floxif | d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Size

1.1MB
MD5

3ab47d7d723c1661807084d39d4b7744
SHA1

a8790ce365a8e62d3f38fe2b6fae36b34f7a5a18
SHA256

05ecfbb70aa1785e6c8aad3c7da653a797aba2193b7ef136d68e50e23315fbe2
SHA512

667c794cbd3bec294a5b6321ec25624a2dc4c44da240ddba7759dceeaca303a34891be85a09bece13bfb8763bfcd6041d08d55e723c2f846a0938bf196cb7d84
SSDEEP

24576:xavtvLkLL9IMixoEgeaUOR5UZtqOYq9MmCSSrEH7px:xkjkn9IMHeaU/Z+aPCSbx

Score

10^/10

floxif njrat quasar hackedtest heart backdoor discovery evasion execution persistence privilege_escalation spyware trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKedTEST

chipo.publicvm.com:1177

Mutex

4c71585ab01a8f1344352fb1f26b00fd

Attributes

reg_key
4c71585ab01a8f1344352fb1f26b00fd
splitter
|'|'|

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Heart

185.163.127.20:61110

Mutex

HRT_MUTEX_kecTsVDPnERdvianlr

Attributes

encryption_key
3vnM9JqtaSdxUVqeTXSi
install_name
Subfile.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDirr

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral11/files/0x0007000000016b86-105.dat	family_quasar
behavioral11/memory/1936-111-0x0000000001290000-0x00000000012EE000-memory.dmp	family_quasar

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
behavioral11/files/0x000a0000000120d6-1.dat	floxif

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2608	powershell.exe
2620	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
1132	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral11/files/0x000a0000000120d6-1.dat	acprotect

Drops startup file 2 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test404.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test404.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Executes dropped EXE 5 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exetest404.exeGoogle Chrome.exeSys32.exeSubfile.exe

pid	Process
2216	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
2252	test404.exe
2172	Google Chrome.exe
1804	Sys32.exe
1936	Subfile.exe

Loads dropped DLL 9 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeLoader.exeLoader1.exetest404.exeGoogle Chrome.exenetsh.exeSubfile.exe

pid	Process
1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
2860	Loader.exe
2948	Loader1.exe
2252	test404.exe
2172	Google Chrome.exe
1132	netsh.exe
1936	Subfile.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Google Chrome.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c71585ab01a8f1344352fb1f26b00fd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .."	Google Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4c71585ab01a8f1344352fb1f26b00fd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .."	Google Chrome.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeGoogle Chrome.exe

description	ioc	Process
File opened (read-only)	\??\e:	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File opened (read-only)	\??\e:	Google Chrome.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral11/files/0x0006000000016b86-19.dat	autoit_exe
behavioral11/memory/1736-56-0x0000000000B00000-0x0000000000C05000-memory.dmp	autoit_exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral11/files/0x000a0000000120d6-1.dat	upx
behavioral11/memory/1736-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/1736-22-0x0000000000C10000-0x0000000000C35000-memory.dmp	upx
behavioral11/files/0x0006000000016cf0-20.dat	upx
behavioral11/memory/2216-25-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral11/memory/2216-29-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral11/memory/1736-59-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2860-62-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral11/memory/2860-65-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2860-72-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral11/memory/2860-74-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2948-75-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral11/files/0x0006000000016d6f-78.dat	upx
behavioral11/memory/2948-77-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2948-83-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral11/memory/2948-85-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/files/0x0007000000016d6f-95.dat	upx
behavioral11/memory/2172-94-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/1132-98-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/1132-100-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-101-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-102-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-103-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/1936-110-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-115-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/1936-118-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-119-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-123-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-127-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-131-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-135-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-137-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-139-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral11/memory/2172-141-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeGoogle Chrome.exe

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File created	\??\c:\progra~1\common~1\system\symsrv.dll.000	Google Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeGoogle Chrome.exetest404.exeLoader.exeLoader1.exenetsh.exeSubfile.exeHeart-Sender-V1.2 Cracked by JC0der-FireEye.exeLoad.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test404.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Subfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Load.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
1984	schtasks.exe
1120	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Sys32.exe

pid	Process
1804	Sys32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

Loader.exeLoader1.exe

pid	Process
2860	Loader.exe
2948	Loader1.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeHeart-Sender-V1.2 Cracked by JC0der-FireEye.exepowershell.exeGoogle Chrome.exe

pid	Process
2608	powershell.exe
1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
2620	powershell.exe
2172	Google Chrome.exe
2172	Google Chrome.exe
2172	Google Chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Load.exe

pid	Process
2724	Load.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exepowershell.exepowershell.exeLoader.exeLoader1.exeGoogle Chrome.exenetsh.exeSubfile.exe

description	pid	Process
Token: SeDebugPrivilege	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2860	Loader.exe
Token: SeDebugPrivilege	2948	Loader1.exe
Token: SeDebugPrivilege	2172	Google Chrome.exe
Token: SeDebugPrivilege	1132	netsh.exe
Token: SeDebugPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: SeDebugPrivilege	1936	Subfile.exe
Token: SeDebugPrivilege	1936	Subfile.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe
Token: 33	2172	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	2172	Google Chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Subfile.exe

pid	Process
1936	Subfile.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeHeart-Sender-V1.2 Cracked by JC0der-FireEye.exewscript.execmd.exetest404.exeGoogle Chrome.exetaskeng.exe

description	pid	Process	procid_target
PID 1736 wrote to memory of 2216	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	30
PID 1736 wrote to memory of 2216	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	30
PID 1736 wrote to memory of 2216	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	30
PID 1736 wrote to memory of 2216	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	30
PID 2216 wrote to memory of 2808	2216	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	31
PID 2216 wrote to memory of 2808	2216	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	31
PID 2216 wrote to memory of 2808	2216	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	31
PID 2216 wrote to memory of 2808	2216	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	31
PID 2808 wrote to memory of 2724	2808	wscript.exe	32
PID 2808 wrote to memory of 2724	2808	wscript.exe	32
PID 2808 wrote to memory of 2724	2808	wscript.exe	32
PID 2808 wrote to memory of 2724	2808	wscript.exe	32
PID 2808 wrote to memory of 2884	2808	wscript.exe	33
PID 2808 wrote to memory of 2884	2808	wscript.exe	33
PID 2808 wrote to memory of 2884	2808	wscript.exe	33
PID 2884 wrote to memory of 2608	2884	cmd.exe	35
PID 2884 wrote to memory of 2608	2884	cmd.exe	35
PID 2884 wrote to memory of 2608	2884	cmd.exe	35
PID 2884 wrote to memory of 2620	2884	cmd.exe	36
PID 2884 wrote to memory of 2620	2884	cmd.exe	36
PID 2884 wrote to memory of 2620	2884	cmd.exe	36
PID 1736 wrote to memory of 2252	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	37
PID 1736 wrote to memory of 2252	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	37
PID 1736 wrote to memory of 2252	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	37
PID 1736 wrote to memory of 2252	1736	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	37
PID 2884 wrote to memory of 1984	2884	cmd.exe	38
PID 2884 wrote to memory of 1984	2884	cmd.exe	38
PID 2884 wrote to memory of 1984	2884	cmd.exe	38
PID 2884 wrote to memory of 1120	2884	cmd.exe	39
PID 2884 wrote to memory of 1120	2884	cmd.exe	39
PID 2884 wrote to memory of 1120	2884	cmd.exe	39
PID 2884 wrote to memory of 2668	2884	cmd.exe	40
PID 2884 wrote to memory of 2668	2884	cmd.exe	40
PID 2884 wrote to memory of 2668	2884	cmd.exe	40
PID 2884 wrote to memory of 2860	2884	cmd.exe	41
PID 2884 wrote to memory of 2860	2884	cmd.exe	41
PID 2884 wrote to memory of 2860	2884	cmd.exe	41
PID 2884 wrote to memory of 2860	2884	cmd.exe	41
PID 2884 wrote to memory of 2860	2884	cmd.exe	41
PID 2884 wrote to memory of 2860	2884	cmd.exe	41
PID 2884 wrote to memory of 2860	2884	cmd.exe	41
PID 2884 wrote to memory of 2948	2884	cmd.exe	42
PID 2884 wrote to memory of 2948	2884	cmd.exe	42
PID 2884 wrote to memory of 2948	2884	cmd.exe	42
PID 2884 wrote to memory of 2948	2884	cmd.exe	42
PID 2884 wrote to memory of 2948	2884	cmd.exe	42
PID 2884 wrote to memory of 2948	2884	cmd.exe	42
PID 2884 wrote to memory of 2948	2884	cmd.exe	42
PID 2252 wrote to memory of 2172	2252	test404.exe	43
PID 2252 wrote to memory of 2172	2252	test404.exe	43
PID 2252 wrote to memory of 2172	2252	test404.exe	43
PID 2252 wrote to memory of 2172	2252	test404.exe	43
PID 2172 wrote to memory of 1132	2172	Google Chrome.exe	45
PID 2172 wrote to memory of 1132	2172	Google Chrome.exe	45
PID 2172 wrote to memory of 1132	2172	Google Chrome.exe	45
PID 2172 wrote to memory of 1132	2172	Google Chrome.exe	45
PID 2336 wrote to memory of 1804	2336	taskeng.exe	49
PID 2336 wrote to memory of 1804	2336	taskeng.exe	49
PID 2336 wrote to memory of 1804	2336	taskeng.exe	49
PID 2336 wrote to memory of 1936	2336	taskeng.exe	50
PID 2336 wrote to memory of 1936	2336	taskeng.exe	50
PID 2336 wrote to memory of 1936	2336	taskeng.exe	50
PID 2336 wrote to memory of 1936	2336	taskeng.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
  "C:\Users\Admin\AppData\Local\Temp/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9D58.tmp\9D59.tmp\9D5A.vbs //Nologo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Heart\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Heart\Load.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2724
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users" -force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1120
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr
        5⤵
        Views/modifies file attributes
        
        PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exe
        
        loader.exe -pP@$$W@RD@@
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exe
        
        loader1.exe -pP@$$W@RD@@
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
- C:\Users\Admin\AppData\Local\Temp\test404.exe
  C:\Users\Admin\AppData\Local\Temp/test404.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe" "Google Chrome.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Loads dropped DLL
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1132

C:\Windows\system32\taskeng.exe
taskeng.exe {1FFD7463-B19A-421B-ABC0-6482CE7BEC05} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
  C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:1804
- C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
  C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D58.tmp\9D59.tmp\9D5A.vbs

Filesize
528B

MD5
eb6e66649458ab67cd6b1c1119d27cc3

SHA1
8099e76b7c4c5d593889d3d4bcf709e926d3eaab

SHA256
26dfa79be36cbdfcc3850d17dc704c16ef2772a4b561e13f349307571230f0e0

SHA512
daacbcd01d8d5555dda47ed08b042b29e203ee7ca6a29252a27bb14f6f742db2c1c58d5b83ce36d8c1fb40fae22ef14c0777cbc1ae0f9d28e8d2bb28c7933c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\9CAD9306C8.tmp

Filesize
1019KB

MD5
cb0de434b038de61b61d60e2d284c2c5

SHA1
f4197c2ccaf7c42679c15208945e3536d27eda97

SHA256
b5050491771ba6bc4305574127ef774caca08280f64f0cea0a44dd8cfb0ecae3

SHA512
2984641dcfa04dedcd4a5c6bfd181da3c6352a9405043f9d6a73b0d84be84d5b61f619f209c7a89dcd7cb7631edbf4a40c5fbd6de006e97e15ea00bfd7e09324

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\A351B5CB2C.tmp

Filesize
216KB

MD5
a0f5d9448eed029fef6d9944df015832

SHA1
560dc39fbdccf26465005baf60648d3e0e41b32a

SHA256
02d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242

SHA512
c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\A45A2F8B84.tmp

Filesize
71KB

MD5
cb12a9883105636361815cc05ae84a9b

SHA1
e200f1b9553254dac2771c11e9c7eaf39095803c

SHA256
fb6f81aaf1dbe4cf4a182b2f049504c2b137cf714eacddf8debc7087d52414e7

SHA512
36dd29e931d771802e4f39ece4cb3ab6bff777457304d3242b88189ebd8a2650a68dba2b100309f6a5962af2d92416f91f0ad0e323e98d7276b2ecec0c657fec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
13326b233e103c8a1c11f19308e62ead

SHA1
bccb5a51486fe176edbe135f6f68a091c73cde8b

SHA256
d4bc41f48440690a92bf0dfc621e463fcf1d5c1973cfcbe3d2a4d83ec35fc080

SHA512
49f66b0236cb1b9011d3391ef0ad4d348201e5fc4b34e16f18f265b7ad597e79aeb3589801082031701fa2c4d4e0c4168fb717d92708127d4853f0dde497f9fc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe

Filesize
348KB

MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe

Filesize
7KB

MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Filesize
60KB

MD5
2460a0af6c336e546ecb8d3a3bb6fab7

SHA1
de23c0a0c8d5b42eb804a557073e7c9cd1fe8558

SHA256
4ef7de2f82d7e76e2b408418c26e86680be7ca75f0406aa9e9f052a9e833ee7f

SHA512
b75eef7ec0de1ba74ce7ff378f3307741bb3b7b52d092180947753e620c30edae928f68978ddc2dc23c6ae8e8f884cd64a69a875b23de47ebadfd09483170966

Download Submit
\Users\Admin\AppData\Local\Temp\test404.exe

Filesize
141KB

MD5
943df0dd122ec18e4a64231c3d8cb3f9

SHA1
5abb3181f354cd5d48726fad840518926f8ff0d7

SHA256
48945de236ef7a39cf323719c174300653f9c6d35329512c0b2a29cc3ec9ea91

SHA512
1bcc301995f984593f9874ef59f79e00ff91031f3bbb1205ff661576365299ae930e9f83356f6a49ab00cfc233f614302266c6707bba7bf86b5d505f96d71009

Download Submit
memory/1132-100-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1132-98-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1736-22-0x0000000000C10000-0x0000000000C35000-memory.dmp

Filesize
148KB

Download
memory/1736-56-0x0000000000B00000-0x0000000000C05000-memory.dmp

Filesize
1.0MB

Download
memory/1736-59-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1736-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1804-113-0x0000000001390000-0x0000000001398000-memory.dmp

Filesize
32KB

Download
memory/1936-110-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1936-111-0x0000000001290000-0x00000000012EE000-memory.dmp

Filesize
376KB

Download
memory/1936-118-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-135-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-96-0x0000000000E90000-0x0000000000EBA000-memory.dmp

Filesize
168KB

Download
memory/2172-131-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-127-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-123-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-141-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-119-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-103-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-115-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-137-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-94-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-102-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-139-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2172-101-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2216-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2216-25-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2252-67-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2252-60-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/2252-61-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/2608-36-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2608-35-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2620-47-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-48-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2724-41-0x00000000049E0000-0x0000000004A98000-memory.dmp

Filesize
736KB

Download
memory/2724-34-0x0000000001220000-0x000000000125E000-memory.dmp

Filesize
248KB

Download
memory/2860-74-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2860-72-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-65-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2860-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2948-85-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2948-83-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2948-77-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2948-75-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download