Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
14-09-2024 04:11
Static task
static1
Behavioral task
behavioral1
Sample
a49fec56698a9c7603bfc46649f4b660N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a49fec56698a9c7603bfc46649f4b660N.exe
Resource
win10v2004-20240802-en
General
-
Target
a49fec56698a9c7603bfc46649f4b660N.exe
-
Size
1.2MB
-
MD5
a49fec56698a9c7603bfc46649f4b660
-
SHA1
7015feb7583ea07e58e808223d3bcfc7cf152ab3
-
SHA256
9873a13792db67e79bf4a8c7bec3794ddf285089d330cfe7532256963fb64f5f
-
SHA512
004abd263a66b3a05e40850fd1c69825ffabfabb3270eeab6c5c0a8a2dbf53129e416e460c3ad66959fa975442b40e409158e0f74e0920fd8195f818d2eb93c8
-
SSDEEP
24576:FrG5gX9qqY7tl96R7XRe05OkhCOJDLonUc98hJNDpevFDsz5tJrPkMRGJ/qofr:FZtRY73yXReE4m8nR98PVpeszj01qi
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
Processes:
resource: behavioral1/files/0x0007000000012117-2.dat, yara_rule: floxif
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource: behavioral1/files/0x0007000000012117-2.dat, yara_rule: acprotect
-
Drops startup file 1 IoCs
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk (E37CC5.EXE)
-
Executes dropped EXE 1 IoCs
Processes:
PID 2844 E37CC5.EXE
-
Loads dropped DLL 24 IoCs
Processes:
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2788 arp.exe
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2772 arp.exe
PID 2884 arp.exe
PID 2856 explorer.exe
PID 2760 arp.exe
PID 2544 arp.exe
PID 2664 arp.exe
PID 2556 arp.exe
PID 2620 arp.exe
PID 2768 arp.exe
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
-
Processes:
resource (yara_rule: upx for every entry below):
behavioral1/files/0x0007000000012117-2.dat
behavioral1/memory/2112-4-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2788-8-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2788-16-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2884-24-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2772-23-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2760-28-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2664-32-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2544-30-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2556-35-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2768-40-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2620-38-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2112-37-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2856-27-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2772-65-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2884-67-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2664-93-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2844-107-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2856-110-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2544-106-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2760-100-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2768-99-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2556-87-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2620-98-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2112-144-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2844-146-0x0000000010000000-0x0000000010033000-memory.dmp
behavioral1/memory/2844-149-0x0000000010000000-0x0000000010033000-memory.dmp
-
Processes:
PID 2772 arp.exe
PID 2884 arp.exe
PID 2556 arp.exe
PID 2788 arp.exe
PID 2760 arp.exe
PID 2544 arp.exe
PID 2620 arp.exe
PID 2664 arp.exe
PID 2768 arp.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
File opened for modification: \??\PhysicalDrive0 (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: \??\PhysicalDrive0 (E37CC5.EXE)
-
Drops file in System32 directory 34 IoCs
Processes:
File opened for modification: C:\Windows\SysWOW64\C021A2\119e.inf (E37CC5.EXE)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\cnvpe.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\krnln.fnr (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\shell.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\internet.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\spec.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\C021A2\119e.inf (E37CC5.EXE)
File opened for modification: C:\Windows\SysWOW64\C021A2\3c8c.edt (E37CC5.EXE)
File opened for modification: C:\Windows\SysWOW64\EE37CC (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\shell.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\RegEx.fnr (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\C021A2 (E37CC5.EXE)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\dp1.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\com.run (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\eAPI.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\C021A2\3c8c.EDT (E37CC5.EXE)
File created: C:\Windows\SysWOW64\9E3B3C\spec.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\spec_a.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\C021A2\3c8c.EDT (E37CC5.EXE)
File created: C:\Windows\SysWOW64\9E3B3C\cnvpe.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\com.run (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\RegEx.fnr (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\dp1.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: C:\Windows\SysWOW64\9E3B3C\eAPI.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\9E3B3C\internet.fne (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\1A2F16 (E37CC5.EXE)
File created: C:\Windows\SysWOW64\C021A2\3c8c.inf (E37CC5.EXE)
File created: C:\Windows\SysWOW64\9E3B3C\krnln.fnr (a49fec56698a9c7603bfc46649f4b660N.exe)
File opened for modification: C:\Windows\SysWOW64\C021A2\3c8c.inf (E37CC5.EXE)
-
Drops file in Program Files directory 2 IoCs
Processes:
File created: C:\Program Files\Common Files\System\symsrv.dll (a49fec56698a9c7603bfc46649f4b660N.exe)
File created: \??\c:\progra~1\common~1\system\symsrv.dll.000 (E37CC5.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (E37CC5.EXE)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a49fec56698a9c7603bfc46649f4b660N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (arp.exe)
-
Processes:
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main (E37CC5.EXE)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
Key deleted: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TypedURLs (E37CC5.EXE)
-
Modifies registry class 21 IoCs
Processes:
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 (explorer.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 (explorer.exe)
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
PID 2844 E37CC5.EXE
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
Token SeDebugPrivilege: PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
Token SeDebugPrivilege: PID 2788 arp.exe
Token SeDebugPrivilege: PID 2772 arp.exe
Token SeDebugPrivilege: PID 2884 arp.exe
Token SeDebugPrivilege: PID 2760 arp.exe
Token SeDebugPrivilege: PID 2544 arp.exe
Token SeDebugPrivilege: PID 2664 arp.exe
Token SeDebugPrivilege: PID 2556 arp.exe
Token SeDebugPrivilege: PID 2768 arp.exe
Token SeDebugPrivilege: PID 2620 arp.exe
Token SeDebugPrivilege: PID 2856 explorer.exe
Token SeDebugPrivilege: PID 2844 E37CC5.EXE
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
PID 2844 E37CC5.EXE
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
Source process in every entry: PID 2112 a49fec56698a9c7603bfc46649f4b660N.exe. Each target appears four times in the original report.
PID 2112 wrote to memory of PID 2788 (procid_target 30), 4 entries
PID 2112 wrote to memory of PID 2772 (procid_target 32), 4 entries
PID 2112 wrote to memory of PID 2760 (procid_target 33), 4 entries
PID 2112 wrote to memory of PID 2884 (procid_target 35), 4 entries
PID 2112 wrote to memory of PID 2768 (procid_target 38), 4 entries
PID 2112 wrote to memory of PID 2664 (procid_target 40), 4 entries
PID 2112 wrote to memory of PID 2544 (procid_target 41), 4 entries
PID 2112 wrote to memory of PID 2856 (procid_target 36), 4 entries
PID 2112 wrote to memory of PID 2556 (procid_target 42), 4 entries
PID 2112 wrote to memory of PID 2620 (procid_target 45), 4 entries
PID 2112 wrote to memory of PID 2844 (procid_target 50), 4 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N.exe" (level 1)
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\arp.exe
Command line: arp -a (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 10.127.0.1 69-6d-c4-04-fc-4a (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 10.127.255.255 d2-5d-78-a7-6a-7a (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 49.12.169.208 46-84-07-b1-41-74 (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
-
C:\Windows\SysWOW64\explorer.exe
Command line: explorer C:\Users\Admin\AppData\Local\Temp\a49fec56698a9c7603bfc46649f4b660N (level 2)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 224.0.0.22 8e-d7-60-be-ab-44 (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 224.0.0.251 7c-3b-7f-7e-f9-86 (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 224.0.0.252 83-24-0a-04-62-4a (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 239.255.255.250 54-8c-2a-fc-6f-cd (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\SysWOW64\arp.exe
Command line: arp -s 255.255.255.255 50-f6-b5-c9-70-24 (level 2)
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
Command line: C:\Windows\system32\9E3B3C\E37CC5.EXE (level 2)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding (level 1)
- Modifies Internet Explorer settings
- Modifies registry class
PID:896
Network
MITRE ATT&CK Enterprise v15
Downloads