floxif | 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97

General

Target

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Size

295KB
MD5

52df9cab71705d8d32c8ca7a96512048
SHA1

db1d09febfdc83b7596a69662a7fb399a0c1a09e
SHA256

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97
SHA512

ba111aec77fc17e531601edd86c1f3fd889fb7fa83a8015c289380c59c2b7f156f9cc83f97070f3862a64e2ecd4a202dd9cfc909135194a0aeae0d9c3f863a3b
SSDEEP

6144:XpLqdufVUEAkC5sqDgJqBV+UdvrEFp7hKXc:5FUEAf2qBjvrEH7uc

Score

10^/10

floxif backdoor discovery evasion persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 6 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1924	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1984	icsys.icn.exe
2864	explorer.exe
2992	spoolsv.exe
2768	svchost.exe
1804	spoolsv.exe

Loads dropped DLL 14 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeWerFault.exe

pid	process
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1984	icsys.icn.exe
2864	explorer.exe
2992	spoolsv.exe
2768	svchost.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
\Program Files\Common Files\System\symsrv.dll	upx
behavioral1/memory/1732-24-0x0000000000420000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1732-60-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1732-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description ioc process

File created C:\Program Files\Common Files\System\symsrv.dll 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Drops file in Windows directory 5 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exe69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

628 1924 WerFault.exe 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

pid	pid_target	process	target process
628	1924	WerFault.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exeschtasks.exe69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe explorer.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies registry class 5 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2676 schtasks.exe
704 schtasks.exe
2192 schtasks.exe

pid	process
2676	schtasks.exe
704	schtasks.exe
2192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2864 explorer.exe
2768 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description pid process

Token: SeDebugPrivilege 1732 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

pid	process
2864	explorer.exe
2768	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

pid	process
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1984	icsys.icn.exe
1984	icsys.icn.exe
2864	explorer.exe
2864	explorer.exe
2992	spoolsv.exe
2992	spoolsv.exe
2768	svchost.exe
2768	svchost.exe
1804	spoolsv.exe
1804	spoolsv.exe
1924	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1924	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	pid	process	target process
PID 1732 wrote to memory of 1924	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
PID 1732 wrote to memory of 1924	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
PID 1732 wrote to memory of 1924	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
PID 1732 wrote to memory of 1924	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
PID 1732 wrote to memory of 1984	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	icsys.icn.exe
PID 1732 wrote to memory of 1984	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	icsys.icn.exe
PID 1732 wrote to memory of 1984	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	icsys.icn.exe
PID 1732 wrote to memory of 1984	1732	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	icsys.icn.exe
PID 1984 wrote to memory of 2864	1984	icsys.icn.exe	explorer.exe
PID 1984 wrote to memory of 2864	1984	icsys.icn.exe	explorer.exe
PID 1984 wrote to memory of 2864	1984	icsys.icn.exe	explorer.exe
PID 1984 wrote to memory of 2864	1984	icsys.icn.exe	explorer.exe
PID 2864 wrote to memory of 2992	2864	explorer.exe	spoolsv.exe
PID 2864 wrote to memory of 2992	2864	explorer.exe	spoolsv.exe
PID 2864 wrote to memory of 2992	2864	explorer.exe	spoolsv.exe
PID 2864 wrote to memory of 2992	2864	explorer.exe	spoolsv.exe
PID 2992 wrote to memory of 2768	2992	spoolsv.exe	svchost.exe
PID 2992 wrote to memory of 2768	2992	spoolsv.exe	svchost.exe
PID 2992 wrote to memory of 2768	2992	spoolsv.exe	svchost.exe
PID 2992 wrote to memory of 2768	2992	spoolsv.exe	svchost.exe
PID 2768 wrote to memory of 1804	2768	svchost.exe	spoolsv.exe
PID 2768 wrote to memory of 1804	2768	svchost.exe	spoolsv.exe
PID 2768 wrote to memory of 1804	2768	svchost.exe	spoolsv.exe
PID 2768 wrote to memory of 1804	2768	svchost.exe	spoolsv.exe
PID 2864 wrote to memory of 2624	2864	explorer.exe	Explorer.exe
PID 2864 wrote to memory of 2624	2864	explorer.exe	Explorer.exe
PID 2864 wrote to memory of 2624	2864	explorer.exe	Explorer.exe
PID 2864 wrote to memory of 2624	2864	explorer.exe	Explorer.exe
PID 2768 wrote to memory of 2676	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 2676	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 2676	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 2676	2768	svchost.exe	schtasks.exe
PID 1924 wrote to memory of 628	1924	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	WerFault.exe
PID 1924 wrote to memory of 628	1924	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	WerFault.exe
PID 1924 wrote to memory of 628	1924	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	WerFault.exe
PID 1924 wrote to memory of 628	1924	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	WerFault.exe
PID 2768 wrote to memory of 704	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 704	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 704	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 704	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 2192	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 2192	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 2192	2768	svchost.exe	schtasks.exe
PID 2768 wrote to memory of 2192	2768	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
"C:\Users\Admin\AppData\Local\Temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- \??\c:\users\admin\appdata\local\temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
  c:\users\admin\appdata\local\temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1872
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:628
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2992
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1804
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:52 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:53 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:704
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:54 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2192
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
fd7f07ce3782f1174ed287d8c64cae2a

SHA1
aa50287c550d501d10166652355d8c7353c1bc39

SHA256
a0850d54d9c7ae00f91b82f8ede3a7b868640ccb8013fa7f9ddee3ac97811adf

SHA512
41012bf68924e588fbc69ad740578e35cdaf1b0c520ae2fac00ee069cfd054765d856b766b768d1c961f4a3f4f743ede0dbb698b946996f2eb537cc0d8d8c654

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Filesize
84KB

MD5
db88cea04959ef0e922c90b53738f37a

SHA1
cdc9e0c6ed27bfc798221cfc7a5316bf45e44493

SHA256
6031b6caa61889583058cfb76401cb7b26c8c739e013835cee9747c0634e9bd8

SHA512
61b69861844e45a671f156f7c391f749a414bd1726e3ab9b80644bc09c4d88941b7cade1b3ccd1a4eb6adf8fa34d9dc20fb0ad34981c5ccc00479d2fb259dd91

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
be0649f1b129bceeffc732def383465f

SHA1
2457259945ef27b7bc5051a45f396630f265e9b6

SHA256
45e68229cb7fc890129984340a526bd21b0ed166b41327170de24c7c339613b7

SHA512
63560c8a6c13dd56d9ed85416c6581f88475ed015c72b0a617cdc74b6a3e21b6fa8a67195e9820dadbd017430a6003ef1cab072e3c20ce3ba03a006d899cfa54

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
3070a1b2d072f2c9bc674ba3c222435c

SHA1
192df92a65666262f49918fd37962c10502a97e2

SHA256
5e54f2d600edd7b0eb78607fa6c93605093e6f93d85b7dff9bf6629b62b3e816

SHA512
1706e88072f30c220b80334d61021b777103c489ec9cf2fe750770bb58f7000cfe44b8ba419347f5b977c115bb8c8d332949320c8d3752ead23d27e3ccec13fe

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f39c4944222a007801e274c04dd5d1c9

SHA1
2b9f7a86e950282c4b6b763e070a29dbdbc64c92

SHA256
e66fd2154e40fc0e5921e89ddb02f13b1bb64b99ebef76ab064679267cf41d62

SHA512
6556952cb8dd5353cb9c7f107a721905fc4c28075a388a03b8c26656f89dfa542a173a538e3bc9ac94d5990af8f00f79a6ab711134bac81a3b3f67edcf33cc7c

Download Submit
memory/1732-24-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/1732-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1732-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-60-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1804-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1984-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-95-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2864-93-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2992-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2992-52-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads