2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Size

460KB
MD5

e2e9af35b9ce5c2f861ac3e79c2a42d0
SHA1

5ff7de0d33c7c954451901a3198088ee9807f0d7
SHA256

2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897
SHA512

8e0562191081bf680128e9cb23f95517f42f59526652a4f866a0482bf9cd38e35b8d48cb2ddb8757fd717531aa791977f3e334c63201f31e71b1931609c69447
SSDEEP

12288:HrRPiSpCSBb+M9cpRLkHhZJffbhzeo35c:L4Spniscpi3Bh3c

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 14 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\wdfmgr\wdfmgr.exe = "C:\\WINDOWS\\wdfmgr\\wdfmgr.exe:*:Enabled:wdfmgr.exe"	pxador.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\wdfmgr\packs.exe = "C:\\WINDOWS\\wdfmgr\\packs.exe:*:Enabled:packs.exe"	pxador.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlooks.exe = "C:\\WINDOWS\\Outlooks.exe:*:Enabled:Outlooks.exe"	pxador.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	pxador.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\wdfmgr\pxador.exe = "C:\\WINDOWS\\wdfmgr\\pxador.exe:*:Enabled:pxador.exe"	pxador.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\wdfmgr\pxador.exe = "C:\\WINDOWS\\wdfmgr\\pxador.exe:*:Enabled:pxador.exe"	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\wdfmgr\wdfmgr.exe = "C:\\WINDOWS\\wdfmgr\\wdfmgr.exe:*:Enabled:wdfmgr.exe"	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Outlooks.exe = "C:\\WINDOWS\\Outlooks.exe:*:Enabled:Outlooks.exe"	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\wdfmgr\packs.exe = "C:\\WINDOWS\\wdfmgr\\packs.exe:*:Enabled:packs.exe"	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\	pxador.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	pxador.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	pxador.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr.exe = "C:\\WINDOWS\\wdfmgr\\wdfmgr.exe"	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr.exe = "C:\\WINDOWS\\wdfmgr\\wdfmgr.exe"	pxador.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pxador.exe = "C:\\WINDOWS\\wdfmgr\\pxador.exe"	pxador.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pxador.exe = "C:\\WINDOWS\\wdfmgr\\pxador.exe"	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\wdfmgr\pxador.exe	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
File created	C:\WINDOWS\explo.bat	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
File created	C:\WINDOWS\wdfmgr\pxador.exe	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxador.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f035510000000002000000000010660000000100002000000087f7acea8f254723723e73284ec72301736a6ceb8e92dc9e321239cfc92673cf000000000e80000000020000200000009b522d0e19a8247efdb34debb954d14fc83056e8ec26da1c1369a8ee6b2332fc900000005a4bbd67465a161eff5a0c0ec5adad14a6eceb748b02c6b75f537c7d8df6fe5bf749ef1a735e3c0414463908991003ae301e865dc95274015dcd5c2e073a379b6dc1835d9a1ec5f140c0306ed0022451c77c9988d2f0949da0eb48d17fd010a3e05b83a17112aee082ae7e83c50c0e8e80a2a90376e4d0bf89981196a42f92c248194ce09f006b97ad38096e8c2c3d4a40000000e85dc37e1830ff5ab93198de5b106a7e1cba3688a4d80110ed27508b62d70c0c934c20b3af319f87e2de39beb36ebf3d4fa0b108f85b6a577243b15956747bd9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432956858"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000008a17ef37b3a3913431d9c643e4524ee15c7f372101ff7121652e7c9a2509c248000000000e80000000020000200000001f8d70572a2dbd9242531b5f9861a152791299ef8d9412f49bd077ab3752b4ff20000000429d61f2aeefbff7ce6e05ce57c416f5b01f9b9e70e24a013e8ff2ce5a5a130140000000682e1b3634d3057790be1657fe461b54bfcdc54eda8427fdd66434d6fabe335be726a8a0641e8653eaed3a576b5a82aa1d8d2c6bf5948fd0d0a2e0b74c8132c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F78797C1-76ED-11EF-9EEF-FA57F1690589} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f183e6fa0adb01	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2824	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	pxador.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	pxador.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2760	iexplore.exe
2760	iexplore.exe
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2712	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	30
PID 2360 wrote to memory of 2712	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	30
PID 2360 wrote to memory of 2712	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	30
PID 2360 wrote to memory of 2712	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	30
PID 2712 wrote to memory of 2824	2712	cmd.exe	32
PID 2712 wrote to memory of 2824	2712	cmd.exe	32
PID 2712 wrote to memory of 2824	2712	cmd.exe	32
PID 2712 wrote to memory of 2824	2712	cmd.exe	32
PID 2760 wrote to memory of 2908	2760	iexplore.exe	34
PID 2760 wrote to memory of 2908	2760	iexplore.exe	34
PID 2760 wrote to memory of 2908	2760	iexplore.exe	34
PID 2760 wrote to memory of 2908	2760	iexplore.exe	34
PID 2360 wrote to memory of 2600	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	35
PID 2360 wrote to memory of 2600	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	35
PID 2360 wrote to memory of 2600	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	35
PID 2360 wrote to memory of 2600	2360	2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe	35

C:\Users\Admin\AppData\Local\Temp\2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe
"C:\Users\Admin\AppData\Local\Temp\2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897N.exe"
1⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\WINDOWS\explo.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2824
- C:\WINDOWS\wdfmgr\pxador.exe
  C:\WINDOWS\wdfmgr\pxador.exe
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
916c10764e04567a493ada967dd2fd11

SHA1
508f02b7621d779785fc15766dd8377273f03cb9

SHA256
128167ff94ecad9907059c0cb9527fc413db4734ed8884bffd82260ff9dbf235

SHA512
85226503e61a4363da592bead3694fcb67493230a56bd06f990e3f09543e0e03e17799b9543244b5d38dc208a76a06400f80b553c17a4b2b1fdb4bcd84a76096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17551ee6be737910691f9a60cfc4eafd

SHA1
f4eedd9bf4eb87fcea790adc20264de105a6941f

SHA256
2446cafd31862e3513424dcdce6b003cf9da270bcd6f406dbf826c6cb2f8001b

SHA512
88860bc27e73a1bf52ec79cb732a0ad579df337a6de6ae492a7881ff90f2b02281ef21b4325f76b4b0f5862bb3ba3c88885013a5dda2e1b7fa187d780fa1f363

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4a7dde5711f021ba4b897402baff21d

SHA1
83c7a3f56f24bd8d726130418af3fe764523bf1f

SHA256
9fea6c1d071dee4821dd9ef077e4643db1e4d1105f6359566b020ebb37fb136d

SHA512
ac8a4bf4303e6cb6706f1324a08ca626ec0c5963810bbf7251c5d9a800dabd862856d2e6072e1e1c8d03aeef67c3451560a13cc9478bc2bd0793312fd817f8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3e3de00e1b7848e6d9fc7259b18f131

SHA1
9097cd25c337cc1cee50859e9554c33c805e3215

SHA256
462e247966d94ef29f2eb7645371aadacbd96a6786549f088edf27069155f15c

SHA512
c00cebddee283db72290e2c043d1928606ca936b4b1b4645229df9889cdbcae3cae3063d9c6592d5305e0eca3999d6b96d247b70ff0dd6678577932b83ef9ddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9648479501a01b2e295aa250ec38e4e3

SHA1
0d3ebf20779bad288e31816e6bfcd43b263f08cd

SHA256
1c8e44c9bed1a0f08aae44273446f90fcf76e94db02eb4d86b63e269e873376b

SHA512
079531a13d14e55fa370ba6a87e36b80c0721da042954ee77d49bc5d4515101a59c552f736a275a9352d01da379fecc453c4d337fb74baeb2104d12eb702a6ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8e5562dc1f31bf320a256636e50ecd9

SHA1
add05922d1c43174f4fb8dff1e6d1d1cbbba73f5

SHA256
8bc229d4be4ab4c1023df2d20a7adead40ba9a6dc0f5ef47e6765b45fcfe4dda

SHA512
c3e54483b52fd44cfbfec76fb75c63c29b65797a45ad224c7a54b5f0b368a6099f7ba3fb11a3f5ed76551e32591bc625e056ca5fbcc2175932330f26890897bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06376a9086fe873499d038e63de33329

SHA1
10eb030653ec925de42a8ec0d2a4691ea93203f3

SHA256
d611abe5e457953781d53c5b9fbda3f8bda31961e18acfba9fd85dea80fed4ee

SHA512
778b3e02a7ae2e6797b3f12eab4868d50d57e9e1b907e8cb63cf8b63cb7e0d0f1cb953ee168f3a9d2b5385a2af794abc550a241aad5f7141795538a59470bd55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcfbc7aa8de9d3ad23de79cc37ab246c

SHA1
15e4a3334e53ce5041b66589b1f2dbe9feed7646

SHA256
436c38be52297b90451104e9ba62944a1ec00542358550bfb93bbd05ea7b75d9

SHA512
bcad3ae3d431579dfc34c4296384d4310ff0ea48a11e3a3e44702227fb4173ae70252158044baf7e24e74c0922c780c0629f256f95db7cc245b4fd187e2290c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08a6c694da653b76690f2cfe21805233

SHA1
8ef72e479c61fd2cdb622e53fd8ddcfaf6e70132

SHA256
946709b8a37ad1e89351635b6ae365debb6be86805da840fef07c71adfc1a20e

SHA512
6d16e1842726710859f9ebe4f332499e7d486dea2043549e73babc1ce1b91593694a161dbe75bae9f5ef8ba4a4f7d75f0e7318adb21c6bec2994722126034e1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
690f6a3eb12d3436ff6dc8c513dc9202

SHA1
7b74c1e0fce17ffd972e49a7270c60d2547922e0

SHA256
188375507410256419bac2bd3abbc1e9e6c279ecff25a04e2f91eaedb6efd16b

SHA512
8bf475ff151f6324ce95fb7ea45d27d93aaccd2bee08a80fb04b30b1c786e4cacda9b23436de1a0a54f9973e5717922759bd7610952e36ec6fcca8c1f1adb386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
797a070140a88135ea4cf26509453df9

SHA1
b14978cca23b9762fa2db09e2e82cf4c1b2fc800

SHA256
6cd925009b20f2a15a0a98aaa2862b216884bba50c5eddf544b7f0da8528ea4b

SHA512
3a86fc0826181716ecf2ec180ef3442a4a966d54977f28abedbb352e07623964448fa288d4b44164ff2d6fe0dba582ec26bfe57a9dca45407b0246075c1778e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b24832fa0bb9405115a455428c67e3ca

SHA1
642838627885dab06056d926e28c6340d0107268

SHA256
f0155b9a79f520a635c4f6ed02451ff6ffd1181e8d309c34916726337e88be23

SHA512
7ed49582e95a765e1c85dad2bf6b750db35da47e8a073a25ff0cf9e4a42873ffcbf5a73573d194cab3c4ae55f71ffbfdb05df73f162e5f0d69741e457e08c698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3041785c83a968b95134cf8287ff6704

SHA1
e2a8cf5d6321bd799d4d1b4dcae0694ff830628d

SHA256
fc1801532d0d4c6ed88131e348e481e24a5108f8ad85a4a8d05df2d4193eed36

SHA512
570983f7faa59de943625173bcfef7cc0c99937626bc00c775c7aed887c4e23910100ee091a25635054c01ee899e745e203032e269ef4f06cea15dfe242da5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9a678bcd8b94d19d24d9f7e6e163b90e

SHA1
09b436ef5054269e60f6100af8ad2fa8efbc347b

SHA256
9449f2752d2a1596c9deb38e2b8ef83b81df3a2ccc202532d42146a4be4d1d58

SHA512
de67a6140847c00eeee4460abf37b085886229655a6fef044857653576b338168b2154252d7a131800b7a53b98c0ba38aefb28811af846e4c2cd14bd64c61291

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD309.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD30C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\explo.bat

Filesize
77B

MD5
842a5b9784004744843472d6c3440c60

SHA1
a61b7111c76dec741fb98b1eef6e6c45a02e6091

SHA256
f335661fabddf3ecca56756521b02fc9ae3c28952054eb8001dd6563a1c3b70b

SHA512
89a97e327c595239ba0d4718b09d6bb89a284b030ce32a4d54d8c81a964d13038f1e2107bb19c90a62a90036358cd6ffcd01699b310ebb74905254357fda876b

Download Submit
\Windows\wdfmgr\pxador.exe

Filesize
460KB

MD5
e2e9af35b9ce5c2f861ac3e79c2a42d0

SHA1
5ff7de0d33c7c954451901a3198088ee9807f0d7

SHA256
2de90b576dfc8507e91daa4870ad4e26e15acd779c9eee8e1849e5e78db46897

SHA512
8e0562191081bf680128e9cb23f95517f42f59526652a4f866a0482bf9cd38e35b8d48cb2ddb8757fd717531aa791977f3e334c63201f31e71b1931609c69447

Download Submit
memory/2360-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2360-18-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2600-582-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2600-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2600-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2600-33-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads