Analysis Overview
score
10/10
SHA256
fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83
Threat Level: Known bad
The file fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Sets service image path in registry
Drops file in Drivers directory
UPX packed file
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Adds Run key to start application
Installs/modifies Browser Helper Object
Modifies WinLogon
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:52
Reported
2024-06-03 05:54
Platform
win7-20240221-en
Max time kernel
141s
Max time network
119s
Command Line
"C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe"
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2164 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | C:\Windows\SysWOW64\reg.exe |
| PID 2164 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | C:\Windows\SysWOW64\reg.exe |
| PID 2164 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | C:\Windows\SysWOW64\reg.exe |
| PID 2164 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | C:\Windows\SysWOW64\reg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe
"C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | webbibleschool.org | udp |
| US | 8.8.8.8:53 | getupdate.org | udp |
Files
memory/2164-0-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | d0505efc3608aaef06bb4bf2b57d04ad |
| SHA1 | 351613246059bb4a7c21e9be40248a541ae951a5 |
| SHA256 | 881b61faf2622b98ba66e41895464d27e02238ef13fc7ef19e5299512cdcd585 |
| SHA512 | ec5d7bc5af97fde8db08b96994e9d88393faf0f1b3f110de0c5f6cd0e301238849efb797df3bbf7c1e45056bdeb657c8ba618bb3e1a1147bff257d4f7e1481b8 |
\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/2164-11-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2164-14-0x0000000000400000-0x0000000000411000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:52
Reported
2024-06-03 05:54
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
"C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe"
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftpdll.dll | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4684 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4684 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | C:\Windows\SysWOW64\reg.exe |
| PID 4684 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe | C:\Windows\SysWOW64\reg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe
"C:\Users\Admin\AppData\Local\Temp\fd9dc525ad8fa70067716007d38857fc09d2cf4fbbc446d040672cc7930f0d83.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | webbibleschool.org | udp |
| US | 8.8.8.8:53 | getupdate.org | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/4684-0-0x0000000000400000-0x0000000000411000-memory.dmp
C:\Users\Admin\AppData\Local\cftmon.exe
| MD5 | ae96580c30b885c00f30d38bbdf07db5 |
| SHA1 | 3176765a0df448bedb6a31f321904a0d4ad2d730 |
| SHA256 | b5ff81f5005445f0b4905bedad504bae418b35a9916d2307c9094fa526e7f9d5 |
| SHA512 | 0fa5ef14257bf3f1f7b01aeeff144ac262b73b89f6c47349dfaa5b4a91376d2cb3704e36cc0e941f0ad259e41542177d57156ef1c853d7fc5d26d69a011c270f |
C:\Windows\SysWOW64\ftpdll.dll
| MD5 | d807aa04480d1d149f7a4cac22984188 |
| SHA1 | ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9 |
| SHA256 | eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb |
| SHA512 | 875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e |
memory/4684-12-0x0000000010000000-0x000000001010B000-memory.dmp
memory/4684-15-0x0000000000400000-0x0000000000411000-memory.dmp