Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2024, 16:02

Static task: static1
Behavioral task: behavioral1
  Sample: 3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70.msi
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70.msi
  Resource: win10v2004-20240508-en

General
Target: 3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70.msi
Size: 4.9MB
MD5: 76cb7942862b8e5ac5c86c7cbab709bd
SHA1: 0c0631dc78a8add250dd225f67a918f3f9c71524
SHA256: 3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70
SHA512: b9ca576c949f79f123b6cf0d9d3469f47c88ee6f53c9f6e97643fc529ee5a360c95172457b4b2eddb0836baf68d88ffd9a958f8a3cbcca270bcfeb519dc22752
SSDEEP: 98304:wyclEycl/Y5AbXwNSOgbPJ84mkWQBlVbZ0L8xKpIx0Ttq6zVommY:wyIEyINXwNUJdV9jxK1tqOeQ

Malware Config

Signatures
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ieinstal.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ieinstal.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZfAdmin84 = "C:\\Users\\Admin\\ZfAdmin84\\ZfAdmin84\\ZfAdmin84.exe" | reg.exe

Blocklisted process makes network request (1 IoCs)
flow | pid | Process
4 | 2092 | MsiExec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:, each opened twice) | msiexec.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
24 | ip-api.com

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\e5745a4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5745a4.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE318.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE376.tmp | msiexec.exe

Executes dropped EXE (1 IoCs)
pid | Process
4696 | ZfAdmin84.exe

Loads dropped DLL (4 IoCs)
pid | Process
4696 | ZfAdmin84.exe
1720 | ieinstal.exe
2092 | MsiExec.exe
2092 | MsiExec.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2328 | 4696 | WerFault.exe | 99

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ieinstal.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ieinstal.exe

Enumerates system info in registry (2 TTPs, 5 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | ieinstal.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ieinstal.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | ieinstal.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | ieinstal.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | ieinstal.exe
Modifies Internet Explorer settings (40 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{99E55117-12D4-11EF-92F1-6E6D447F5FDC} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106785" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1849420585" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1849430886" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106785" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000486db9a0dd9f39218e2231132651ea7b0502592105ab92e5c7a8771cb2e1cd39000000000e800000000200002000000002911df637879a82c09b460159d9c8b2613a3dda807a627fcc8873a2ab579585200000005bcb9d6b6f218ad749cee8bab7f328a8143a9c95a4bf76754deea0bff3302cf94000000009209d419d232b7354b5b6a8c1ce87c0baf33e7ba2df92fe190c1d6c8ba863732753fa26086324ed5a2fa66045d47021c27874e6cc58f6db0d3fd372ce7c0ae3 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ff266fe1a6da01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0361f6fe1a6da01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1851650618" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422553954" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31106785" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000eb52bda2ce7f5c5214f18546365c83fd4bf14b732348d83f187a359d4815abb5000000000e80000000020000200000007a76eded8d7d2c3160bb585fe0b4a326f127193bbc3a45a575b3b2dba070104520000000b5f33b15011b2cd20f1ddd73765f93dcdf6176417398bfcc5fa2f342776143f740000000ce444889f93345b1b7a33c651610749050f54c07e73e6e7c1a3b8b797bf474e519a5708dadbb5ed63ac5c7c1a1f28d78bd6f79821dcab1ae25af2f3d1fb36572 | iexplore.exe
Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
2520 | reg.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 4 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
1720 | ieinstal.exe (16 identical entries)

Suspicious use of AdjustPrivilegeToken (38 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3708 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3708 | msiexec.exe
Token: SeSecurityPrivilege | 1624 | msiexec.exe
Token: SeCreateTokenPrivilege | 3708 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3708 | msiexec.exe
Token: SeLockMemoryPrivilege | 3708 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3708 | msiexec.exe
Token: SeMachineAccountPrivilege | 3708 | msiexec.exe
Token: SeTcbPrivilege | 3708 | msiexec.exe
Token: SeSecurityPrivilege | 3708 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3708 | msiexec.exe
Token: SeLoadDriverPrivilege | 3708 | msiexec.exe
Token: SeSystemProfilePrivilege | 3708 | msiexec.exe
Token: SeSystemtimePrivilege | 3708 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3708 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3708 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3708 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3708 | msiexec.exe
Token: SeBackupPrivilege | 3708 | msiexec.exe
Token: SeRestorePrivilege | 3708 | msiexec.exe
Token: SeShutdownPrivilege | 3708 | msiexec.exe
Token: SeDebugPrivilege | 3708 | msiexec.exe
Token: SeAuditPrivilege | 3708 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3708 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3708 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3708 | msiexec.exe
Token: SeUndockPrivilege | 3708 | msiexec.exe
Token: SeSyncAgentPrivilege | 3708 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3708 | msiexec.exe
Token: SeManageVolumePrivilege | 3708 | msiexec.exe
Token: SeImpersonatePrivilege | 3708 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3708 | msiexec.exe
Token: SeRestorePrivilege | 1624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1624 | msiexec.exe
Token: SeRestorePrivilege | 1624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1624 | msiexec.exe
Token: SeRestorePrivilege | 1624 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1624 | msiexec.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
3708 | msiexec.exe
2092 | MsiExec.exe
3820 | iexplore.exe
3708 | msiexec.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
4696 | ZfAdmin84.exe
1720 | ieinstal.exe
3820 | iexplore.exe
3820 | iexplore.exe
4324 | IEXPLORE.EXE
4324 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 1624 wrote to memory of 2092 | 1624 | msiexec.exe | 87 (3 identical entries)
PID 2092 wrote to memory of 2248 | 2092 | MsiExec.exe | 91 (3 identical entries)
PID 2092 wrote to memory of 1884 | 2092 | MsiExec.exe | 93 (3 identical entries)
PID 2092 wrote to memory of 8 | 2092 | MsiExec.exe | 97 (3 identical entries)
PID 8 wrote to memory of 4696 | 8 | cmd.exe | 99 (3 identical entries)
PID 4696 wrote to memory of 1720 | 4696 | ZfAdmin84.exe | 100 (4 identical entries)
PID 3820 wrote to memory of 4324 | 3820 | iexplore.exe | 108 (3 identical entries)
PID 2092 wrote to memory of 3388 | 2092 | MsiExec.exe | 109 (3 identical entries)
PID 3388 wrote to memory of 2520 | 3388 | cmd.exe | 111 (3 identical entries)
Processes (child processes are indented under their parent)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d36a85048e6c35edac1fcc9e9a00bc140f18bac364b61cbe43d04ae7d2c1d70.msi
  PID: 3708
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1624
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2B20C42500028064F8228B297FEDB321
    PID: 2092
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Users\Admin\ZfAdmin84\
      PID: 2248

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Users\Admin\ZfAdmin84\ZfAdmin84
      PID: 1884

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\ZfAdmin84\ZfAdmin84\ZfAdmin84.exe
      PID: 8
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\ZfAdmin84\ZfAdmin84\ZfAdmin84.exe
        Command line: C:\Users\Admin\ZfAdmin84\ZfAdmin84\ZfAdmin84.exe
        PID: 4696
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\ieinstal.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\ieinstal.exe"
          PID: 1720
          - Checks BIOS information in registry
          - Loads dropped DLL
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 700
          PID: 2328
          - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ZfAdmin84 /t reg_sz /d "C:\Users\Admin\ZfAdmin84\ZfAdmin84\ZfAdmin84.exe"
      PID: 3388
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ZfAdmin84 /t reg_sz /d "C:\Users\Admin\ZfAdmin84\ZfAdmin84\ZfAdmin84.exe"
        PID: 2520
        - Adds Run key to start application
        - Modifies registry key

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4696 -ip 4696
  PID: 3608

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  PID: 4228

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 3820
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3820 CREDAT:17410 /prefetch:2
    PID: 4324
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Downloads
Six files were captured, of sizes 17KB, 2.2MB, 881KB, 6.8MB, 4.3MB and 738KB.