7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/04/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
Size

1.2MB
MD5

90dadb3e75df9547aa5743575ca0dd36
SHA1

d98780eba073ca35cfb6904deb88e19ba65b5a34
SHA256

7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f
SHA512

c914dcbde55665e97ba00ff1bf2c941f57cfb881bab524855071bd83c310d4cabd4be1981b0443df555100998266a2c0eeb7eeee717fb39543a4da7c328ea45e
SSDEEP

24576:gjFtxhQ1FWTiIskCM0oY4Kq+mLNa4yWYKhD28:gwUOzJoYhuLkXWYF8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 15 IoCs

evasion

pid	Process
2272	taskkill.exe
2852	taskkill.exe
2952	taskkill.exe
2176	taskkill.exe
2840	taskkill.exe
2628	taskkill.exe
2544	taskkill.exe
2856	taskkill.exe
2188	taskkill.exe
2644	taskkill.exe
2008	taskkill.exe
1800	taskkill.exe
2580	taskkill.exe
2652	taskkill.exe
2632	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	Rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	Rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 902b37cdfb94da01	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395168194"	Rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	Rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395168194"	Rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	Rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TypedURLs	Rundll32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2828	reg.exe
2796	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	Rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2008	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	28
PID 1704 wrote to memory of 2008	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	28
PID 1704 wrote to memory of 2008	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	28
PID 1704 wrote to memory of 2008	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	28
PID 1704 wrote to memory of 1800	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	29
PID 1704 wrote to memory of 1800	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	29
PID 1704 wrote to memory of 1800	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	29
PID 1704 wrote to memory of 1800	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	29
PID 1704 wrote to memory of 2176	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	31
PID 1704 wrote to memory of 2176	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	31
PID 1704 wrote to memory of 2176	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	31
PID 1704 wrote to memory of 2176	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	31
PID 1704 wrote to memory of 2188	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	33
PID 1704 wrote to memory of 2188	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	33
PID 1704 wrote to memory of 2188	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	33
PID 1704 wrote to memory of 2188	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	33
PID 1704 wrote to memory of 2840	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	34
PID 1704 wrote to memory of 2840	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	34
PID 1704 wrote to memory of 2840	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	34
PID 1704 wrote to memory of 2840	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	34
PID 1704 wrote to memory of 2580	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	37
PID 1704 wrote to memory of 2580	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	37
PID 1704 wrote to memory of 2580	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	37
PID 1704 wrote to memory of 2580	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	37
PID 1704 wrote to memory of 2628	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	39
PID 1704 wrote to memory of 2628	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	39
PID 1704 wrote to memory of 2628	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	39
PID 1704 wrote to memory of 2628	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	39
PID 1704 wrote to memory of 2644	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	40
PID 1704 wrote to memory of 2644	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	40
PID 1704 wrote to memory of 2644	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	40
PID 1704 wrote to memory of 2644	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	40
PID 1704 wrote to memory of 2652	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	41
PID 1704 wrote to memory of 2652	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	41
PID 1704 wrote to memory of 2652	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	41
PID 1704 wrote to memory of 2652	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	41
PID 1704 wrote to memory of 2632	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	43
PID 1704 wrote to memory of 2632	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	43
PID 1704 wrote to memory of 2632	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	43
PID 1704 wrote to memory of 2632	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	43
PID 1704 wrote to memory of 2544	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	44
PID 1704 wrote to memory of 2544	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	44
PID 1704 wrote to memory of 2544	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	44
PID 1704 wrote to memory of 2544	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	44
PID 1704 wrote to memory of 2856	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	45
PID 1704 wrote to memory of 2856	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	45
PID 1704 wrote to memory of 2856	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	45
PID 1704 wrote to memory of 2856	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	45
PID 1704 wrote to memory of 2272	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	48
PID 1704 wrote to memory of 2272	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	48
PID 1704 wrote to memory of 2272	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	48
PID 1704 wrote to memory of 2272	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	48
PID 1704 wrote to memory of 2852	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	49
PID 1704 wrote to memory of 2852	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	49
PID 1704 wrote to memory of 2852	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	49
PID 1704 wrote to memory of 2852	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	49
PID 1704 wrote to memory of 2732	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	51
PID 1704 wrote to memory of 2732	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	51
PID 1704 wrote to memory of 2732	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	51
PID 1704 wrote to memory of 2732	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	51
PID 1704 wrote to memory of 2732	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	51
PID 1704 wrote to memory of 2732	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	51
PID 1704 wrote to memory of 2732	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	51
PID 1704 wrote to memory of 2796	1704	7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe	57

C:\Users\Admin\AppData\Local\Temp\7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe
"C:\Users\Admin\AppData\Local\Temp\7fc5206a27de6c86a93f6a6d3918af0c7b850647efa8b279600c67f5b3b34e0f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame_BE.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame_UC.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im TslGame_ZK.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ExecPubg.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im BEService.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im BEService_x64.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im BroCrashReporter.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ucldr_battlegrounds_gl.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im reporter.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im wscript.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im iigw_server.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im Fondue.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im zksvc.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 InetCpl.cpl,ClearMyTracksByProcess 255
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  PID:2732
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\eamonm /f
  2⤵
  - Modifies registry key
  PID:2796
- C:\Windows\SysWOW64\reg.exe
  reg delete HKLM\SYSTEM\CurrentControlSet\Services\edevmon /f
  2⤵
  - Modifies registry key
  PID:2828
- C:\Windows\SysWOW64\net.exe
  net stop BEService
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BEService
    3⤵
    PID:1680
- C:\Windows\SysWOW64\net.exe
  net stop BEDaisy
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BEDaisy
    3⤵
    PID:1688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360chrome.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads