872e |
| SHA1 | 9cb767515eade16f71185ffd908b8c708d9d39b0 |
| SHA256 | 149c11ceb318730d26976fc553fcf13512db81adf5a39270a323ea569f897d42 |
| SHA512 | 1e666749ebe20d7f3d37d21a040383e3aaccbd2777a7edf5f127be50d64f13015bc1d55285190684c305d4bc28175f262a8407abbf6cf3476adb38caf068e561 |
\??\c:\windows\SysWOW64\Windows 3D.scr
| MD5 | 47c2b2cae47b9778e57163169e59b0bd |
| SHA1 | 599c47a3a8b490a5da19b3cbdd5e1de1722e1f49 |
| SHA256 | 0287f9fec4fbca5c2ddb825cc76fcc0f5241c0b0aaa5773ee5a82db1e1ab31d9 |
| SHA512 | 020b0ac266161555f8cde18be20f6ebbc0e0c586eefd77d04eca5abe5dea84b96ef31d639d7d06089b62dc169e531f431211401a327533991c5761aee08195a6 |