Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 16-08-2024 03:13

Static task: static1
Behavioral task: behavioral1
Sample: 5ef07ec4f5f42128706936eb0abe9770N.exe
Resource: win7-20240704-en

General
Target: 5ef07ec4f5f42128706936eb0abe9770N.exe
Size: 5.7MB
MD5: 5ef07ec4f5f42128706936eb0abe9770
SHA1: 8bfbba9ea31ada251b235b26896d14f2badbe940
SHA256: 1fbbd262a98b6cdd4b29c9bf57688be2ff135925973850cc006d67f2ba1cd711
SHA512: 207ef5e28e21a18e0547b639038f4c677ef8f647f0ac765030b4caccabfa33f711957b5bc8eef2df1723595afd3f0c21045d205dcdf301ecf4ef607709be17ec
SSDEEP: 98304:j6Pq7UzmNZbDsmKZZYP49o18frP3wbzWFimaI7dlZ1X6:E6NZbAjgbzWFimaI7dlPX6
Malware Config
Signatures
Detects Floxif payload 1 IoCs
- resource: behavioral1/files/0x000a000000012283-1.dat, yara_rule: floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
- resource: behavioral1/files/0x000a000000012283-1.dat, yara_rule: acprotect

Loads dropped DLL 7 IoCs
- PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe
- PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe
- PID 1316, regsvr32.exe
- PID 2124, regsvr32.exe
- PID 2220, regsvr32.exe
- PID 2208, regsvr32.exe
- PID 2684, regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

yara_rule matches: upx (19 resources)
- behavioral1/files/0x000a000000012283-1.dat
- behavioral1/memory/2696-3-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/1316-14-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/1316-16-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2696-18-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2696-20-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2684-35-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2208-34-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2696-27-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2208-37-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2124-31-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2220-29-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2124-28-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2220-39-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2684-41-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2696-45-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2696-49-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2696-53-0x0000000010000000-0x0000000010030000-memory.dmp
- behavioral1/memory/2696-58-0x0000000010000000-0x0000000010030000-memory.dmp
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ef07ec4f5f42128706936eb0abe9770N.exe /onboot" (process: 5ef07ec4f5f42128706936eb0abe9770N.exe)

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\e: (process: 5ef07ec4f5f42128706936eb0abe9770N.exe)
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Process for all entries: 5ef07ec4f5f42128706936eb0abe9770N.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Drops file in Program Files directory 2 IoCs
Process for all entries: 5ef07ec4f5f42128706936eb0abe9770N.exe
- File created: \??\c:\program files\common files\system\symsrv.dll.000
- File created: C:\Program Files\Common Files\System\symsrv.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5ef07ec4f5f42128706936eb0abe9770N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: regsvr32.exe)

Modifies Internet Explorer settings
Process for all entries: 5ef07ec4f5f42128706936eb0abe9770N.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"
- Set value (int): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "5ef07ec4f5f42128706936eb0abe9770N.exe"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Set value (int): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "5ef07ec4f5f42128706936eb0abe9770N.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"
- Set value (int): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}
- Set value (int): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"
Modifies registry class 19 IoCs
Process for all entries: 5ef07ec4f5f42128706936eb0abe9770N.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"
- Set value (int): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "228"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}
- Set value (int): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ef07ec4f5f42128706936eb0abe9770N.exe"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}
- Key created: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}
Suspicious behavior: EnumeratesProcesses 3 IoCs
- PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe (3 entries)

Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeDebugPrivilege, PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe
- Token: SeRestorePrivilege, PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe
- Token: SeDebugPrivilege, PID 2124, regsvr32.exe
- Token: SeDebugPrivilege, PID 2684, regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs
- PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe

Suspicious use of SendNotifyMessage 1 IoCs
- PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe

Suspicious use of SetWindowsHookEx 11 IoCs
- PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe (11 entries)

Suspicious use of WriteProcessMemory 35 IoCs
Source process for all entries: PID 2696, 5ef07ec4f5f42128706936eb0abe9770N.exe
- wrote to memory of PID 1316 (procid_target 31), 7 entries
- wrote to memory of PID 2124 (procid_target 33), 7 entries
- wrote to memory of PID 2220 (procid_target 34), 7 entries
- wrote to memory of PID 2684 (procid_target 35), 7 entries
- wrote to memory of PID 2208 (procid_target 36), 7 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\5ef07ec4f5f42128706936eb0abe9770N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5ef07ec4f5f42128706936eb0abe9770N.exe"
   PID: 2696
   - Loads dropped DLL
   - Adds Run key to start application
   - Enumerates connected drives
   - Installs/modifies Browser Helper Object
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      PID: 1316
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      PID: 2124
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
      PID: 2220
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
      PID: 2684
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
      PID: 2208
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
- Event Triggered Execution (1)
  - AppInit DLLs (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - AppInit DLLs (1)
Downloads