42fcf328d1c4c8d00fabe339983efeab42fb5bae06a52c4583ab0df8573efdda

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 20:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

egifan7.exe
Size

23.1MB
MD5

b0a82f7a9aa62c3919fb5c0bfb47deeb
SHA1

f7aff3685134fd68893a6541e3f850ca7a398dd5
SHA256

42fcf328d1c4c8d00fabe339983efeab42fb5bae06a52c4583ab0df8573efdda
SHA512

e7f274318a88fdb5efe89c9918c835ca2ebef53fe6ce0d72f7c1bb50a4c180f484ead2350618f6d2b9ad2821b80b8874a3dab7a563f9bec54ed83a1ef37b7e2d
SSDEEP

393216:f/nir8+5ZtPL1ko9OqEV8KGaXnby6TdWM6M6evmovhDkxT1BrPAeGNqqd77pRMk8:Hnir8w/D13hY+aXuxZM6eOWkZLrPGNBO

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-CKRIU.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\libav\is-0B64L.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-A0HHR.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-3DMJQ.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-UBQV7.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-8RJVN.tmp	egifan7.tmp
File opened for modification	C:\Program Files (x86)\Easy GIF Animator\libeay32.dll	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-3LCC5.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-RKOPV.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-M03PV.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-NFQGE.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-MT6N1.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-V9QQA.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-VQ19H.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\libav\is-3PG75.tmp	egifan7.tmp
File opened for modification	C:\Program Files (x86)\Easy GIF Animator\libav\swresample-0.dll	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\is-BEH9Q.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-F2FF3.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-Q3BSC.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-TF8JV.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-56EE2.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-F0EV7.tmp	egifan7.tmp
File opened for modification	C:\Program Files (x86)\Easy GIF Animator\libav\swscale-2.dll	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\is-QJCK4.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\buttons\is-8D5OI.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\buttons\is-QVVP3.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\search\is-4QRJD.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-D9U2D.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-3VNG8.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-872RC.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\is-ON38S.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\buttons\is-DN1B1.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\buttons\is-N8FD7.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-JAATO.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-VM8TL.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-F2F3F.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-QB7II.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\search\is-65KBP.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-ALAB0.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\libav\is-1RL7U.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\lang\is-9N3PC.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-7FGT8.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-R4GN4.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-0RP7I.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-D5RJK.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-94PK1.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\data\buttons\is-UR98R.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-TOTGG.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-5T699.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\buttons\is-LDS6E.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\data\is-FO2N3.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-28UAN.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-KI59N.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-N73GI.tmp	egifan7.tmp
File opened for modification	C:\Program Files (x86)\Easy GIF Animator\libav\avutil-51.dll	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-03OGC.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-V5V4F.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-0SBHN.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Icon2u\is-8GU5N.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\data\buttons\is-AOHEJ.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\data\buttons\is-QBCKB.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-VLCTD.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-3F9CS.tmp	egifan7.tmp
File created	C:\Program Files (x86)\Easy GIF Animator\clipart\icons\PixelMixer\is-5JROE.tmp	egifan7.tmp

Executes dropped EXE 2 IoCs

pid	Process
2388	egifan7.tmp
1300	gifan.exe

Loads dropped DLL 7 IoCs

pid	Process
1144	egifan7.exe
2388	egifan7.tmp
2388	egifan7.tmp
2388	egifan7.tmp
2388	egifan7.tmp
1300	gifan.exe
1300	gifan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gifan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egifan7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egifan7.tmp

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\gifan.exe = "10000"	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\gifan.exe = "1"	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\	gifan.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	gifan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	gifan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	gifan.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	gifan.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	gifan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	gifan.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2388	egifan7.tmp
2388	egifan7.tmp
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1300	gifan.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2388	egifan7.tmp
2388	egifan7.tmp
2388	egifan7.tmp
1300	gifan.exe
1300	gifan.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe
1300	gifan.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2388	1144	egifan7.exe	30
PID 1144 wrote to memory of 2388	1144	egifan7.exe	30
PID 1144 wrote to memory of 2388	1144	egifan7.exe	30
PID 1144 wrote to memory of 2388	1144	egifan7.exe	30
PID 1144 wrote to memory of 2388	1144	egifan7.exe	30
PID 1144 wrote to memory of 2388	1144	egifan7.exe	30
PID 1144 wrote to memory of 2388	1144	egifan7.exe	30
PID 2388 wrote to memory of 1300	2388	egifan7.tmp	33
PID 2388 wrote to memory of 1300	2388	egifan7.tmp	33
PID 2388 wrote to memory of 1300	2388	egifan7.tmp	33
PID 2388 wrote to memory of 1300	2388	egifan7.tmp	33

C:\Users\Admin\AppData\Local\Temp\egifan7.exe
"C:\Users\Admin\AppData\Local\Temp\egifan7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\is-SL35A.tmp\egifan7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SL35A.tmp\egifan7.tmp" /SL5="$30144,23966205,57856,C:\Users\Admin\AppData\Local\Temp\egifan7.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Program Files (x86)\Easy GIF Animator\gifan.exe
    "C:\Program Files (x86)\Easy GIF Animator\gifan.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Easy GIF Animator\clipart\icons\Crystal\is-94PK1.tmp

Filesize
80KB

MD5
0a270f1e654bb75bd8ee8b627084889f

SHA1
539d9d5ff1953b96691dd42fb0fada404f204ab3

SHA256
d90680f592c60e25f224caf77a0784560fc665460acf3963d624f2c363793393

SHA512
1a3106aaadc1d8090f5014b7f354308353b16a31ecf13735c83e9143a55719fc6348c3f4aa44abd4ebda92091c1b6f72aa46fc5a1008104a9f26dfc1a0ed2715

Download Submit
C:\Program Files (x86)\Easy GIF Animator\lang\Languages.sib

Filesize
399KB

MD5
0ddda865b0c0f471123f07a78e5ae878

SHA1
6a75f562cebc1a53f22b260ddb6512329d780444

SHA256
bae99a87d86800a8fd976a81b0e78a3cc654b99dbd341b924e182179d9fef96f

SHA512
d93a82427d6555f562a865d2684d3c678fbd32b673343f2ae1d1321625af631cf908a1c5020f93e028f2fb130395751c7733b0dc500c2c7149364c2798eb494c

Download Submit
\Program Files (x86)\Easy GIF Animator\gifan.exe

Filesize
35.6MB

MD5
7c13002066ac3b2d836d9c635d82a2af

SHA1
d370602d619b40ec602f6c5f34cdc1b5f1895f21

SHA256
0996d6617139ae70bb50c18133429c8837c10c503245885576c286ec21526042

SHA512
21cb333f65e3753bb7b10aaaab8b623b0456ad0215254f783f30c6ce46d9a52f2db32225d561b19d14aeb9e2156e5d458c8da0d7ba6f8e420d17eb5fe92aca78

Download Submit
\Program Files (x86)\Easy GIF Animator\libeay32.dll

Filesize
1.3MB

MD5
075b70241383faefb0fe44d07090eaf0

SHA1
ba59b7df027bfc04f3add8c08bc408a927acc32a

SHA256
e886954dda4cecdf16fdf8c45d5062692c2051dac2b0f4a8e288480ff9b99b61

SHA512
aade3d10d2d956f5f1742695f01f969d8476cae078d4caacb20f6e63ccdee6c14f5e8c5a5ffbee63f23d1deff3db24b414a445b88e8c73038d7e7a66dcce9c95

Download Submit
\Program Files (x86)\Easy GIF Animator\ssleay32.dll

Filesize
329KB

MD5
1eb4662d9344702823efccf6d071f5ad

SHA1
89cfd8e7905455f2d2c800e969a0658f935ff937

SHA256
c4dbed05760a52833d8d714686ee48efbec44b182d354a9ae8942768a9a19cd2

SHA512
a565270d76a3062467cf024f7143bf85456980b170e982082646a8c8365f62ab4120b742f409f253e99443ff0bd7e322312dcfc6dc100849179c64306db2feb2

Download Submit
\Program Files (x86)\Easy GIF Animator\unins000.exe

Filesize
708KB

MD5
d9eccbd6ea6f446e71f8450689710ca4

SHA1
c3159d1ead044fea09aa66baf2ce3061d2c4b121

SHA256
1b3be8c4bf66724cbb9e7e93470a440eb4b8c0ba564ea323ebb0381ef3f16945

SHA512
3d396a574825789e88dde7da72c63f627656b12d1db3d5b87206b3758eda61a398c92429324b3b21b3c14b3abb2ae8cf571f90790b372f54431b89f1eec6a528

Download Submit
\Users\Admin\AppData\Local\Temp\is-SL35A.tmp\egifan7.tmp

Filesize
697KB

MD5
832dab307e54aa08f4b6cdd9b9720361

SHA1
ebd007fb7482040ecf34339e4bf917209c1018df

SHA256
cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3

SHA512
358d43522fd460eb1511708e4df22ea454a95e5bc3c4841931027b5fa3fb1dda05d496d8ad0a8b9279b99e6be74220fe243db8f08ef49845e9fb35c350ef4b49

Download Submit
memory/1144-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1144-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/1144-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1144-471-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1300-477-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/1300-472-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/1300-478-0x000000000A450000-0x000000000A452000-memory.dmp

Filesize
8KB

Download
memory/1300-479-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/1300-480-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/1300-481-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/1300-482-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/1300-483-0x0000000000400000-0x0000000002D53000-memory.dmp

Filesize
41.3MB

Download
memory/2388-470-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2388-12-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2388-8-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download