Analysis
-
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 14-09-2024 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: b1abf4371741cd524184b57a83bd79d0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b1abf4371741cd524184b57a83bd79d0N.exe
  Resource: win10v2004-20240802-en
General
-
Target: b1abf4371741cd524184b57a83bd79d0N.exe
Size: 1.2MB
MD5: b1abf4371741cd524184b57a83bd79d0
SHA1: b03cf124a8a2449673b1dae23cfe872ac60512f3
SHA256: bd9681b94c7678dc0d26814705ec565b03d73ff301f82267a495161ff36f8e55
SHA512: 1a2b1eb53cdf910509cf4f4e392428f3afdef3bfcc69aa44ef5235e91725636ef23ca38ab0fda17ad6a4bfe1573deac8f7bc438d9fe6cadd57691af2287d3f44
SSDEEP: 24576:RrG5gX9qqY7tl96R7XRe05OkhCOJDLonUc98hJNDpevFDsz5tJrPkMRGJ/qofN:RZtRY73yXReE4m8nR98PVpeszj01qg
Malware Config
Signatures
-
Detects Floxif payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0005000000010300-2.dat | floxif
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
behavioral1/files/0x0005000000010300-2.dat | acprotect
Drops startup file 1 IoCs
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk | E37CC5.EXE
Executes dropped EXE 1 IoCs
Processes:
pid | Process
2768 | E37CC5.EXE
Loads dropped DLL 24 IoCs
Processes:
pid | Process
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2848 | arp.exe
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2732 | explorer.exe
2604 | arp.exe
2772 | arp.exe
2872 | arp.exe
2756 | arp.exe
2764 | arp.exe
2684 | arp.exe
2616 | arp.exe
2580 | arp.exe
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
Processes:
resource | yara_rule
behavioral1/memory/2116-4-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/files/0x0005000000010300-2.dat | upx
behavioral1/memory/2848-8-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2848-21-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2604-25-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2732-24-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2616-43-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2684-51-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2580-50-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2756-46-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2764-42-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2684-41-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2580-40-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2756-33-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2604-32-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2872-31-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2772-29-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2732-90-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2116-106-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2768-105-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2116-134-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2768-142-0x0000000010000000-0x0000000010033000-memory.dmp | upx
behavioral1/memory/2768-145-0x0000000010000000-0x0000000010033000-memory.dmp | upx
Processes:
pid | Process
2580 | arp.exe
2684 | arp.exe
2872 | arp.exe
2764 | arp.exe
2616 | arp.exe
2756 | arp.exe
2604 | arp.exe
2772 | arp.exe
2848 | arp.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | \??\PhysicalDrive0 | E37CC5.EXE
Drops file in System32 directory 34 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\SysWOW64\C021A2\3c8c.EDT | E37CC5.EXE
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.EDT | E37CC5.EXE
File opened for modification | C:\Windows\SysWOW64\9E3B3C\dp1.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\C021A2\3c8c.inf | E37CC5.EXE
File created | C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\dp1.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\krnln.fnr | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\com.run | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\eAPI.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\shell.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\internet.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\RegEx.fnr | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.edt | E37CC5.EXE
File created | C:\Windows\SysWOW64\9E3B3C\cnvpe.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\cnvpe.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\com.run | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\internet.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\spec.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\EE37CC | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\eAPI.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\1A2F16 | E37CC5.EXE
File created | C:\Windows\SysWOW64\9E3B3C\RegEx.fnr | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\C021A2 | E37CC5.EXE
File opened for modification | C:\Windows\SysWOW64\C021A2\119e.inf | E37CC5.EXE
File opened for modification | C:\Windows\SysWOW64\C021A2\3c8c.inf | E37CC5.EXE
File opened for modification | C:\Windows\SysWOW64\9E3B3C | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\shell.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\spec_a.fne | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | b1abf4371741cd524184b57a83bd79d0N.exe
File opened for modification | C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\C021A2\119e.inf | E37CC5.EXE
File opened for modification | C:\Windows\SysWOW64\9E3B3C\krnln.fnr | b1abf4371741cd524184b57a83bd79d0N.exe
File created | C:\Windows\SysWOW64\9E3B3C\spec.fne | b1abf4371741cd524184b57a83bd79d0N.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | Process
File created | C:\Program Files\Common Files\System\symsrv.dll | b1abf4371741cd524184b57a83bd79d0N.exe
File created | \??\c:\progra~1\common~1\system\symsrv.dll.000 | E37CC5.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b1abf4371741cd524184b57a83bd79d0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | E37CC5.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | arp.exe
Processes:
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TypedURLs | E37CC5.EXE
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | E37CC5.EXE
Modifies registry class 21 IoCs
Processes:
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe
Token: SeDebugPrivilege | 2848 | arp.exe
Token: SeDebugPrivilege | 2732 | explorer.exe
Token: SeDebugPrivilege | 2872 | arp.exe
Token: SeDebugPrivilege | 2604 | arp.exe
Token: SeDebugPrivilege | 2764 | arp.exe
Token: SeDebugPrivilege | 2684 | arp.exe
Token: SeDebugPrivilege | 2768 | E37CC5.EXE
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid | Process
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2116 | b1abf4371741cd524184b57a83bd79d0N.exe
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
2768 | E37CC5.EXE
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
description | pid | Process | procid_target
PID 2116 wrote to memory of 2848 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 30
PID 2116 wrote to memory of 2848 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 30
PID 2116 wrote to memory of 2848 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 30
PID 2116 wrote to memory of 2848 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 30
PID 2116 wrote to memory of 2872 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 32
PID 2116 wrote to memory of 2872 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 32
PID 2116 wrote to memory of 2872 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 32
PID 2116 wrote to memory of 2872 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 32
PID 2116 wrote to memory of 2772 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 34
PID 2116 wrote to memory of 2772 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 34
PID 2116 wrote to memory of 2772 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 34
PID 2116 wrote to memory of 2772 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 34
PID 2116 wrote to memory of 2732 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 33
PID 2116 wrote to memory of 2732 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 33
PID 2116 wrote to memory of 2732 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 33
PID 2116 wrote to memory of 2732 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 33
PID 2116 wrote to memory of 2604 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 35
PID 2116 wrote to memory of 2604 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 35
PID 2116 wrote to memory of 2604 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 35
PID 2116 wrote to memory of 2604 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 35
PID 2116 wrote to memory of 2756 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 36
PID 2116 wrote to memory of 2756 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 36
PID 2116 wrote to memory of 2756 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 36
PID 2116 wrote to memory of 2756 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 36
PID 2116 wrote to memory of 2764 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 38
PID 2116 wrote to memory of 2764 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 38
PID 2116 wrote to memory of 2764 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 38
PID 2116 wrote to memory of 2764 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 38
PID 2116 wrote to memory of 2616 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 42
PID 2116 wrote to memory of 2616 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 42
PID 2116 wrote to memory of 2616 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 42
PID 2116 wrote to memory of 2616 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 42
PID 2116 wrote to memory of 2684 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 43
PID 2116 wrote to memory of 2684 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 43
PID 2116 wrote to memory of 2684 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 43
PID 2116 wrote to memory of 2684 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 43
PID 2116 wrote to memory of 2580 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 44
PID 2116 wrote to memory of 2580 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 44
PID 2116 wrote to memory of 2580 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 44
PID 2116 wrote to memory of 2580 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 44
PID 2116 wrote to memory of 2768 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 50
PID 2116 wrote to memory of 2768 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 50
PID 2116 wrote to memory of 2768 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 50
PID 2116 wrote to memory of 2768 | 2116 | b1abf4371741cd524184b57a83bd79d0N.exe | 50
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -a
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 10.127.0.1 32-94-58-5b-be-e1
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
C:\Windows\SysWOW64\explorer.exe (level 2)
Command line: explorer C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 10.127.255.255 83-93-bf-05-21-97
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2772
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 49.12.169.207 4a-7c-d1-cd-eb-21
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 224.0.0.22 1a-c7-a0-45-d6-9e
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2756
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 224.0.0.251 cf-58-61-4d-46-7a
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 224.0.0.252 25-76-ea-16-75-88
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2616
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 239.255.255.250 45-cc-8e-55-8a-d2
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
C:\Windows\SysWOW64\arp.exe (level 2)
Command line: arp -s 255.255.255.255 c5-39-fa-d2-99-70
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2580
-
-
C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE (level 2)
Command line: C:\Windows\system32\9E3B3C\E37CC5.EXE
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Windows\explorer.exe (level 1)
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
PID:2000
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
111KB
MD5: e2b86e9a37fe4f85bbf0d08af28690a2
SHA1: d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256: b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512: 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082
-
Filesize
56KB
MD5: fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1: d93676c39ad0181dad70a662c41fc4c280cce848
SHA256: bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512: e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749
-
Filesize
260KB
MD5: ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1: b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256: eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512: d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063
-
Filesize
312KB
MD5: 936745bac5c873ab1a91478d27894626
SHA1: 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256: edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512: 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4
-
Filesize
71KB
MD5: 4fcd7574537cebec8e75b4e646996643
SHA1: efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256: 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512: 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e
-
Filesize
112KB
MD5: 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1: 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256: fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512: 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04
-
Filesize
1.1MB
MD5: cf46bb62a1ba559ceb0fad7a5d642f28
SHA1: 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256: fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512: 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058
-
Filesize
40KB
MD5: d54753e7fc3ea03aec0181447969c0e8
SHA1: 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256: 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512: c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f