2c341e9ae196b1bcb137a43be29251e93561f9d578b08d2863529585039e885b

General

Target

flashplayer.exe
Size

15.3MB
MD5

a8a8c089a6a8583b24c85f5a4a41f5ac
SHA1

798c755fab62d9fc7019bd195026195d0d339a38
SHA256

b6ba115c2b43d87aaddf0060c44726e7af1a12c9501fc63de652a9517d7367db
SHA512

1636318338ae3eeb2d194e62463b279f9ff86e22e119ac6bb134d8ec958a69930815b6f84b9019342b62c470020465d3288bb592676318902e6cb765029d2f2f
SSDEEP

393216:e+VtcTsNLwevhv3aDtxf0mAPXXprADug+js0+oEbiNO0TNPRU70hlz:e4tcCLwevhHPXXprADuO8PRUQht

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flashplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	flashplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	flashplayer.exe

Modifies registry class 43 IoCs

Processes:

flashplayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open\command	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe\" %1"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\DefaultIcon	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell\open	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\DefaultIcon	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-202"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell\open	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4p\ = "FlashPlayer.ProtectedMediaForFlashPlayer"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell\open\command	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe\" %1"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell\open	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4a\ = "FlashPlayer.AudioForFlashPlayer"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-203"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\DefaultIcon	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-204"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe\" %1"	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-205"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell\open\command	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4p	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe\" %1"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\shell	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell\open\command	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.f4a	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.ProtectedMediaForFlashPlayer\shell	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe,-608"	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\shell\open\command	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.FlashVideo\shell	flashplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.VideoForFlashPlayer\DefaultIcon	flashplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashPlayer.AudioForFlashPlayer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\flashplayer.exe\" %1"	flashplayer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

flashplayer.exe

pid process

2572 flashplayer.exe
2572 flashplayer.exe

pid	process
2572	flashplayer.exe
2572	flashplayer.exe

C:\Users\Admin\AppData\Local\Temp\flashplayer.exe
"C:\Users\Admin\AppData\Local\Temp\flashplayer.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-0-0x00000000065A0000-0x00000000065A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing