Malware Analysis Report

2025-03-15 05:41

Sample ID 240510-zrt4fscd56
Target 485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159
SHA256 485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159
Tags
aspackv2 evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159

Threat Level: Known bad

The file 485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159 was found to be: Known bad.

Malicious Activity Summary

aspackv2 evasion persistence

Detects executables packed with ASPack

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Detects executables packed with ASPack

Disables RegEdit via registry modification

Disables cmd.exe use via registry modification

Disables use of System Restore points

Disables Task Manager via registry modification

ASPack v2.12-2.42

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 20:57

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 20:57

Reported

2024-05-10 21:00

Platform

win7-20240419-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %windir%\\msdos.pif" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %windir%\\msdos.pif" C:\Windows\SysWOW64\MsFirewall.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\MsFirewall.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\MsFirewall.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\MsFirewall.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MsFirewall.exe N/A
N/A N/A C:\Windows\SysWOW64\MsFirewall.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\Explorer.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\MsFirewall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\Explorer.exe \"%1\" %*" C:\Windows\SysWOW64\MsFirewall.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Personal Firewall = "C:\\Windows\\system32\\MsFirewall.exe" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Personal Firewall = "C:\\Windows\\system32\\MsFirewall.exe" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Personal Firewall = "C:\\Windows\\system32\\MsFirewall.exe" C:\Windows\SysWOW64\MsFirewall.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Personal Firewall = "C:\\Windows\\system32\\MsFirewall.exe" C:\Windows\SysWOW64\MsFirewall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Personal Firewall = "C:\\Program Files (x86)\\Common Files\\micros~1\\autoexec.bat" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Runonce C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Personal Firewall = "C:\\Program Files (x86)\\Common Files\\micros~1\\autoexec.bat" C:\Windows\SysWOW64\MsFirewall.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Runonce C:\Windows\SysWOW64\MsFirewall.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MsFirewall.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Windows\SysWOW64\MsFirewall.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File created C:\Windows\SysWOW64\MsFirewall.exe C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened for modification C:\Windows\SysWOW64\MsFirewall.exe C:\Windows\SysWOW64\MsFirewall.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\security\javaws.policy C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Explorer.exe C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\cacerts C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Antigua C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\local_policy.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santiago C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File created C:\Program Files (x86)\Common Files\micros~1\autoexec.bat C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\javafx.policy C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\micros~1\autoexec.bat C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\US_export_policy.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\java.security C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\trusted.libraries C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Canary C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Explorer.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\java.policy C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\blacklist C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File created C:\Program Files (x86)\Common Files\Explorer.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File created C:\Program Files (x86)\Common Files\Explorer.exe C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msdos.pif C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Windows\msdos.pif C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File created C:\Windows\msdos.pif C:\Windows\SysWOW64\MsFirewall.exe N/A
File opened for modification C:\Windows\msdos.pif C:\Windows\SysWOW64\MsFirewall.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\MsFirewall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\Explorer.exe \"%1\" %*" C:\Windows\SysWOW64\MsFirewall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\Explorer.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe
PID 2100 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe
PID 2100 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe
PID 2100 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe
PID 1788 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Windows\SysWOW64\MsFirewall.exe
PID 1788 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Windows\SysWOW64\MsFirewall.exe
PID 1788 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Windows\SysWOW64\MsFirewall.exe
PID 1788 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe C:\Windows\SysWOW64\MsFirewall.exe
PID 2700 wrote to memory of 856 N/A C:\Windows\SysWOW64\MsFirewall.exe C:\Windows\SysWOW64\MsFirewall.exe
PID 2700 wrote to memory of 856 N/A C:\Windows\SysWOW64\MsFirewall.exe C:\Windows\SysWOW64\MsFirewall.exe
PID 2700 wrote to memory of 856 N/A C:\Windows\SysWOW64\MsFirewall.exe C:\Windows\SysWOW64\MsFirewall.exe
PID 2700 wrote to memory of 856 N/A C:\Windows\SysWOW64\MsFirewall.exe C:\Windows\SysWOW64\MsFirewall.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\MsFirewall.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\MsFirewall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe

"C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe"

C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe

"C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe"

C:\Windows\SysWOW64\MsFirewall.exe

C:\Windows\system32\MsFirewall.exe

C:\Windows\SysWOW64\MsFirewall.exe

C:\Windows\system32\MsFirewall.exe

Network

N/A

Files

memory/2100-0-0x0000000000400000-0x000000000049D000-memory.dmp

memory/2100-2-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-3-0x0000000000400000-0x000000000049D000-memory.dmp

C:\Windows\msdos.pif

MD5 39ca5287c412729e05f14abe082f454c
SHA1 2655d983a9fa9e26780f43108e59235ba339d9ac
SHA256 a63d7e5c1a3392ddfcb232e3061472c4530e0403d87313cbfd084c0da3738755
SHA512 d8301f9e769e1a97c9163c707eee4dc5594ac660e09b26ff7968164e791905d564ef334f49c5f00448b500eaf412b1108a34da3f4390c42d7a5413e855795795

\Windows\SysWOW64\MsFirewall.exe

MD5 e8f6d874c447260e53ca27da4ee4dff9
SHA1 1d528505429cb580657f4b7200255248539ca3b5
SHA256 cb68d227e71e49fd18a24731af1dbf8319440be3cb5cc88c0860a6d78b6bb0a2
SHA512 0baceb26ec98995cba5c50e0d4fc871ff63dec2fb15cf02cf6a7088011abd856ca79527b6fe8a46b1f400edbbf31f4044ae5232018b57b9882590c57319130a1

memory/2700-34-0x0000000000400000-0x000000000049D000-memory.dmp

memory/2700-37-0x0000000000400000-0x000000000049D000-memory.dmp

F:\autorun.inf

MD5 7cb4fd6531daaa8ee1e0f4d40ec60e55
SHA1 6b31dcec95aadd5d2ac0115b529ed01940c07f94
SHA256 b350f2e5af9f47abf64ad9da2b492382e5095a2d5fcbf6fafcc0259c0ec36865
SHA512 9191231fa799d47f6552ddb736101e14f4afcfe50b49fc7e1771a9913dfe4e18a290e0fba79a9ed9c265181ebd9e193ab1732b50a1e8dc0c23f2383d95dfcc4d

C:\autorun.inf

MD5 d94dbbe30cceec1029ecb618581a8f1f
SHA1 4bc0e3b51142b9be5465a39a47cbe7184b673c38
SHA256 faae8c97008a29130bab840e5d2dad554ff63b1beb70b3162c82d07670e4cecb
SHA512 75a646ab16b11425cd0b96d31be9ff2bdcb49252cb2ed3db07715fd69c589adfa0fe12ac2f4436d0ed673b94c35629834bf21891b25624d9b4030148cb471bab

memory/856-50-0x0000000000400000-0x000000000049D000-memory.dmp

C:\Program Files (x86)\Common Files\Explorer.exe

MD5 df5e41134df15c12d8c99257ae206f55
SHA1 8078b52452495876db9bfe848698350798e2d688
SHA256 7afb8bb41b692ba599297742b8251a123b73375bd6d5ac3109cb525d4e1c5219
SHA512 e8dd2232e7bf450a4edf096e60a3737e07ee2fb91e691f91a6ef392d5afb1ac984c8d27a382453664b570f04f69314a8f15116d5f293a3a6c8bdff9b7ccf1b7f

memory/856-52-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-53-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-54-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-55-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-56-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-57-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-58-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-59-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-60-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-61-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-62-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-63-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-64-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-65-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-66-0x0000000000400000-0x000000000049D000-memory.dmp

memory/1788-67-0x0000000000400000-0x000000000049D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 20:57

Reported

2024-05-10 21:00

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %windir%\\msdos.pif" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\Explorer.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Personal Firewall = "C:\\Windows\\system32\\MsFirewall.exe" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Personal Firewall = "C:\\Program Files (x86)\\Common Files\\micros~1\\autoexec.bat" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Personal Firewall = "C:\\Windows\\system32\\MsFirewall.exe" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MsFirewall.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Windows\SysWOW64\MsFirewall.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Explorer.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Explorer.exe C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\micros~1\autoexec.bat C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File created C:\Program Files (x86)\Common Files\micros~1\autoexec.bat C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msdos.pif C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
File opened for modification C:\Windows\msdos.pif C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\Explorer.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe

"C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe"

C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe

"C:\Users\Admin\AppData\Local\Temp\485e1846094d4fa7ca49d9212d3a402929fd74ee6e2332816e73a59c5b964159.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3744-0-0x0000000000400000-0x000000000049D000-memory.dmp

memory/4948-1-0x0000000001F90000-0x0000000001F91000-memory.dmp

C:\Windows\msdos.pif

MD5 d108fff99429ddd7bdddfb4dbc210f2b
SHA1 8753efc359e3831c2be7106a94be8fd2f0f52ab8
SHA256 c1a76099c15884ae89aa57706b23df80b37ef13246d8fae95b53ebe1aababd6e
SHA512 83ab13f41f0f899caddba4d27008bbed363a5efb591733bec4dd3dca68dcd5c5d243007114f230ffdee569c8c59d52d37ab49a568e129133c9779d21f9408aba

memory/4948-21-0x0000000000400000-0x000000000049D000-memory.dmp

memory/4948-35-0x0000000000400000-0x000000000049D000-memory.dmp

memory/4948-68-0x0000000000400000-0x000000000049D000-memory.dmp

memory/4948-149-0x0000000000400000-0x000000000049D000-memory.dmp