Analysis

max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 15-08-2024 21:05

Behavioral task: behavioral1
Sample: f609255239103210afd42d9f3bc3f530N.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: f609255239103210afd42d9f3bc3f530N.exe
Resource: win10v2004-20240802-en

General

Target: f609255239103210afd42d9f3bc3f530N.exe
Size: 2.0MB
MD5: f609255239103210afd42d9f3bc3f530
SHA1: 57f8c0d4beecbc157a274a8fbfba3c59e326bcc5
SHA256: 132c73cbf38ad49574d97500cdd3342721e4bbbe41d9a6b152c8619b95e145ac
SHA512: e766814191285485b3c6ba71a1b378e8963ab07914bee6ce4519a13eabd04614c0b53709078fcbae4af66c43b6e497925047a58982335956c55d0e10be521c13
SSDEEP: 49152:MS0z9Z3sd42vq2gcDsUHKyeTGSOmDLT1aw55zGbBieER4s6CCNfes:/0z3w42C5OscTBtuLRaKJ2AB4s3CNfes
Signatures

Detects Floxif payload (1 IoCs)
  resource: behavioral1/files/0x00080000000120fd-2.dat    yara_rule: floxif
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
  resource: behavioral1/files/0x00080000000120fd-2.dat    yara_rule: acprotect
Executes dropped EXE (6 IoCs)
  pid   Process
  1648  EasyBCD.exe
  2208  bootgrabber.exe
  2480  UtfRedirect.exe
  2964  UtfRedirect.exe
  976   bcdedit.exe
  1260  bcdedit.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2128  f609255239103210afd42d9f3bc3f530N.exe
  2008  f609255239103210afd42d9f3bc3f530N.exe
  2008  f609255239103210afd42d9f3bc3f530N.exe
  2480  UtfRedirect.exe
  2964  UtfRedirect.exe
UPX packed file (yara_rule: upx)
  resource
  behavioral1/files/0x00080000000120fd-2.dat
  behavioral1/memory/2128-0-0x0000000000400000-0x0000000000443000-memory.dmp
  behavioral1/memory/2128-4-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2008-102-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2008-103-0x0000000000400000-0x0000000000443000-memory.dmp
  behavioral1/memory/2128-133-0x0000000000400000-0x0000000000443000-memory.dmp
  behavioral1/memory/2128-135-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2008-194-0x0000000000400000-0x0000000000443000-memory.dmp
  behavioral1/memory/2008-541-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2128-682-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2008-684-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2128-1012-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2128-1018-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2008-1021-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2128-1025-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2128-1031-0x0000000010000000-0x0000000010030000-memory.dmp
  behavioral1/memory/2128-1036-0x0000000010000000-0x0000000010030000-memory.dmp
Checks whether UAC is enabled
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  EasyBCD.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\e:  f609255239103210afd42d9f3bc3f530N.exe

Drops file in Program Files directory (3 IoCs)
  description   ioc                                                        Process
  File created  C:\Program Files\Common Files\System\symsrv.dll            f609255239103210afd42d9f3bc3f530N.exe
  File created  \??\c:\program files\common files\system\symsrv.dll.000    f609255239103210afd42d9f3bc3f530N.exe
  File created  \??\c:\program files\common files\system\symsrv.dll.000    f609255239103210afd42d9f3bc3f530N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f609255239103210afd42d9f3bc3f530N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f609255239103210afd42d9f3bc3f530N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bootgrabber.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  UtfRedirect.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  UtfRedirect.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bcdedit.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bcdedit.exe
Modifies Internet Explorer settings
  description      ioc                                                                                                                                   Process
  Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                  EasyBCD.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  EasyBCD.exe
  Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                  msfeedssync.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  msfeedssync.exe
  Key created      \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                  msfeedssync.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  msfeedssync.exe
Modifies system certificate store
  description       ioc                                                                                                           Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6  EasyBCD.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd  EasyBCD.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd  EasyBCD.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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  EasyBCD.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2128  f609255239103210afd42d9f3bc3f530N.exe
  2128  f609255239103210afd42d9f3bc3f530N.exe
  2128  f609255239103210afd42d9f3bc3f530N.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             2128  f609255239103210afd42d9f3bc3f530N.exe
  Token: SeDebugPrivilege             2008  f609255239103210afd42d9f3bc3f530N.exe
  Token: SeDebugPrivilege             1648  EasyBCD.exe
  Token: 33                           1648  EasyBCD.exe
  Token: SeIncBasePriorityPrivilege   1648  EasyBCD.exe
  Token: SeBackupPrivilege            976   bcdedit.exe
  Token: SeRestorePrivilege           976   bcdedit.exe
  Token: SeRestorePrivilege           976   bcdedit.exe
  Token: SeRestorePrivilege           976   bcdedit.exe
  Token: 33                           1648  EasyBCD.exe
  Token: SeIncBasePriorityPrivilege   1648  EasyBCD.exe
  (the remaining entries, up to the 64 total, alternate "Token: 33" and "Token: SeIncBasePriorityPrivilege" for pid 1648 EasyBCD.exe, ending on a "Token: 33" entry)
Suspicious use of WriteProcessMemory (34 IoCs)
  pid   wrote to memory of   Process                                 procid_target   occurrences
  2128  2008                 f609255239103210afd42d9f3bc3f530N.exe   29              4
  2008  1648                 f609255239103210afd42d9f3bc3f530N.exe   30              4
  1648  2968                 EasyBCD.exe                             32              3
  1648  2208                 EasyBCD.exe                             34              4
  1648  596                  EasyBCD.exe                             36              3
  1648  2480                 EasyBCD.exe                             37              4
  1648  2964                 EasyBCD.exe                             39              4
  2480  976                  UtfRedirect.exe                         41              4
  2964  1260                 UtfRedirect.exe                         42              4

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe  (PID 2128)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe"
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe  (PID 2008)
        Command line: "C:\Users\Admin\AppData\Local\Temp\f609255239103210afd42d9f3bc3f530N.exe" -sfxwaitall:0 "EasyBCD.exe"
        - Loads dropped DLL
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe  (PID 1648)
            Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EasyBCD.exe"
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies Internet Explorer settings
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\msfeedssync.exe  (PID 2968)
                Command line: "C:\Windows\System32\msfeedssync.exe" forcesync
                - Modifies Internet Explorer settings

            [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe  (PID 2208)
                Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bootgrabber.exe" /tlist
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\system32\msfeedssync.exe  (PID 596)
                Command line: msfeedssync.exe sync
                - Modifies Internet Explorer settings

            [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe  (PID 2480)
                Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe  (PID 976)
                    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe" /export "C:\Users\Admin\Documents\EasyBCD 백업 (2024-08-15).bcd"
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe  (PID 2964)
                Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\UtfRedirect.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe  (PID 1260)
                    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\bin\bcdedit.exe" /enum all
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: df7e7aa087cd40e96e840f0c668efeb1
  SHA1: 55c63124feb24292b96f92c1fe6c1e5b118388e4
  SHA256: 3e0ce3b6084c1813bff46afe05e4a62803d3178f0fb0f391ff62c4214be48327
  SHA512: 2798d494c05b1367db6995ae1ebd898be4aa4e13f9743b8d99f33e0e175065abc9f2326db684558bd54bedc0fad7faec23b4de85cbdb7961447862604f74ec27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 877437e4fa491e2d57c2663330c10b3d
  SHA1: 0dd7faa6e52c1c6e09495da9cd46681de9280f07
  SHA256: d25be21c089fedd326aa1480924974a10b22a1db164ea25eca5fe16553897b8c
  SHA512: 88268dd2e4d50b342871857a5d7ad254f8c49683a8d7138e9a1170b355d2f7535351142c3c9038712b555ce66f1a1450f7c044c28613b4fd830dd0c4ecf1a534

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 67a5af3a75186c1d5cb5f8667bd2597b
  SHA1: 698604ab29226d1b1c621d0d3489a4785d85a93e
  SHA256: 1d28e47079f98783115773266e4b53fae4e777b8139abcb261194b3cd18ee518
  SHA512: ceba15adbe1527b668b30058031c7422d539911c4aa725efd390a3a9e2c9a9d17f285f8666fa589159aff7d1427b1ff8bf45eda0d62a07a75e4375e92a3c2ae8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b40424dde9c18b827f8417180c5d656f
  SHA1: 5e3281f3f1ff334789b289441b7803e18ef9362a
  SHA256: c7294747a3610d0cc0885d2c1cb160b4a67727dc11692115c5942f364cb55ab9
  SHA512: eb9cb1901e7f49bca8a54249445ccd3185e126f2030d003de24706b93c589e988a2da0ab279e71ce05d9d5c56e4485bab3679527aeabd83897e9552a63ff08ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 87f8a7a230fcb02a42367dff956964ca
  SHA1: de7022087f834d8b74b440713e14cd1024616662
  SHA256: d8e94cae6819c125f40a549024eacafe3240ec9d811a6e0799cc14a7e289a0f5
  SHA512: 1af3337f2f0e9569f6f7beda22525dbfc03a2b82eaf50156ad1a5009f2c85cd177faaefdc110234feded030ab241989e513977e245f3a7a3ff38294f50b7af3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1cc63c721d6e8e5369d6b9b899c43e86
  SHA1: e7b452edb7c1e7fe8ec613a7d846a9d70802a4ea
  SHA256: 5058382518f1b05cf88c99abbbcc4cc1100a719e09983809fa9ef71c45389267
  SHA512: 65c8e6f81874438a9869a7079a9f55f2597edffa8bedbd16fede89ff0085088d50b79d11784df3cc35f5500823a5fc92e6a2221f18e1e950a6b383b3431a36c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7f8ef98a0609e13bd180e298ebab58cf
  SHA1: 7175b9b4d3b2b7f5da6877aacfe554a715e47fc6
  SHA256: 8625b7856961eb0ce4dbc0e38eff1741812e93a52730ca27fab383ba43ff6089
  SHA512: 6a6a20145762f9ff408de55f9a688cbc5799e35e8f46ec3fa7d33f46be7f24a26cc17983a1e5333a9bd77c3c215f5eca4929991f2234b1d0f69b192a27be3b72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e3a0f705f9fc7fb48f30cc3765b9b208
  SHA1: df9a8911738f374c1af65c1a68140496e84ab18d
  SHA256: 8f5d04218b49775d690f5640c03a977a8b3e39588740c4091973437bd0e90a4d
  SHA512: ddf1b968c885a407853cb32e9365b5cd9b7ab1809c390402a2ca52a2a141a1c516ee770d5d45810dcf114197a8fce5d8d2aef616def919df25f3fb720246c114

  Filesize: 7KB
  MD5: 25d1e6bc0ddde8980bc3d397a97fdcb2
  SHA1: 55f2dab5a589e17b5ae5e38ee3d485ed0e5be649
  SHA256: f7ebaa71d0ab66ec6d1f357ef344e968139ccf989cc3959f6a5cd788003d4d7f
  SHA512: c7512bd9f705c99c4c8fea9401e4f0448745b164104f44ad3fe642cd6e27ec4decdba856beb7c9018b38cc467c9bc802324f0c716ad666bc80ae7c32c25cfb15

  Filesize: 7KB
  MD5: 2c93e151c3dd54bb01d2b1148e0eeaf7
  SHA1: 8b73b4288aa326c7a5762ca07e82a6cee16909e7
  SHA256: 3bd2c3c8685c77bc5e20a0d191fc2fc8c3546ebf79b9abe61879021b0daa2178
  SHA512: 86b92b780fb79507282ea108227bd689ace1b74266d08afea14a2df890249743ff054e5fbf77c6faafe65fd8964f305d3355c5f04e316f42139bdca27beb0077

  Filesize: 28KB
  MD5: c1b046950ed234122b7ff1d73ab41488
  SHA1: c0679eef7f012cf8e2ac0222d95a3dd8d47e2096
  SHA256: ddb4aa62393d650532eebc4611401bcb867e2f1cba773021246ce5460cda1ebd
  SHA512: 7ff36887ad89a487efde65ca982bf181744b9a97df17a92ff18744627e63b774c7e37018e41d58d602ee89975e25ce67517c3b1eb180c4f5e541906bcfcbe601

  Filesize: 368KB
  MD5: eee41316c6522cf4ac100dbc732c59a1
  SHA1: a29324e49f0359a1f3a215200224fd9830651b0e
  SHA256: 7b14f7b39c86b65e36b39b0cfaf8149dc1a63d1f49df6147f4d1c9c0960bccec
  SHA512: 1898c1d5310494eb81a0a39b508ff8bef41a33f5c8513d59422ec6ba7ee85a2029a27138642c363345c9658bd7448b17238c1b79aa2712e9aed18a8a64bd3d4d

  Filesize: 965KB
  MD5: e478c92160a3c73c77cdc9f515dfd8b0
  SHA1: f0fa230f8c26bcbddc3b68f38ce0793d46c0ca2b
  SHA256: 6a6e16c176004128b918ef3f9ecf1d51d828e6099fba6542b5ac6abdb67c1030
  SHA512: 3682b4f5bc31cd056c3f552da657309093e35b4757c073a223385c04765f622ce9ee000fb5dbc950c68ad7913ffdcc831ef65bd5ed7241f6179ea375b17be822

  Filesize: 330B
  MD5: 3379ac7243adcfa51a02295dbedc956a
  SHA1: 469bbae4b1844832809196c89f198029beef4af8
  SHA256: 7ec2512b59e62a3aeb0a1025bf152a31291e17e7e469ce18efae153064665b03
  SHA512: 08d7101b21b87e11aff79cd8b47ec3ba2878cf72406e4d59771531ce6098609f8340607cd8b9ae0721c56f8fba5927c93f0412f0042879f04f2cd223d82430a4

  Filesize: 183KB
  MD5: 2e12b37d32c8bcf8920f5ebb6d24a6b9
  SHA1: 7fcd9e4ebfa2c400d6340133440c087e56a3c9e6
  SHA256: f9842333f0b562b4ab5349a09fc173b0b2971c1f600502c4284781c78a735d7e
  SHA512: aa82f1ed984174a1b5a610eb28a422da6172dd027678d9d4b7a9714e85e050616403ad294a005ad1ab39032758a4d2fd8d498b1241dedda8c91698ffc7d3c527

  Filesize: 189KB
  MD5: 5b40791899fa37507e7c08bc3d9f5294
  SHA1: cb98852ec22251b5124507427d05b3dfe7ec53a7
  SHA256: 5a87d9485f6e13ee2c3ba4ac289a3e237d17a43ed428b8a5bd5f00fc4800d1ac
  SHA512: d2c0de00943d7e9961571a8e798688e46a8e7267086e15abaae8abca0fa7aedd02d5df3c5eb3dc6cfab0c5982694129bf5b9c0cb5d8e978fec0d76d54e441390

  Filesize: 1KB
  MD5: 883eb174fb50732863fcb223bb689630
  SHA1: 85421afa904951f836275f6d9434970d099b419b
  SHA256: c837c908319881a9781e454d6a8e6e91606fede069b5c9296ba121dafecf7a79
  SHA512: 10db1a874ff6fb34ec95f3f85c7390905fd1810fecad918f791a3a6b8dde4699c436dc3a3fa07069008d521dad214b44693b5607b13626f85cd16c62d0c1c495

  Filesize: 3KB
  MD5: 219c12bbd4390df75ac7f6adcb5aff3d
  SHA1: ca05e39b1b60fe53f5a4e2082197df4292618e39
  SHA256: 534a14891db815a7728a8bfd7d683584b39d118a7bca2e5323a3ae5e5e2479f2
  SHA512: e7b0cc131641ecac16fca753309aa3c7db160baa4fa96f05d1f5f791d9e0050546e9cdf89a1c35ece021b9adfcc88b8b59e83b47c5536c0de838a4655f6cfc25

  Filesize: 329B
  MD5: 8500ee43f1b0ea2a47a9637377902a7e
  SHA1: 69399c69041561fd018e4c0dd6c50b00a14ca242
  SHA256: 7084593701e3d7f0aceffb6b5d63bec611d103e41850d26ec90b2fd4a7944d98
  SHA512: 966d96e82aed98c90c702f6233e1372c4bc48fcfe8ae6e22324960476607e952b556894e6daba9527cb05244fa3cab1d486eed9c8a5e21dd69b25230b6e48c6a

  Filesize: 1KB
  MD5: 1f6859a48903f308639e03ba3284e7f5
  SHA1: be6cc001a5a4dcd8e04aefcb124889fb51a58a5d
  SHA256: 318667ac37efbc88e9ef7e984e2caec11cc8b16b454c07adcd133784ac123f2e
  SHA512: 41eb5afd8d7aa78298825b25b669016f2695e478f5e57748f0c8d2e0dc4d4de105e74f62b3ff69c4554d16f944e625cd81c43d812c0f86f0b99d5f1a5b74d5c2

  Filesize: 1KB
  MD5: dd35c3a5a530e2eec685855d2d3a37bb
  SHA1: 5fc3a189aaca5df055bb230744e5fbe91ebf8f74
  SHA256: 9be6ef8e6644e87c68718df8f3f3dacfd760d6d8b6d51a4ea84dbdaa6ab68db4
  SHA512: 8b8dc2ce8112439461e0f3c99e6bccc98088bdbcba452152b2356b34e6660709f462238ed0a90e55e58211f9705235c24f820521ee6882fcc8e4a3923d53d190

  Filesize: 21KB
  MD5: b1c31e3485b654f3687043e4fcc0b53f
  SHA1: eae95c89e1f0a9485511e5a415fea3757411b193
  SHA256: a3a4eab70f088585ea57c4f278a848d22757c2b2cfb6d1c53c881b332c02379e
  SHA512: 531146d2681967f884b68ff5167ef6c06b311c6c6ba9649cdb3059794cd082e80d1f414f7de040711179608fb28f3d12fc8c00bbace9fdc38f7b1190a1d676e0

  Filesize: 1KB
  MD5: ae8bb0e9b6e218a10be54da5899ae3e9
  SHA1: 665b44075d862e91da038501a43c64c3e5fa5f56
  SHA256: a10925561a251b5e3462f979478147b7e8d4e739d7f38038ff1ca0d516204ec3
  SHA512: 7dd872b115e0122dc837eb21a095597a12366151f9ee7bfc82efc4b4fdd83f5fd8b0ed1f2a4d529c0880f009f52e0012001bfccef66567b5bd25d352ff0cb2e4

  Filesize: 381B
  MD5: dfc7dd6dd71c4ef40c9beec4b62a8ef4
  SHA1: a1b4a01a4757ce8a5d8c87444b3b8f71a6634ede
  SHA256: e5c2e1197b9179f3960b347ccb1b1837148b540f35ba8c2a6550631061a886f6
  SHA512: a40bf12014d1a251fa55115f81baf6622a3c34b2ffdc1205f1526e5590782af44bd5b601e8e472c0e611a7a2c34b1cfb4db01fc4882d78baa690cc08ae81983e

  Filesize: 1KB
  MD5: 8acbb0cb7057a9dce9f9c7505e9797b4
  SHA1: 07dcab47155264545641f2e60213775ad2b3a295
  SHA256: f6851389f78a8b845b903cb42cd23c389368fcdaa9380e8e9573c629c11959ad
  SHA512: c8cef019b2081b4ab2229a6874be38d35cdccff71973e5d00686eb914b3c5effbbf8397b372eef7b8e8136e5fbc0f8e5e5ba7d4abfc96118a6789ace552f2069

  Filesize: 13KB
  MD5: c1c82f45c3129dfbed570e515532e2d6
  SHA1: ccd3fbe9b7716ca344e67242311751af2fce2cbb
  SHA256: 8cce773649c3d42bd0a65f4fe7c64364fe67dac8540ebdf5428b91a348768bf2
  SHA512: b5291539b48a3cb5ed2d5b6e27e8d6950c729837d9b8640c23926a787fca0ae8e24b14b9340ec08aad8220f88e0e572f411f38e27b980c2aea17f10c5ebd51f4

  Filesize: 2KB
  MD5: 9fb4355e9719fe7f36b5e449161382b7
  SHA1: d98e4ed815676f90c66535f0e3d78d1e9b17ed62
  SHA256: d51e336d8fd980e4afe130f93cb39c393e5646aaa64b4961975f78cdfca87565
  SHA512: 5718ebc206ead911aecffaaa4328721fc96fa8403f12a573fc8a012151108f59344afc7375240da2f197e90fade3bb642c49f36494ee8d0517b1c20cf7c29d59

  Filesize: 380B
  MD5: f6d1c497ca3b282fec8cb468e056378a
  SHA1: 25e217a29a3345df6dc992b996805ea6b77824be
  SHA256: 373f68416d333cc97dc74a00bab8ada24ed861e621e0dded0edd92dbe3855341
  SHA512: a45a9d98ed6f04566c4f305ef72e2046a585b4e1c8ab5f0d9865ad00b388b162ec68155f051e4c7b94989abff12208cc9370e096b35216aeedc8089c6487f10e

  Filesize: 840B
  MD5: 684490c4336716dd4148ecf789c26121
  SHA1: 3f194d47c8b9185ae96fdbef46e56088f7d3fd8a
  SHA256: 9c65c1b4d2b0078d0a035ed2496978fe25ed9483922ff3f35dc8b077ffc97eee
  SHA512: 7f456d84dc62b279f00870299f60ca1a3d4a2fe84d68db55ec99d3a1ab2b4206551f9702d7df233681e1cb836d778c47141e69717e2871d623245fbcdbddb904

  Filesize: 182B
  MD5: 06eaea5b0972b869dc5c643ecbb2fcfe
  SHA1: 05e31974657b1d5ba89f0709a009b2b8233ebcf2
  SHA256: f2b7e9d7e1dafe9335b53e39fd8570968358f4f0a3426012f0a510b1f7fec26d
  SHA512: 38b5cd2f7c762ff922a02389992bb1b77da9fbd6628873e156a152c5d31c46f6ac5e431198624e4d29ba0960b9467e6a8972e826e272c6e655ed1fbdaa88c0f3

  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  Filesize: 175B
  MD5: 1130c911bf5db4b8f7cf9b6f4b457623
  SHA1: 48e734c4bc1a8b5399bff4954e54b268bde9d54c
  SHA256: eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
  SHA512: 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

  Filesize: 25KB
  MD5: ad0a59ae87d4ba106e965c62f0bc3d88
  SHA1: 5b39b6fd95b5bee72a17d79a1f4958256a5c4149
  SHA256: 3a56005b2efb34620019ef432fe90eeb63726fc78b37be841f25c2aed82eb1db
  SHA512: 562b2cbd3fdbbb71dee9fdb68bd24b9bbf27beab93de338a616baec837910f31ad3b13d75564d45a1cca26e1150517b47d0b3984bae7d08675593bde22bbea98

  Filesize: 472KB
  MD5: 0953851089821550ef013b487da3915a
  SHA1: 7b4dfb7d547404fb6f3cc561d9475209aa2c6172
  SHA256: 4a56ef352f84ad19c1b4486c7c9e64fef9a67c464c62e51bababa79cd2d89551
  SHA512: 4a41a97527604042e1d28e2869aac1dea79da372ffc7e211415e45e4212a853971731cf4fc9595d81c4f4b824f8e7441c2ad6f2641d053cd783b264c83c29e86

  Filesize: 158KB
  MD5: a0d0ac258d1dae37796cf329e3a2057c
  SHA1: a706427da4489ad01d4b56ccba243c1243ee14c7
  SHA256: d5176fe2c55314c2ede8fbab24d641cbe03ee372c2fb709178b5984baa1bff2b
  SHA512: 4f5cd5bd5f695dfe6229457195bf2126abe3ccb0f08311143dba5b0fac251f0b3602fc62fd86d03a4b1a501e985b40073f4e8f6ff5e58d79ddd7fa28740ed562

  Filesize: 122KB
  MD5: eb4d6b8cfc5ab065fd9558a880f698fe
  SHA1: 7067d2f6e2eb64f7de1a7d88c6e6dcd779243fa7
  SHA256: fd23026187389972d4712d8d4bafbb05cd138cba42f08c7cc3fb92a757eb6aa4
  SHA512: 66742440641201df6cf0b78a3b5242f33bb02f1258a7472ce5aaa3cd4b01e505d5d3ebafcf47ea0251068120b08ba786424d7de4c5512ceac3b7a4869a74c144

  Filesize: 67KB
  MD5: 7574cf2c64f35161ab1292e2f532aabf
  SHA1: 14ba3fa927a06224dfe587014299e834def4644f
  SHA256: de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
  SHA512: 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  Filesize: 317KB
  MD5: a60cbaea0f8ac802d21c0cc7bc2589be
  SHA1: f4c1f4b7f340968ba9c360f3fc1ef783a8bc7b2a
  SHA256: 8bf1b71182fed18d6b4112bdc4d496800b5bf6681de4c4f6536ba67378f38a12
  SHA512: 24ab704e214758b9318a333bb3a466a05e4218fbef70752b266d782e5fe89de19db8e5d5a584245fcc6aaf32ea99a0764583b3cc56299e99a2b7cf6ec42c2ccb