6fdccfbcf36463c0d9212d148dd946d0669e334099fe35b0db00317ab837b7bd

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/scenic-magicalchristmas-wallpaper.exe
Size

965KB
MD5

aebc5c159cec452d668c4698100ad035
SHA1

556c8223f9409b543cc75d65a6e1c1796ab0da66
SHA256

406eab2062d6b3f9b36014ed9534b93c3c197ad3f6eb9077c61610c85f7312dc
SHA512

b0a6198bcfe13c1c5b3c7bc2134dbd4fafabdfc22871ccd6c784692f606a99759ef4180d17674d1f7cf6c6c6fab36fc61ab87c56b67372066c0d718d552adfcd
SSDEEP

12288:DfGQiNVTgaBhg2Un6XxG5Ld9j7TMRrfTkY025btYEjO0rDDayvP3O06EYCk+mynq:DfEDBaKIFH7TMvbJtXr9fP5kOEdJ/LiA

Score

8^/10

discovery persistence ransomware

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Macromedia Shockwave Flash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	flashax.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "7,0,14,0"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	flashax.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	flashax.exe

Loads dropped DLL 10 IoCs

pid	Process
328	scenic-magicalchristmas-wallpaper.exe
328	scenic-magicalchristmas-wallpaper.exe
2116	flashax.exe
2116	flashax.exe
2116	flashax.exe
2116	flashax.exe
2116	flashax.exe
328	scenic-magicalchristmas-wallpaper.exe
328	scenic-magicalchristmas-wallpaper.exe
328	scenic-magicalchristmas-wallpaper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\SETB56B.tmp	flashax.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\SETB56B.tmp	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\GetFlash.exe	flashax.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\SETB58B.tmp	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\SETB56A.tmp	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\SETB58B.tmp	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\GetFlash.exe.manifest	flashax.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\SETB56A.tmp	flashax.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Wallpaper	scenic-magicalchristmas-wallpaper.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	flashax.exe
File created	C:\Windows\INF\SETB58C.tmp	flashax.exe
File opened for modification	C:\Windows\INF\swflash.inf	flashax.exe
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper.html	scenic-magicalchristmas-wallpaper.exe
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\uninstall.exe	scenic-magicalchristmas-wallpaper.exe
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\79_15.swf	scenic-magicalchristmas-wallpaper.exe
File opened for modification	C:\Windows\INF\SETB58C.tmp	flashax.exe
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\preview.bmp	scenic-magicalchristmas-wallpaper.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\79_15.swf	scenic-magicalchristmas-wallpaper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scenic-magicalchristmas-wallpaper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Control Panel 8 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\TileWallpaper = "0"	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\WallpaperStyle = "10"	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\Pattern	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Colors\Background = "0 255 255"	scenic-magicalchristmas-wallpaper.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Desktop\General	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Scenic- Magical Christmas Wallpaper.html"	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper	scenic-magicalchristmas-wallpaper.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\FLAGS	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	flashax.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\macromed\\flash\\Flash.ocx, 1"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\CLSID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.1"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\macromed\\flash\\Flash.ocx"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\macromed\\flash\\Flash.ocx, 1"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\macromed\\flash\\Flash.ocx"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32\ = "C:\\Windows\\SysWow64\\macromed\\flash\\Flash.ocx"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	flashax.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2116	flashax.exe
Token: SeRestorePrivilege	2116	flashax.exe
Token: SeRestorePrivilege	2116	flashax.exe
Token: SeRestorePrivilege	2116	flashax.exe
Token: SeRestorePrivilege	2116	flashax.exe
Token: SeRestorePrivilege	2116	flashax.exe
Token: SeRestorePrivilege	2116	flashax.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2116	328	scenic-magicalchristmas-wallpaper.exe	30
PID 328 wrote to memory of 2116	328	scenic-magicalchristmas-wallpaper.exe	30
PID 328 wrote to memory of 2116	328	scenic-magicalchristmas-wallpaper.exe	30
PID 328 wrote to memory of 2116	328	scenic-magicalchristmas-wallpaper.exe	30
PID 328 wrote to memory of 2116	328	scenic-magicalchristmas-wallpaper.exe	30
PID 328 wrote to memory of 2116	328	scenic-magicalchristmas-wallpaper.exe	30
PID 328 wrote to memory of 2116	328	scenic-magicalchristmas-wallpaper.exe	30
PID 2116 wrote to memory of 2780	2116	flashax.exe	31
PID 2116 wrote to memory of 2780	2116	flashax.exe	31
PID 2116 wrote to memory of 2780	2116	flashax.exe	31
PID 2116 wrote to memory of 2780	2116	flashax.exe	31
PID 2116 wrote to memory of 2780	2116	flashax.exe	31
PID 2116 wrote to memory of 2780	2116	flashax.exe	31
PID 2116 wrote to memory of 2780	2116	flashax.exe	31
PID 328 wrote to memory of 1492	328	scenic-magicalchristmas-wallpaper.exe	32
PID 328 wrote to memory of 1492	328	scenic-magicalchristmas-wallpaper.exe	32
PID 328 wrote to memory of 1492	328	scenic-magicalchristmas-wallpaper.exe	32
PID 328 wrote to memory of 1492	328	scenic-magicalchristmas-wallpaper.exe	32
PID 328 wrote to memory of 1492	328	scenic-magicalchristmas-wallpaper.exe	32
PID 328 wrote to memory of 1492	328	scenic-magicalchristmas-wallpaper.exe	32
PID 328 wrote to memory of 1492	328	scenic-magicalchristmas-wallpaper.exe	32

C:\Users\Admin\AppData\Local\Temp\$TEMP\scenic-magicalchristmas-wallpaper.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\scenic-magicalchristmas-wallpaper.exe"
1⤵
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Local\Temp\SWFD1\flashax.exe
  "C:\Users\Admin\AppData\Local\Temp\SWFD1\flashax.exe" /Q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
71bce148946dbcf568286324c42c346a

SHA1
a77c63f96f166b1f0231778dbcf7f3a92afd66cd

SHA256
d4e0d8ec39a8d09ff1dd1e53bdeff768f23b84bf4a113de1225137d5aee1be62

SHA512
add7dfa3c4c66983fc15cd16a15ddd837fa94e4f621519d1872d722790f47aaf2e9159ca82b2ef68ce989e30fb98bc534cf3a97f6695e316269e89d0d8d86d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
71b2d6ab7160971c62fe3ce07e4a42ac

SHA1
6dc69126deba0c8e77245f7e8b7db95f5141ace8

SHA256
459e7327108bdf82278e6b19d145fbe2c49a69700a658d9a48e62fd63be1af6d

SHA512
11469f335db0cbd7b335d4bffcc74cf8c740d06dcbde0c2e843b4160323305f3962ab7904e3f6c327378a8a2edb3fa91ccb70d6df96db1c0afcf9b16fb13df66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
a7e3dcf1cb86578ca76f58df3d479d21

SHA1
199ee0135793da514f2fcf7f8d7816e164aa99f2

SHA256
729e8002a237355a53f91b4dbce5e362fa5747ffee47d0f9ae8ba754936c2953

SHA512
5753780a596e9031ccc4bbf3203a49e188d3b08dc4f7b31635e52d359335c346ba18297f7966f2c62470544df18759d6575180219759028ef802c02d2c69c151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
6683bd02f39d692846ad56222e7d9c68

SHA1
3137fd253e311c4fb2a2cbcf4b3a4dc549804bdf

SHA256
60e31290d12ab2bdb8a841aaaf22d54e14159f47a4c7abf3e30f91dd81a21fcd

SHA512
743f7ac42655569cc8679b8141af753e14f0f868065c74bd743274bda6be10fd8b238ff0a1c26b079c9a8adeaf1cabef74b6918c77778eac3f8dc7fa1f3ee014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flash.ocx

Filesize
896KB

MD5
b414d4ba7bfb6218ae6b224b46c81d60

SHA1
8282c38c13b477fbb2f3cc2a9d5ab2d4569e47a1

SHA256
94058fe5343d8d76d313998e1db44a0bedd47184b132fa6c3ace021cb665d703

SHA512
daa822502c781ccd6bcdc5a17d8d0b0f3f5a7b729811fb578934b64198a67078ccaff26aa20d3ca068b05e39a45e3f382b49b317bc45d92a2058bc6768049792

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GetFlash.exe

Filesize
92KB

MD5
75ac56f42a1dd2f95a2724e71b16a3b9

SHA1
ad72b164cc14e68c0dc5a781e8168f2e187f2309

SHA256
dd60383e3152fa9a1a9ed154affb36b081c6ae4ac272353b647ed97c4167a295

SHA512
7f673fb05ce9f2929c576e6399849af5d407c0fb5ca3601923ed947e6dde3a1afef84bc7ad98afb8b0f4a650492b918e21edafd2ba0c3c272fc04b8fe798ead6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GetFlash.man

Filesize
601B

MD5
bdb09346869b49dbcbad8741941393f6

SHA1
ad2146e2cf5d22037cf8f1e9d5f672f00289f91d

SHA256
613f5a26bdf0da0d2bbbbe24e7945856e70b2887d27a88322d325b15f549d7ca

SHA512
1b72df2951e367a15531120701117e6943924416d2ac30e7b5a8bdb58e2830182f4bb21e7c506e34b57f9537ce9d554eeecbf9d0f3d5b4e14932b92f9648d77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swflash.inf

Filesize
3KB

MD5
84649efef758bbd23707c3b468731d4e

SHA1
1c7ce3d3577cbb8aabb96763d0c04e0def42e1e7

SHA256
682bb69d52b8703b4cd837571991dfeb203129641b7b91ef8d27346ea3fc71e4

SHA512
21c6603a525259aa62b0950d4a3031392c6d6e1a8bb26ff03ca4d616ffc18391221945d16152d3e191c51d725d5d265f0b002db034231338f0bc3252cb89d061

Download Submit
C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\preview.bmp

Filesize
49KB

MD5
7f6ee0ff0f7617fe7a0107821f2468eb

SHA1
ac6adecc3876a7b92dec82885f8fea58f1350d4a

SHA256
099f89abfc5f0895c073c7a08bdd363b9ad982908988582573621d9da1002579

SHA512
a73e9e835f1a7c32022edf5be56085d735cac968e7aafa4ee3f7f8f80676759c297797318b48751717b8d0aed9c2cc61aadf125ade18564d9697550efeedf932

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
38KB

MD5
95a08bb436ae708541e095d52b0fde20

SHA1
737d48a3a2fe312785776396292499cf327345db

SHA256
53bc97771a65076b8cf8073ce0ce439a39de28df4b12a8b86c5ee820d25b6c56

SHA512
b052cba6c7a170445b7eae17bff09e9bec6502f397ad628db12654e315ffca671bf559ffa62d5e2a3aac10936720b83f7a990e7124ca3b03ad6e568ea85bca17

Download Submit
\Users\Admin\AppData\Local\Temp\SWFD1\flashax.exe

Filesize
535KB

MD5
6e233b6151fd3e9858e168eb07896ffa

SHA1
9e854a227b6a93c9d0965067da743fb97e94a518

SHA256
9545fd330c51ae037efe1b24f510459b89b89325b06656a06e79c51734fd882f

SHA512
136b47728307d37b63bdf9e30cc7e0236ee17430375df0bc35f9170a802ad647d9a5ef62ca9b530bbc1bdaea32927660b26e1671562e06c9d729ec4dec2b2516

Download Submit
\Users\Admin\AppData\Local\Temp\SWFD1\impborl.dll

Filesize
12KB

MD5
23a38a0f3b5fb112809c339725a9e318

SHA1
165dc2cb79d167b53bd35d42eb9ff33087040a19

SHA256
7f86b2a4d53df100d8572c1615e809c11df9765054e394773b033aed083719ff

SHA512
cb6123279f052ce71a9f985fdaaae7e01be7254f2e35b24530229d27282fad53a2d232f718ad976db1195af2b9bec0485efc8391999115cf39872e3fb0e3bc2b

Download Submit
memory/328-775-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads