Analysis
Max time kernel: 111s
Max time network: 98s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-09-2024 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: b1abf4371741cd524184b57a83bd79d0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b1abf4371741cd524184b57a83bd79d0N.exe
  Resource: win10v2004-20240802-en
The signatures, process tree and dropped files below are from behavioral2 (the Windows 10 run); every yara resource is prefixed behavioral2/.
General
Target: b1abf4371741cd524184b57a83bd79d0N.exe
Size: 1.2MB
MD5: b1abf4371741cd524184b57a83bd79d0
SHA1: b03cf124a8a2449673b1dae23cfe872ac60512f3
SHA256: bd9681b94c7678dc0d26814705ec565b03d73ff301f82267a495161ff36f8e55
SHA512: 1a2b1eb53cdf910509cf4f4e392428f3afdef3bfcc69aa44ef5235e91725636ef23ca38ab0fda17ad6a4bfe1573deac8f7bc438d9fe6cadd57691af2287d3f44
SSDEEP: 24576:RrG5gX9qqY7tl96R7XRe05OkhCOJDLonUc98hJNDpevFDsz5tJrPkMRGJ/qofN:RZtRY73yXReE4m8nR98PVpeszj01qg
Malware Config
Signatures
Detects Floxif payload 1 IoCs
Processes:
  resource  yara_rule
  behavioral2/files/0x00090000000233d4-2.dat  floxif
Event Triggered Execution: AppInit DLLs 1 TTPs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
ACProtect 1.3x - 1.4x DLL software 1 IoCs
  Detects file using ACProtect software.
Processes:
  resource  yara_rule
  behavioral2/files/0x00090000000233d4-2.dat  acprotect
Drops startup file 1 IoCs
Processes:
  description  ioc  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk  E37CC5.EXE
Executes dropped EXE 1 IoCs
Processes:
  pid  Process
  3900  E37CC5.EXE
Loads dropped DLL 21 IoCs
Processes:
  pid  Process
  1844  b1abf4371741cd524184b57a83bd79d0N.exe  (3 entries)
  4780  explorer.exe  (1 entry)
  1844  b1abf4371741cd524184b57a83bd79d0N.exe  (6 entries)
  3900  E37CC5.EXE  (11 entries)
UPX packed file 7 IoCs
Processes:
  resource  yara_rule
  behavioral2/files/0x00090000000233d4-2.dat  upx
  behavioral2/memory/1844-3-0x0000000010000000-0x0000000010033000-memory.dmp  upx
  behavioral2/memory/4780-23-0x0000000010000000-0x0000000010033000-memory.dmp  upx
  behavioral2/memory/3900-82-0x0000000010000000-0x0000000010033000-memory.dmp  upx
  behavioral2/memory/4780-89-0x0000000010000000-0x0000000010033000-memory.dmp  upx
  behavioral2/memory/1844-122-0x0000000010000000-0x0000000010033000-memory.dmp  upx
  behavioral2/memory/3900-126-0x0000000010000000-0x0000000010033000-memory.dmp  upx
  The same 0x10000000-0x10033000 region is hit in all three processes (1844, 4780, 3900); 0x10000000 is the default image base for DLLs without ASLR, consistent with the dropped packed DLL being mapped into each of them.
Network Service Discovery 9 IoCs
Processes:
  pid  Process
  4792  arp.exe
  2184  arp.exe
  5092  arp.exe
  3384  arp.exe
  4868  arp.exe
  1192  arp.exe
  3968  arp.exe
  4628  arp.exe
  2724  arp.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description  ioc  Process
  File opened for modification  \??\PhysicalDrive0  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
  The rule keys on the raw-disk handle being opened for write; the report does not record the bytes written, so whether sector 0 was actually overwritten is not established here and should be confirmed by dumping the first sector from the sandbox disk image.
Drops file in System32 directory 34 IoCs
Processes:
  description  ioc  Process
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\krnln.fnr  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\RegEx.fnr  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\internet.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\1A2F16  E37CC5.EXE
  File created  C:\Windows\SysWOW64\9E3B3C\dp1.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\dp1.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\RegEx.fnr  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\C021A2  E37CC5.EXE
  File created  C:\Windows\SysWOW64\C021A2\119e.inf  E37CC5.EXE
  File opened for modification  C:\Windows\SysWOW64\C021A2\3c8c.edt  E37CC5.EXE
  File created  C:\Windows\SysWOW64\9E3B3C\cnvpe.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\EE37CC\7CC5ADE1.TXT  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\internet.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\EE37CC  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\com.run  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\C021A2\3c8c.inf  E37CC5.EXE
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\eAPI.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\spec_a.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\C021A2\119e.inf  E37CC5.EXE
  File created  C:\Windows\SysWOW64\C021A2\3c8c.inf  E37CC5.EXE
  File created  C:\Windows\SysWOW64\9E3B3C\eAPI.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\krnln.fnr  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\spec.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\C021A2\3c8c.EDT  E37CC5.EXE
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\cnvpe.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\shell.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File opened for modification  C:\Windows\SysWOW64\9E3B3C\shell.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\com.run  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\9E3B3C\spec.fne  b1abf4371741cd524184b57a83bd79d0N.exe
  File created  C:\Windows\SysWOW64\C021A2\3c8c.EDT  E37CC5.EXE
Drops file in Program Files directory 1 IoCs
Processes:
  description  ioc  Process
  File created  C:\Program Files\Common Files\System\symsrv.dll  b1abf4371741cd524184b57a83bd79d0N.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe  (3 entries)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe  (3 entries)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b1abf4371741cd524184b57a83bd79d0N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  arp.exe  (3 entries)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  E37CC5.EXE
  arp.exe and explorer.exe are Windows binaries that read NLS\Language as part of normal startup, so ten of the twelve rows are noise; only the sample (1844) and E37CC5.EXE (3900) rows are attributable to the malware itself.
Modifies Internet Explorer settings 5 IoCs
Processes:
explorer.exeE37CC5.EXEdescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key deleted \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs E37CC5.EXE Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies registry class 23 IoCs
Processes:
  description  ioc  Process
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02  explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0  explorer.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"  explorer.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  explorer.exe
  Every row is written by explorer.exe (PID 3200) under Shell\BagMRU and Shell\Bags, i.e. the Explorer shell recording folder-view state (ShellBags) after the sample launched it; on its own this signature says little about the malware.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid  Process
  3200  explorer.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid  Process
  656  (process name not recorded)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description  pid  Process
  Token: SeDebugPrivilege  1844  b1abf4371741cd524184b57a83bd79d0N.exe
  Token: SeDebugPrivilege  4780  explorer.exe
  Token: SeDebugPrivilege  3900  E37CC5.EXE
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
  pid  Process
  1844  b1abf4371741cd524184b57a83bd79d0N.exe  (2 entries)
  3900  E37CC5.EXE  (6 entries)
  3200  explorer.exe  (2 entries)
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
  description  pid  Process  procid_target
  PID 1844 wrote to memory of 2184  1844  b1abf4371741cd524184b57a83bd79d0N.exe  83  (3 entries)
  PID 1844 wrote to memory of 4792  1844  b1abf4371741cd524184b57a83bd79d0N.exe  85  (3 entries)
  PID 1844 wrote to memory of 4868  1844  b1abf4371741cd524184b57a83bd79d0N.exe  86  (3 entries)
  PID 1844 wrote to memory of 3384  1844  b1abf4371741cd524184b57a83bd79d0N.exe  87  (3 entries)
  PID 1844 wrote to memory of 5092  1844  b1abf4371741cd524184b57a83bd79d0N.exe  88  (3 entries)
  PID 1844 wrote to memory of 3968  1844  b1abf4371741cd524184b57a83bd79d0N.exe  89  (3 entries)
  PID 1844 wrote to memory of 1192  1844  b1abf4371741cd524184b57a83bd79d0N.exe  90  (3 entries)
  PID 1844 wrote to memory of 2724  1844  b1abf4371741cd524184b57a83bd79d0N.exe  91  (3 entries)
  PID 1844 wrote to memory of 4628  1844  b1abf4371741cd524184b57a83bd79d0N.exe  92  (3 entries)
  PID 1844 wrote to memory of 4780  1844  b1abf4371741cd524184b57a83bd79d0N.exe  101  (3 entries)
  PID 1844 wrote to memory of 3900  1844  b1abf4371741cd524184b57a83bd79d0N.exe  103  (3 entries)
Processes (child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe"
  PID: 1844
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -a
    PID: 2184
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 10.127.0.1 5a-eb-a3-5a-86-dd
    PID: 4792
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 10.127.255.255 fe-bf-2b-01-a1-27
    PID: 4868
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 136.243.76.21 71-75-93-87-9c-c3
    PID: 3384
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 224.0.0.22 25-2e-47-be-6e-83
    PID: 5092
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 224.0.0.251 88-f9-6a-a9-82-ac
    PID: 3968
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 224.0.0.252 2d-4a-2d-8d-e0-18
    PID: 1192
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 239.255.255.250 61-f0-51-98-6d-43
    PID: 2724
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\arp.exe
    Command line: arp -s 255.255.255.255 87-d1-6c-a2-36-0f
    PID: 4628
    - Network Service Discovery
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\explorer.exe
    Command line: explorer C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N
    PID: 4780
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE
    Command line: C:\Windows\system32\9E3B3C\E37CC5.EXE
    PID: 3900
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 3200
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
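The process tree gives the whole behaviour chain in one place: the sample pins eight static ARP entries through arp.exe (the subnet's .1 and .255 addresses, one external host, the IGMP/mDNS/LLMNR/SSDP multicast groups and the limited broadcast address), drops a set of .fne/.fnr runtime files (the extensions used by the Easy Programming Language runtime, krnln.fnr among them) plus E37CC5.EXE into a six-hex-character directory under SysWOW64, writes symsrv.dll into Common Files\System, and the dropped EXE then opens \??\PhysicalDrive0 and plants a Startup .lnk. The Python below is an added example written for this page, not sandbox output or any vendor's detection code. It encodes those behaviours as rules and runs them over constructed Sysmon-like event records built from the tree and the file tables above; the event shape and field names, the parent PID 900 and the timestamps are assumptions, and since Sysmon has no raw-disk event the PhysicalDrive0 open is modelled as a file event. The rules deliberately generalise past this sample: any parent issuing three or more `arp -s` within a minute, any executable or runtime module dropped into a hex-named SysWOW64 directory, any Startup-folder .lnk and any PhysicalDrive open are flagged.

```python
"""Detection rules for the behaviour chain shown in this report, run over
constructed Sysmon-like events. Added example; not sandbox output."""
import re
from collections import defaultdict

# Constructed event records. Shape is an assumption (Sysmon-style: id 1 =
# process create, id 11 = file create); PIDs, images, command lines and
# paths are taken from the process tree and file tables above, while the
# parent PID 900 and the timestamps are invented.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\b1abf4371741cd524184b57a83bd79d0N.exe"
ARP = r"C:\Windows\SysWOW64\arp.exe"
ARP_CMDS = [
    (2184, "arp -a"),
    (4792, "arp -s 10.127.0.1 5a-eb-a3-5a-86-dd"),
    (4868, "arp -s 10.127.255.255 fe-bf-2b-01-a1-27"),
    (3384, "arp -s 136.243.76.21 71-75-93-87-9c-c3"),
    (5092, "arp -s 224.0.0.22 25-2e-47-be-6e-83"),
    (3968, "arp -s 224.0.0.251 88-f9-6a-a9-82-ac"),
    (1192, "arp -s 224.0.0.252 2d-4a-2d-8d-e0-18"),
    (2724, "arp -s 239.255.255.250 61-f0-51-98-6d-43"),
    (4628, "arp -s 255.255.255.255 87-d1-6c-a2-36-0f"),
]
EVENTS = [{"id": 1, "t": 0.0, "pid": 1844, "ppid": 900, "image": PARENT, "cmd": f'"{PARENT}"'}]
EVENTS += [{"id": 1, "t": 1.0 + i / 10, "pid": pid, "ppid": 1844, "image": ARP, "cmd": cmd}
           for i, (pid, cmd) in enumerate(ARP_CMDS)]
EVENTS += [
    {"id": 11, "t": 3.0, "pid": 1844, "path": r"C:\Windows\SysWOW64\9E3B3C\krnln.fnr"},
    {"id": 11, "t": 3.1, "pid": 1844, "path": r"C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE"},
    {"id": 11, "t": 3.2, "pid": 1844, "path": r"C:\Program Files\Common Files\System\symsrv.dll"},
    {"id": 1, "t": 4.0, "pid": 3900, "ppid": 1844, "image": r"C:\Windows\SysWOW64\9E3B3C\E37CC5.EXE",
     "cmd": r"C:\Windows\system32\9E3B3C\E37CC5.EXE"},
    {"id": 11, "t": 4.5, "pid": 3900,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E37CC5.lnk"},
    # Sysmon has no raw-disk event; the PhysicalDrive0 open is modelled as a
    # file event on the device path (assumption).
    {"id": 11, "t": 4.6, "pid": 3900, "path": r"\??\PhysicalDrive0"},
]

# Rule patterns. HEX_DIR_DROP generalises the 9E3B3C / EE37CC / C021A2 / 1A2F16
# directories seen in the report to any six-hex-character folder under SysWOW64.
ARP_STATIC = re.compile(r"^arp\s+-s\s+(\S+)\s+(\S+)", re.I)
HEX_DIR_DROP = re.compile(r"^C:\\Windows\\SysWOW64\\[0-9A-F]{6}\\[^\\]+\.(exe|dll|fne|fnr|run)$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
RAW_DISK = re.compile(r"PhysicalDrive\d+$", re.I)
SYMSRV_DROP = re.compile(r"^C:\\Program Files\\Common Files\\System\\symsrv\.dll$", re.I)


def detect(events, arp_threshold=3, window_s=60.0):
    """Return findings as dicts with at least 'rule' and 'pid'."""
    findings = []
    arp_by_parent = defaultdict(list)  # ppid -> [(t, pinned_ip)] in time order
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 1:
            m = ARP_STATIC.match(ev["cmd"])
            if m and ev["image"].lower().endswith("\\arp.exe"):
                arp_by_parent[ev["ppid"]].append((ev["t"], m.group(1)))
        elif ev["id"] == 11:
            p = ev["path"]
            if HEX_DIR_DROP.match(p):
                findings.append({"rule": "hex_dir_drop", "pid": ev["pid"], "path": p})
            if STARTUP_LNK.search(p):
                findings.append({"rule": "startup_lnk", "pid": ev["pid"], "path": p})
            if RAW_DISK.search(p):
                findings.append({"rule": "raw_disk", "pid": ev["pid"], "path": p})
            if SYMSRV_DROP.match(p):
                findings.append({"rule": "symsrv_drop", "pid": ev["pid"], "path": p})
    # Burst of static ARP pins from one parent: sliding window over the
    # time-ordered hits; one finding per parent for the first window that
    # reaches the threshold.
    for ppid, hits in arp_by_parent.items():
        for i in range(len(hits)):
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window_s:
                j += 1
            if j - i + 1 >= arp_threshold:
                findings.append({"rule": "arp_storm", "pid": ppid, "count": j - i + 1,
                                 "pinned": [ip for _, ip in hits[i:j + 1]]})
                break
    return findings


def rules_fired(events):
    """Sorted list of distinct rule names that fired on the events."""
    return sorted({f["rule"] for f in detect(events)})


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run it directly to print the findings for the constructed events. When pointing it at real telemetry, tune arp_threshold and window_s for the fleet: administrative scripts do pin ARP entries, but rarely eight of them within a second from an executable running out of a user's Temp folder, and the combination with a hex-named SysWOW64 drop directory is what makes the chain specific.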
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 71KB
MD5: 4fcd7574537cebec8e75b4e646996643
SHA1: efa59bb9050fb656b90d5d40c942fb2a304f2a8b
SHA256: 8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d
SHA512: 7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Filesize: 56KB
MD5: fb7ea6f8ae09fa7621ee13f86c4f2935
SHA1: d93676c39ad0181dad70a662c41fc4c280cce848
SHA256: bdc314d45af6a5afaed2663e63817902e80f9a18ba1965947c314b433e05bfb0
SHA512: e15111dda54bcab507c20e910f8257d2dec2830bfbc5f69e5286ce37cabb79237ce8fb1c813b2d82fa7bed0c2df89e2940ceebde358162553290224cf0866749

Filesize: 112KB
MD5: 6d4b2e73f6f8ecff02f19f7e8ef9a8c7
SHA1: 09c32ca167136a17fd69df8c525ea5ffeca6c534
SHA256: fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040
SHA512: 2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Filesize: 1.1MB
MD5: cf46bb62a1ba559ceb0fad7a5d642f28
SHA1: 80b63dd193e84bfacbe535587dd38471b8ea2c24
SHA256: fe4bba1a99b332c8bbd196d3a2f3c78d9edc8f212842ff2efef17eba38427f67
SHA512: 1f71f31fdc1ef7695d7a6e79218a9192804178bb2af80486de4f8ff3d7e176860813a61fa265bf78fe4ff722a85b72798938d715d8a2a034ac759505197a1058

Filesize: 40KB
MD5: d54753e7fc3ea03aec0181447969c0e8
SHA1: 824e7007b6569ae36f174c146ae1b7242f98f734
SHA256: 192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9
SHA512: c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Filesize: 111KB
MD5: e2b86e9a37fe4f85bbf0d08af28690a2
SHA1: d56b2d2a21cdf5661a17e32be5c71004eb558896
SHA256: b05ad065919cee4748075a182d681215c645c7cc3fdf9a06bfd18f7ebb067c91
SHA512: 6cb065b121f11ee2700b22dd1cf9c9f4d44808261cc9ff2fac36165f42291598b708fa2501264d5c0dfc3df71e7bd6a3d22f9fff70e23d064733e488d49ee082

Filesize: 260KB
MD5: ce2f773275d3fe8b78f4cf067d5e6a0f
SHA1: b7135e34d46eb4303147492d5cee5e1ef7b392ab
SHA256: eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d
SHA512: d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Filesize: 312KB
MD5: 936745bac5c873ab1a91478d27894626
SHA1: 9ed92393f95692339ce03a8f1498f80c727e0555
SHA256: edfbe514d330e942ecd50dd7331659d59df27668e762d5a00e43df67f5f08630
SHA512: 32d15337ab7a62ff25802c04bd782f5be36012f1a5251d962226a8e8e2daa7bc0a35b9cbfb67889d3b9dbc5f6cc51f924bae963ae12619249b22f2cc9aa2bbd4