6fdccfbcf36463c0d9212d148dd946d0669e334099fe35b0db00317ab837b7bd

Analysis

max time kernel
145s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/scenic-magicalchristmas-wallpaper.exe
Size

965KB
MD5

aebc5c159cec452d668c4698100ad035
SHA1

556c8223f9409b543cc75d65a6e1c1796ab0da66
SHA256

406eab2062d6b3f9b36014ed9534b93c3c197ad3f6eb9077c61610c85f7312dc
SHA512

b0a6198bcfe13c1c5b3c7bc2134dbd4fafabdfc22871ccd6c784692f606a99759ef4180d17674d1f7cf6c6c6fab36fc61ab87c56b67372066c0d718d552adfcd
SSDEEP

12288:DfGQiNVTgaBhg2Un6XxG5Ld9j7TMRrfTkY025btYEjO0rDDayvP3O06EYCk+mynq:DfEDBaKIFH7TMvbJtXr9fP5kOEdJ/LiA

Score

8^/10

discovery persistence ransomware

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Macromedia Shockwave Flash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	flashax.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "7,0,14,0"	flashax.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	scenic-magicalchristmas-wallpaper.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	flashax.exe

Loads dropped DLL 7 IoCs

pid	Process
2632	flashax.exe
2632	flashax.exe
1996	scenic-magicalchristmas-wallpaper.exe
1996	scenic-magicalchristmas-wallpaper.exe
1996	scenic-magicalchristmas-wallpaper.exe
1996	scenic-magicalchristmas-wallpaper.exe
1996	scenic-magicalchristmas-wallpaper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Macromed\Flash\SET43BD.tmp	flashax.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\SET438C.tmp	flashax.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\SET439D.tmp	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\GetFlash.exe	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\SET43BD.tmp	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\GetFlash.exe.manifest	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\SET438C.tmp	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx	flashax.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\SET439D.tmp	flashax.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Scenic- Magical Christmas Wallpaper.html"	scenic-magicalchristmas-wallpaper.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\79_15.swf	scenic-magicalchristmas-wallpaper.exe
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\preview.bmp	scenic-magicalchristmas-wallpaper.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\79_15.swf	scenic-magicalchristmas-wallpaper.exe
File opened for modification	C:\Windows\INF\SET43CD.tmp	flashax.exe
File created	C:\Windows\INF\SET43CD.tmp	flashax.exe
File opened for modification	C:\Windows\INF\swflash.inf	flashax.exe
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper.html	scenic-magicalchristmas-wallpaper.exe
File created	C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\uninstall.exe	scenic-magicalchristmas-wallpaper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scenic-magicalchristmas-wallpaper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe

Modifies Control Panel 7 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Pattern	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Colors\Background = "0 255 255"	scenic-magicalchristmas-wallpaper.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Pattern Upgrade = "TRUE"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\TileWallpaper = "0"	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\WallpaperStyle = "10"	scenic-magicalchristmas-wallpaper.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\Wallpaper	scenic-magicalchristmas-wallpaper.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Desktop\General	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperSource	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Scenic- Magical Christmas Wallpaper.html"	scenic-magicalchristmas-wallpaper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Windows\\Web\\Wallpaper\\Scenic- Magical Christmas Wallpaper.html"	scenic-magicalchristmas-wallpaper.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.1"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\FLAGS	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\macromed\\flash\\Flash.ocx, 1"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\HELPDIR	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp\CurVer\ = "FlashProp.FlashProp.1"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\macromed\\flash\\Flash.ocx"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\Extension = ".spl"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.0\0	flashax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf"	flashax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	flashax.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2632	1996	scenic-magicalchristmas-wallpaper.exe	93
PID 1996 wrote to memory of 2632	1996	scenic-magicalchristmas-wallpaper.exe	93
PID 1996 wrote to memory of 2632	1996	scenic-magicalchristmas-wallpaper.exe	93
PID 2632 wrote to memory of 1676	2632	flashax.exe	96
PID 2632 wrote to memory of 1676	2632	flashax.exe	96
PID 2632 wrote to memory of 1676	2632	flashax.exe	96
PID 1996 wrote to memory of 828	1996	scenic-magicalchristmas-wallpaper.exe	98
PID 1996 wrote to memory of 828	1996	scenic-magicalchristmas-wallpaper.exe	98
PID 1996 wrote to memory of 828	1996	scenic-magicalchristmas-wallpaper.exe	98

C:\Users\Admin\AppData\Local\Temp\$TEMP\scenic-magicalchristmas-wallpaper.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\scenic-magicalchristmas-wallpaper.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\SWFD1\flashax.exe
  "C:\Users\Admin\AppData\Local\Temp\SWFD1\flashax.exe" /Q
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:7008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
b00fe49436dced431a0e10b3657e3e32

SHA1
c2adfbeaae60cacf944a7beeb83f9d6350f5098e

SHA256
24bab1448c88531b89000be8eb753627010c79951fa24599a1f09008748bd24c

SHA512
abf0ce4ae9bc808a3ea04ce80f1ae3ba86b8d9b970f59737d20754aeb9620ad113cfc629d5745b54ef6f69a1dbdec7ca374a29a1a897e40cc68edaae68d4dcc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
1110b8b37bbf8b59a4655ae1f4a9e6c9

SHA1
b946753f07a0b63b07758606da39d1ccc48e0ec0

SHA256
28c8955e7b552168f9ccd1c585f2b0aaf478da4e034b6c01dd1744d85b4ce991

SHA512
0905585a1d0eb7d684d75b5ab1f97ea88e5755995ad5bb00344d544d34c7b0131e3e768bc86a01a7a3d8f16a20911cd89a94201c0fe7409c20133480924d1f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
20f7dbc58a81f3bd5f538996e2980b9f

SHA1
7d5d3ee19dc91f8992da10e14da020f642c3a6cb

SHA256
769259a96db26effeb1baddc00bc5ce3041aa16159602b2896ebdc9ed8cf60c0

SHA512
5948d1ab55a1712ef58b0e42c31affc4eeb7c9a6144ac7fa2a0238f0d06e7d984eb806110614dce945ba2248ec30a4991494329844d727d8a5f2bccfba252e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
38KB

MD5
95a08bb436ae708541e095d52b0fde20

SHA1
737d48a3a2fe312785776396292499cf327345db

SHA256
53bc97771a65076b8cf8073ce0ce439a39de28df4b12a8b86c5ee820d25b6c56

SHA512
b052cba6c7a170445b7eae17bff09e9bec6502f397ad628db12654e315ffca671bf559ffa62d5e2a3aac10936720b83f7a990e7124ca3b03ad6e568ea85bca17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Flash.ocx

Filesize
896KB

MD5
b414d4ba7bfb6218ae6b224b46c81d60

SHA1
8282c38c13b477fbb2f3cc2a9d5ab2d4569e47a1

SHA256
94058fe5343d8d76d313998e1db44a0bedd47184b132fa6c3ace021cb665d703

SHA512
daa822502c781ccd6bcdc5a17d8d0b0f3f5a7b729811fb578934b64198a67078ccaff26aa20d3ca068b05e39a45e3f382b49b317bc45d92a2058bc6768049792

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GetFlash.exe

Filesize
92KB

MD5
75ac56f42a1dd2f95a2724e71b16a3b9

SHA1
ad72b164cc14e68c0dc5a781e8168f2e187f2309

SHA256
dd60383e3152fa9a1a9ed154affb36b081c6ae4ac272353b647ed97c4167a295

SHA512
7f673fb05ce9f2929c576e6399849af5d407c0fb5ca3601923ed947e6dde3a1afef84bc7ad98afb8b0f4a650492b918e21edafd2ba0c3c272fc04b8fe798ead6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GetFlash.man

Filesize
601B

MD5
bdb09346869b49dbcbad8741941393f6

SHA1
ad2146e2cf5d22037cf8f1e9d5f672f00289f91d

SHA256
613f5a26bdf0da0d2bbbbe24e7945856e70b2887d27a88322d325b15f549d7ca

SHA512
1b72df2951e367a15531120701117e6943924416d2ac30e7b5a8bdb58e2830182f4bb21e7c506e34b57f9537ce9d554eeecbf9d0f3d5b4e14932b92f9648d77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\swflash.inf

Filesize
3KB

MD5
84649efef758bbd23707c3b468731d4e

SHA1
1c7ce3d3577cbb8aabb96763d0c04e0def42e1e7

SHA256
682bb69d52b8703b4cd837571991dfeb203129641b7b91ef8d27346ea3fc71e4

SHA512
21c6603a525259aa62b0950d4a3031392c6d6e1a8bb26ff03ca4d616ffc18391221945d16152d3e191c51d725d5d265f0b002db034231338f0bc3252cb89d061

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWFD1\flashax.exe

Filesize
535KB

MD5
6e233b6151fd3e9858e168eb07896ffa

SHA1
9e854a227b6a93c9d0965067da743fb97e94a518

SHA256
9545fd330c51ae037efe1b24f510459b89b89325b06656a06e79c51734fd882f

SHA512
136b47728307d37b63bdf9e30cc7e0236ee17430375df0bc35f9170a802ad647d9a5ef62ca9b530bbc1bdaea32927660b26e1671562e06c9d729ec4dec2b2516

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWFD1\impborl.dll

Filesize
12KB

MD5
23a38a0f3b5fb112809c339725a9e318

SHA1
165dc2cb79d167b53bd35d42eb9ff33087040a19

SHA256
7f86b2a4d53df100d8572c1615e809c11df9765054e394773b033aed083719ff

SHA512
cb6123279f052ce71a9f985fdaaae7e01be7254f2e35b24530229d27282fad53a2d232f718ad976db1195af2b9bec0485efc8391999115cf39872e3fb0e3bc2b

Download Submit
C:\Windows\Web\Wallpaper\Scenic- Magical Christmas Wallpaper dir\preview.bmp

Filesize
49KB

MD5
7f6ee0ff0f7617fe7a0107821f2468eb

SHA1
ac6adecc3876a7b92dec82885f8fea58f1350d4a

SHA256
099f89abfc5f0895c073c7a08bdd363b9ad982908988582573621d9da1002579

SHA512
a73e9e835f1a7c32022edf5be56085d735cac968e7aafa4ee3f7f8f80676759c297797318b48751717b8d0aed9c2cc61aadf125ade18564d9697550efeedf932

Download Submit
memory/1996-0-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1996-819-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads