floxif | d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Size

1.1MB
MD5

3ab47d7d723c1661807084d39d4b7744
SHA1

a8790ce365a8e62d3f38fe2b6fae36b34f7a5a18
SHA256

05ecfbb70aa1785e6c8aad3c7da653a797aba2193b7ef136d68e50e23315fbe2
SHA512

667c794cbd3bec294a5b6321ec25624a2dc4c44da240ddba7759dceeaca303a34891be85a09bece13bfb8763bfcd6041d08d55e723c2f846a0938bf196cb7d84
SSDEEP

24576:xavtvLkLL9IMixoEgeaUOR5UZtqOYq9MmCSSrEH7px:xkjkn9IMHeaU/Z+aPCSbx

Score

10^/10

floxif njrat quasar hackedtest heart backdoor discovery evasion execution persistence privilege_escalation spyware trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKedTEST

chipo.publicvm.com:1177

Mutex

4c71585ab01a8f1344352fb1f26b00fd

Attributes

reg_key
4c71585ab01a8f1344352fb1f26b00fd
splitter
|'|'|

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Heart

185.163.127.20:61110

Mutex

HRT_MUTEX_kecTsVDPnERdvianlr

Attributes

encryption_key
3vnM9JqtaSdxUVqeTXSi
install_name
Subfile.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDirr

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral12/files/0x0008000000023ba9-133.dat	family_quasar
behavioral12/memory/3900-137-0x0000000000D50000-0x0000000000DAE000-memory.dmp	family_quasar

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
behavioral12/files/0x000c000000023b27-1.dat	floxif

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2792	powershell.exe
1764	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
3548	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral12/files/0x000c000000023b27-1.dat	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exewscript.exetest404.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	test404.exe

Drops startup file 2 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test404.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test404.exe	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Executes dropped EXE 5 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exetest404.exeGoogle Chrome.exeSys32.exeSubfile.exe

pid	Process
3548	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
4580	test404.exe
4424	Google Chrome.exe
5100	Sys32.exe
3900	Subfile.exe

Loads dropped DLL 8 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeLoader.exeLoader1.exeGoogle Chrome.exenetsh.exeSubfile.exe

pid	Process
4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
4516	Loader.exe
1364	Loader1.exe
4424	Google Chrome.exe
3548	netsh.exe
3900	Subfile.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Google Chrome.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c71585ab01a8f1344352fb1f26b00fd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .."	Google Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4c71585ab01a8f1344352fb1f26b00fd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Chrome.exe\" .."	Google Chrome.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

description	ioc	Process
File opened (read-only)	\??\e:	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
44	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral12/files/0x000a000000023b8a-20.dat	autoit_exe
behavioral12/memory/4804-61-0x00000000008E0000-0x00000000009E5000-memory.dmp	autoit_exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral12/memory/4804-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/files/0x000c000000023b27-1.dat	upx
behavioral12/files/0x000a000000023b8d-22.dat	upx
behavioral12/memory/3548-23-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral12/files/0x000b000000023b79-34.dat	upx
behavioral12/memory/3548-40-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral12/memory/4804-63-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4516-87-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4516-86-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral12/memory/4516-95-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral12/memory/4516-96-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/files/0x000b000000023b8a-100.dat	upx
behavioral12/memory/1364-99-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/1364-97-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral12/memory/1364-108-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/1364-107-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral12/memory/4424-121-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/3548-123-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/3548-126-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-127-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-128-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-129-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/3900-136-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-142-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/3900-143-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-144-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-146-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-150-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral12/memory/4424-154-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Load.exeLoader.exeLoader1.exeGoogle Chrome.exeSubfile.exeHeart-Sender-V1.2 Cracked by JC0der-FireEye.exeHeart-Sender-V1.2 Cracked by JC0der-FireEye.exetest404.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Load.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Subfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test404.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
4652	schtasks.exe
1728	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Sys32.exe

pid	Process
5100	Sys32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exepowershell.exepowershell.exe

pid	Process
4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
2792	powershell.exe
2792	powershell.exe
1764	powershell.exe
1764	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exepowershell.exepowershell.exeLoader.exeLoader1.exenetsh.exeSubfile.exe

description	pid	Process
Token: SeDebugPrivilege	4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	4516	Loader.exe
Token: SeDebugPrivilege	1364	Loader1.exe
Token: SeDebugPrivilege	3548	netsh.exe
Token: SeDebugPrivilege	3900	Subfile.exe
Token: SeDebugPrivilege	3900	Subfile.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Subfile.exe

pid	Process
3900	Subfile.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Heart-Sender-V1.2 Cracked by JC0der-FireEye.exeHeart-Sender-V1.2 Cracked by JC0der-FireEye.exewscript.execmd.exetest404.exe

description	pid	Process	procid_target
PID 4804 wrote to memory of 3548	4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	87
PID 4804 wrote to memory of 3548	4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	87
PID 4804 wrote to memory of 3548	4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	87
PID 3548 wrote to memory of 348	3548	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	89
PID 3548 wrote to memory of 348	3548	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	89
PID 348 wrote to memory of 1772	348	wscript.exe	91
PID 348 wrote to memory of 1772	348	wscript.exe	91
PID 348 wrote to memory of 1772	348	wscript.exe	91
PID 348 wrote to memory of 60	348	wscript.exe	92
PID 348 wrote to memory of 60	348	wscript.exe	92
PID 60 wrote to memory of 2792	60	cmd.exe	94
PID 60 wrote to memory of 2792	60	cmd.exe	94
PID 4804 wrote to memory of 4580	4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	95
PID 4804 wrote to memory of 4580	4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	95
PID 4804 wrote to memory of 4580	4804	Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe	95
PID 60 wrote to memory of 1764	60	cmd.exe	96
PID 60 wrote to memory of 1764	60	cmd.exe	96
PID 60 wrote to memory of 1728	60	cmd.exe	97
PID 60 wrote to memory of 1728	60	cmd.exe	97
PID 60 wrote to memory of 4652	60	cmd.exe	98
PID 60 wrote to memory of 4652	60	cmd.exe	98
PID 60 wrote to memory of 4596	60	cmd.exe	99
PID 60 wrote to memory of 4596	60	cmd.exe	99
PID 60 wrote to memory of 4516	60	cmd.exe	100
PID 60 wrote to memory of 4516	60	cmd.exe	100
PID 60 wrote to memory of 4516	60	cmd.exe	100
PID 60 wrote to memory of 1364	60	cmd.exe	101
PID 60 wrote to memory of 1364	60	cmd.exe	101
PID 60 wrote to memory of 1364	60	cmd.exe	101
PID 4580 wrote to memory of 4424	4580	test404.exe	106
PID 4580 wrote to memory of 4424	4580	test404.exe	106
PID 4580 wrote to memory of 4424	4580	test404.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
4596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
  "C:\Users\Admin\AppData\Local\Temp/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A22B.tmp\A22C.tmp\A22D.vbs //Nologo
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Heart\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Heart\Load.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users" -force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1728
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4652
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr
        5⤵
        Views/modifies file attributes
        
        PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exe
        
        loader.exe -pP@$$W@RD@@
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exe
        
        loader1.exe -pP@$$W@RD@@
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
- C:\Users\Admin\AppData\Local\Temp\test404.exe
  C:\Users\Admin\AppData\Local\Temp/test404.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4424
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe" "Google Chrome.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Loads dropped DLL
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3548

C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:5100

C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\A1222FC12C4.tmp

Filesize
1019KB

MD5
cb0de434b038de61b61d60e2d284c2c5

SHA1
f4197c2ccaf7c42679c15208945e3536d27eda97

SHA256
b5050491771ba6bc4305574127ef774caca08280f64f0cea0a44dd8cfb0ecae3

SHA512
2984641dcfa04dedcd4a5c6bfd181da3c6352a9405043f9d6a73b0d84be84d5b61f619f209c7a89dcd7cb7631edbf4a40c5fbd6de006e97e15ea00bfd7e09324

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\AB7228C11A4.tmp

Filesize
216KB

MD5
a0f5d9448eed029fef6d9944df015832

SHA1
560dc39fbdccf26465005baf60648d3e0e41b32a

SHA256
02d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242

SHA512
c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A22B.tmp\A22C.tmp\A22D.vbs

Filesize
528B

MD5
eb6e66649458ab67cd6b1c1119d27cc3

SHA1
8099e76b7c4c5d593889d3d4bcf709e926d3eaab

SHA256
26dfa79be36cbdfcc3850d17dc704c16ef2772a4b561e13f349307571230f0e0

SHA512
daacbcd01d8d5555dda47ed08b042b29e203ee7ca6a29252a27bb14f6f742db2c1c58d5b83ce36d8c1fb40fae22ef14c0777cbc1ae0f9d28e8d2bb28c7933c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe

Filesize
60KB

MD5
2460a0af6c336e546ecb8d3a3bb6fab7

SHA1
de23c0a0c8d5b42eb804a557073e7c9cd1fe8558

SHA256
4ef7de2f82d7e76e2b408418c26e86680be7ca75f0406aa9e9f052a9e833ee7f

SHA512
b75eef7ec0de1ba74ce7ff378f3307741bb3b7b52d092180947753e620c30edae928f68978ddc2dc23c6ae8e8f884cd64a69a875b23de47ebadfd09483170966

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe.tmp

Filesize
136KB

MD5
554969c9b35041023edc51852ed4b30a

SHA1
d2e8f0dc1a68ccc70e2e02fc964ad3fdd7ed871e

SHA256
4ebd18478b717d304cc981608c127cd32a7105ceb2196b77143db8d0f6e6c843

SHA512
b2a2cd5afb498746ff9b005a56e063b33d082fb324210db009ac62651d909c844e13c27f3c2fbdfc808255ad7ac35502daf605fd14008d70c7dfcb4046532288

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44se0t2b.qj4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test404.exe

Filesize
141KB

MD5
943df0dd122ec18e4a64231c3d8cb3f9

SHA1
5abb3181f354cd5d48726fad840518926f8ff0d7

SHA256
48945de236ef7a39cf323719c174300653f9c6d35329512c0b2a29cc3ec9ea91

SHA512
1bcc301995f984593f9874ef59f79e00ff91031f3bbb1205ff661576365299ae930e9f83356f6a49ab00cfc233f614302266c6707bba7bf86b5d505f96d71009

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe

Filesize
348KB

MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe

Filesize
7KB

MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
memory/1364-107-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1364-99-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1364-97-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1364-108-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1772-91-0x00000000076C0000-0x00000000076E2000-memory.dmp

Filesize
136KB

Download
memory/1772-53-0x000000000A110000-0x000000000A6B4000-memory.dmp

Filesize
5.6MB

Download
memory/1772-66-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/1772-42-0x00000000079A0000-0x0000000007A58000-memory.dmp

Filesize
736KB

Download
memory/1772-69-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/1772-41-0x0000000000C10000-0x0000000000C4E000-memory.dmp

Filesize
248KB

Download
memory/1772-89-0x0000000007300000-0x0000000007654000-memory.dmp

Filesize
3.3MB

Download
memory/2792-48-0x0000024D30A80000-0x0000024D30AA2000-memory.dmp

Filesize
136KB

Download
memory/3548-126-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3548-23-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3548-123-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3548-40-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3900-137-0x0000000000D50000-0x0000000000DAE000-memory.dmp

Filesize
376KB

Download
memory/3900-136-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3900-138-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/3900-139-0x00000000069D0000-0x00000000069E2000-memory.dmp

Filesize
72KB

Download
memory/3900-140-0x0000000006F10000-0x0000000006F4C000-memory.dmp

Filesize
240KB

Download
memory/3900-143-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-121-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-142-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-154-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-150-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-146-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-144-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-127-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-128-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4424-129-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4516-86-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4516-95-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4516-96-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4516-87-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4580-68-0x0000000003020000-0x0000000003034000-memory.dmp

Filesize
80KB

Download
memory/4580-70-0x0000000005930000-0x00000000059CC000-memory.dmp

Filesize
624KB

Download
memory/4580-67-0x0000000000CA0000-0x0000000000CCA000-memory.dmp

Filesize
168KB

Download
memory/4580-83-0x0000000006DB0000-0x0000000006DBC000-memory.dmp

Filesize
48KB

Download
memory/4804-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4804-38-0x0000000005160000-0x0000000005185000-memory.dmp

Filesize
148KB

Download
memory/4804-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4804-61-0x00000000008E0000-0x00000000009E5000-memory.dmp

Filesize
1.0MB

Download
memory/4804-37-0x0000000005160000-0x0000000005185000-memory.dmp

Filesize
148KB

Download
memory/5100-132-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download