Analysis
max time kernel: 91s
max time network: 87s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 09-11-2024 17:20
Static task: static1
General
Target: FEDEX TRN 771893954554.exe
Size: 2.2MB
MD5: 22b365e10dd635468212251994b194bf
SHA1: 069d6d2395ec518d0156b6d02519d3b8e896e5b5
SHA256: 7f9b8fcc527d02e66b49d76ff52297d69dbf237a8dd4342fdf3f49a2189c67d0
SHA512: fbb27e9c38a6f351edd756b00227c42b98bf08c89c1c85e3b74462a381b61e4347972f373327f540b5744ef661ed0c1b3072b188616d5a5950478720bddefb1b
SSDEEP: 24576:iB26eZ4fTPkhZ2PAG0pMn6+YZ8IOxSD68Q81Zr6kNefAd/YK2HzQX9Kub+YSgrBK:Zhhj+EbjDE81R6iY7O
Malware Config
Extracted: formbook 4.1 oa09
Signatures

Formbook family
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Explorer.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Explorer.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Formbook payload (4 IoCs)
YARA rule formbook matched on:
- behavioral1/memory/4016-35-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/4016-40-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/4016-44-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/1704-48-0x0000000000D70000-0x0000000000D9F000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
FEDEX TRN 771893954554.exe: Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
FEDEX TRN 771893954554.exe: Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vmfdofz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vkqwztiilf\\Vmfdofz.exe\""

Suspicious use of SetThreadContext (4 IoCs; distinct entries listed)
PID 4052 FEDEX TRN 771893954554.exe set thread context of 4016 (procid_target 99)
PID 4016 FEDEX TRN 771893954554.exe set thread context of 3608 (procid_target 57)
PID 1704 wlanext.exe set thread context of 3608 (procid_target 57)

YARA rule for Mozi IoT Botnet (1 IoC)
Mozi IoT Botnet detection.
YARA rule Mozi_Botnet matched on: behavioral1/memory/4052-7-0x0000000005AB0000-0x0000000005E07000-memory.dmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: FEDEX TRN 771893954554.exe, powershell.exe, wlanext.exe, cmd.exe
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (35 IoCs; distinct pid/Process pairs listed)
1928  powershell.exe
4016  FEDEX TRN 771893954554.exe
1704  wlanext.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
3608  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs; distinct pid/Process pairs listed)
4016  FEDEX TRN 771893954554.exe
1704  wlanext.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct entries listed)
Token: SeDebugPrivilege           1928  powershell.exe
Token: SeDebugPrivilege           4052  FEDEX TRN 771893954554.exe
Token: SeDebugPrivilege           4016  FEDEX TRN 771893954554.exe
Token: SeDebugPrivilege           1704  wlanext.exe
Token: SeShutdownPrivilege        3608  Explorer.EXE
Token: SeCreatePagefilePrivilege  3608  Explorer.EXE

Suspicious use of FindShellTrayWindow (5 IoCs, all from one process)
3608  Explorer.EXE

Suspicious use of SendNotifyMessage (6 IoCs, all from one process)
3608  Explorer.EXE

Suspicious use of SetWindowsHookEx (24 IoCs, all from one process)
3608  Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs; distinct entries listed)
PID 4052 FEDEX TRN 771893954554.exe wrote to memory of 1928 (procid_target 84)
PID 4052 FEDEX TRN 771893954554.exe wrote to memory of 4016 (procid_target 99)
PID 3608 Explorer.EXE wrote to memory of 1704 (procid_target 105)
PID 1704 wlanext.exe wrote to memory of 1568 (procid_target 106)
Processes (tree; indentation shows parent/child depth)

C:\Windows\Explorer.EXE  (PID 3608)
  Command line: C:\Windows\Explorer.EXE
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\FEDEX TRN 771893954554.exe  (PID 4052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FEDEX TRN 771893954554.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1928)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 20)
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\FEDEX TRN 771893954554.exe  (PID 4016)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FEDEX TRN 771893954554.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe  (PID 1704)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1568)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\FEDEX TRN 771893954554.exe"
      - System Location Discovery: System Language Discovery

C:\Windows\System32\rundll32.exe  (PID 4364)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (4)
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82