floxif | 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97

General

Target

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Size

295KB
MD5

52df9cab71705d8d32c8ca7a96512048
SHA1

db1d09febfdc83b7596a69662a7fb399a0c1a09e
SHA256

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97
SHA512

ba111aec77fc17e531601edd86c1f3fd889fb7fa83a8015c289380c59c2b7f156f9cc83f97070f3862a64e2ecd4a202dd9cfc909135194a0aeae0d9c3f863a3b
SSDEEP

6144:XpLqdufVUEAkC5sqDgJqBV+UdvrEFp7hKXc:5FUEAf2qBjvrEH7uc

Score

10^/10

floxif backdoor discovery evasion persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 6 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3532	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1756	icsys.icn.exe
3988	explorer.exe
1428	spoolsv.exe
2312	svchost.exe
1360	spoolsv.exe

Loads dropped DLL 1 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

pid process

3400 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description ioc process

File opened (read-only) \??\e: 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	ioc	process
File opened (read-only)	\??\e:	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	upx
behavioral2/memory/3400-5-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3400-69-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description ioc process

File created C:\Program Files\Common Files\System\symsrv.dll 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Drops file in Windows directory 5 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4488 3532 WerFault.exe 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

pid	pid_target	process	target process
4488	3532	WerFault.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exespoolsv.exe69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe icsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Modifies registry class 18 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exe

pid	process
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
1756	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3988 explorer.exe
2312 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

description pid process

Token: SeDebugPrivilege 3400 69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

pid	process
3988	explorer.exe
2312	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

pid	process
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
1756	icsys.icn.exe
1756	icsys.icn.exe
3988	explorer.exe
3988	explorer.exe
1428	spoolsv.exe
1428	spoolsv.exe
2312	svchost.exe
2312	svchost.exe
1360	spoolsv.exe
1360	spoolsv.exe
3532	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
3532	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3400 wrote to memory of 3532	3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
PID 3400 wrote to memory of 3532	3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
PID 3400 wrote to memory of 3532	3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
PID 3400 wrote to memory of 1756	3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	icsys.icn.exe
PID 3400 wrote to memory of 1756	3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	icsys.icn.exe
PID 3400 wrote to memory of 1756	3400	69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe	icsys.icn.exe
PID 1756 wrote to memory of 3988	1756	icsys.icn.exe	explorer.exe
PID 1756 wrote to memory of 3988	1756	icsys.icn.exe	explorer.exe
PID 1756 wrote to memory of 3988	1756	icsys.icn.exe	explorer.exe
PID 3988 wrote to memory of 1428	3988	explorer.exe	spoolsv.exe
PID 3988 wrote to memory of 1428	3988	explorer.exe	spoolsv.exe
PID 3988 wrote to memory of 1428	3988	explorer.exe	spoolsv.exe
PID 1428 wrote to memory of 2312	1428	spoolsv.exe	svchost.exe
PID 1428 wrote to memory of 2312	1428	spoolsv.exe	svchost.exe
PID 1428 wrote to memory of 2312	1428	spoolsv.exe	svchost.exe
PID 2312 wrote to memory of 1360	2312	svchost.exe	spoolsv.exe
PID 2312 wrote to memory of 1360	2312	svchost.exe	spoolsv.exe
PID 2312 wrote to memory of 1360	2312	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
"C:\Users\Admin\AppData\Local\Temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400
- \??\c:\users\admin\appdata\local\temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
  c:\users\admin\appdata\local\temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 2120
    3⤵
    - Program crash
    PID:4488
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1756
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1428
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3532 -ip 3532
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\69f5f142de756ad4c292fb7d2006806c1482a7571c0402861d7485d7b1bedc97.exe

Filesize
84KB

MD5
db88cea04959ef0e922c90b53738f37a

SHA1
cdc9e0c6ed27bfc798221cfc7a5316bf45e44493

SHA256
6031b6caa61889583058cfb76401cb7b26c8c739e013835cee9747c0634e9bd8

SHA512
61b69861844e45a671f156f7c391f749a414bd1726e3ab9b80644bc09c4d88941b7cade1b3ccd1a4eb6adf8fa34d9dc20fb0ad34981c5ccc00479d2fb259dd91

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
7518dd4ae5d9410a70ca2496f5ed6523

SHA1
a92042d522634d42c6b4f3c2b0c71deb844154da

SHA256
651934082aca963dfb32ce67a8808c3a27f4dad2407d6da227e540fabb17f011

SHA512
ef8719791a3cded4a90a2aebf4e38d1573cfc2c41cad0aa8a4c8c184817a1ba00834fee464ba04deb8d272d26708214de8fc7e31a4c3c1ed9cabfcd715d375f1

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
fd7f07ce3782f1174ed287d8c64cae2a

SHA1
aa50287c550d501d10166652355d8c7353c1bc39

SHA256
a0850d54d9c7ae00f91b82f8ede3a7b868640ccb8013fa7f9ddee3ac97811adf

SHA512
41012bf68924e588fbc69ad740578e35cdaf1b0c520ae2fac00ee069cfd054765d856b766b768d1c961f4a3f4f743ede0dbb698b946996f2eb537cc0d8d8c654

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
1ea592ecfa16f1d84034777317e6a7f9

SHA1
d520238d5c23b2657ff5abad1ec4ece7caff3b1c

SHA256
8d53607336416629dd5816d06e57481f55534f8ddc81bd22784c6859f51c3112

SHA512
334087b648e43ea783a51d28fe485e32de0a6c740739c81c437a48bd363890fcf7cc560cdaebb0e169c33cc5e7bf4899175988ea37a0314974d20c7e4a0bbb8a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
38a30c4c9fc51c30eda65fef5f114716

SHA1
a49f288b1d9c3cf6173a88737a253e68a2b2dd32

SHA256
b25dd347b2d0bed1ba787da7f48131854b1934012e74936f88ef8fa4cce78b80

SHA512
0150f5384f0103bccb136dfc25b8cbec8e374056fdd0d886c51f3c6a0542812a7ab45d9b5d425574ef7518776d5b5e0ed1873b2c88b6b7743cb68b46c9805ce7

Download Submit
memory/1360-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1360-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1428-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-5-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3400-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-69-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3400-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3988-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads