Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 19:31
Static task
static1

Behavioral tasks
Task          Sample                                                                    Resource
behavioral1   2fc040143ffdf72ebff222147e437b59309325b89479f50f0d8fad6afbc5c25c.exe     win7-20240903-en
behavioral2   2fc040143ffdf72ebff222147e437b59309325b89479f50f0d8fad6afbc5c25c.exe     win10v2004-20240802-en
behavioral3   $PLUGINSDIR/BrandingURL.dll                                               win7-20240704-en
behavioral4   $PLUGINSDIR/BrandingURL.dll                                               win10v2004-20240802-en
behavioral5   $PLUGINSDIR/EULA.rtf                                                      win7-20240903-en
behavioral6   $PLUGINSDIR/EULA.rtf                                                      win10v2004-20240802-en
behavioral7   $PLUGINSDIR/InstallOptions.dll                                            win7-20240903-en
behavioral8   $PLUGINSDIR/InstallOptions.dll                                            win10v2004-20240802-en
behavioral9   $PLUGINSDIR/NSISdl.dll                                                    win7-20240708-en
behavioral10  $PLUGINSDIR/NSISdl.dll                                                    win10v2004-20240802-en
behavioral11  $PLUGINSDIR/System.dll                                                    win7-20240903-en
behavioral12  $PLUGINSDIR/System.dll                                                    win10v2004-20240802-en
behavioral13  $PLUGINSDIR/ZipDLL.dll                                                    win7-20240729-en
behavioral14  $PLUGINSDIR/ZipDLL.dll                                                    win10v2004-20240802-en
behavioral15  $PLUGINSDIR/inetc.dll                                                     win7-20240903-en
behavioral16  $PLUGINSDIR/inetc.dll                                                     win10v2004-20240802-en
behavioral17  $PLUGINSDIR/nsDialogs.dll                                                 win7-20240903-en
behavioral18  $PLUGINSDIR/nsDialogs.dll                                                 win10v2004-20240802-en
behavioral19  $PLUGINSDIR/nsExec.dll                                                    win7-20240903-en
behavioral20  $PLUGINSDIR/nsExec.dll                                                    win10v2004-20240802-en
behavioral21  $PLUGINSDIR/xml.dll                                                       win7-20240708-en
behavioral22  $PLUGINSDIR/xml.dll                                                       win10v2004-20240802-en
behavioral23  $TEMP/scenic-surfsup-screensaver.exe                                      win7-20240704-en
behavioral24  $TEMP/scenic-surfsup-screensaver.exe                                      win10v2004-20240802-en
General
Target: $TEMP/scenic-surfsup-screensaver.exe
Size: 1.5MB
MD5: 4aa39620ed7d3069a6642d3cea044c7c
SHA1: ce278c857e39c8df0374f4d75aee707c2a272294
SHA256: 90f339fe11994eaea3c3e8d83c83240ea0357b257852b17007c008322ec4c2d1
SHA512: 8781282699293330d79b017c29e7bdaa5614974376bd6d5b1dd0c126e55ff16a6268e32d3549b12813b0c61b77e6a14246eef6f5cf4d98c68ba418f0e8f4cf51
SSDEEP: 49152:xyYQZuTWblogtmDRaCh2liWoWu8DBGOYcQ6N1:xyYQnGWgRKUCJYGN1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  948   Scenic- Surf's up.scr

Loads dropped DLL (2 IoCs)
  pid   Process
  2732  scenic-surfsup-screensaver.exe
  948   Scenic- Surf's up.scr

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (2 IoCs)
  description                   ioc                                                      Process
  File created                  C:\Windows\SysWOW64\Macromed\Flash\flash8.ocx            scenic-surfsup-screensaver.exe
  File opened for modification  C:\Windows\SysWOW64\Macromed\Flash\flash8.ocx            scenic-surfsup-screensaver.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                                      Process
  File created                  C:\Program Files (x86)\Scenic- Surf's up\Uninstall.exe   scenic-surfsup-screensaver.exe
  File opened for modification  C:\Program Files (x86)\Scenic- Surf's up\Uninstall.ini   scenic-surfsup-screensaver.exe

Drops file in Windows directory (1 IoC)
  description                   ioc                                                      Process
  File created                  C:\Windows\Scenic- Surf's up.scr                         scenic-surfsup-screensaver.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Scenic- Surf's up.scr
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   scenic-surfsup-screensaver.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                       Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0          Scenic- Surf's up.scr
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz     Scenic- Surf's up.scr
Modifies Control Panel (6 IoCs)
  description      ioc                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"              rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Appearance\Schemes                            rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SCENIC~1.SCR"  scenic-surfsup-screensaver.exe
  Key created      \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop                                       rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SCENIC~1.SCR"  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveActive = "1"                rundll32.exe
Modifies registry class 64 IoCs
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2732  scenic-surfsup-screensaver.exe
  2732  scenic-surfsup-screensaver.exe
  948   Scenic- Surf's up.scr
  948   Scenic- Surf's up.scr
Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                          procid_target
  PID 2732 wrote to memory of 2856   2732  scenic-surfsup-screensaver.exe   30
  PID 2732 wrote to memory of 2856   2732  scenic-surfsup-screensaver.exe   30
  PID 2732 wrote to memory of 2856   2732  scenic-surfsup-screensaver.exe   30
  PID 2732 wrote to memory of 2856   2732  scenic-surfsup-screensaver.exe   30
  PID 2732 wrote to memory of 2856   2732  scenic-surfsup-screensaver.exe   30
  PID 2732 wrote to memory of 2856   2732  scenic-surfsup-screensaver.exe   30
  PID 2732 wrote to memory of 2856   2732  scenic-surfsup-screensaver.exe   30
  PID 2856 wrote to memory of 948    2856  rundll32.exe                     31
  PID 2856 wrote to memory of 948    2856  rundll32.exe                     31
  PID 2856 wrote to memory of 948    2856  rundll32.exe                     31
  PID 2856 wrote to memory of 948    2856  rundll32.exe                     31
  PID 2856 wrote to memory of 948    2856  rundll32.exe                     31
  PID 2856 wrote to memory of 948    2856  rundll32.exe                     31
  PID 2856 wrote to memory of 948    2856  rundll32.exe                     31
Processes
1. C:\Users\Admin\AppData\Local\Temp\$TEMP\scenic-surfsup-screensaver.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\scenic-surfsup-screensaver.exe"
   PID: 2732
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2732)
      Command line: "C:\Windows\System32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\Scenic- Surf's up.scr
      PID: 2856
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Scenic- Surf's up.scr (child of PID 2856)
         Command line: "C:\Windows\Scenic- Surf's up.scr" /p 393752
         PID: 948
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Checks processor information in registry
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads