c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
299s
max time network
305s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

safeinf.exe
Size

702KB
MD5

a0a45b5de3c04e4c659395857bee3ead
SHA1

bdf4e7315bddb3fa7ae86dda5049b30cdc648dea
SHA256

add92cb6047f2fb412dcbcb5a2d8ee7fad56091ccd6667105d977b010a33b561
SHA512

b8f3d847a19dc7615a9cbf30dfe6cbf344045e6f5510863ec9bbf1fdb171a146e1ffbc44cb7a5cb08862ed78b1bcee72f99d6e792b82f70f41494a0a0071d0da
SSDEEP

12288:dXmwRo+mv8QD4+0N46glpxInQMUmO+NWJUaS5plVvj9fOOIAxHfoeYJO/:dX48QE+UiK6P+YeXplpXIS/oXS

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

flashplayer.exeflashplayer.exeflashplayer.exeflashplayer.exe

pid process

2496 flashplayer.exe
2804 flashplayer.exe
2588 flashplayer.exe
2228 flashplayer.exe
Loads dropped DLL 5 IoCs

Processes:

safeinf.exeflashplayer.exeflashplayer.exe

pid process

1632 safeinf.exe
1632 safeinf.exe
2804 flashplayer.exe
2804 flashplayer.exe
2588 flashplayer.exe

pid	process
2496	flashplayer.exe
2804	flashplayer.exe
2588	flashplayer.exe
2228	flashplayer.exe

pid	process
1632	safeinf.exe
1632	safeinf.exe
2804	flashplayer.exe
2804	flashplayer.exe
2588	flashplayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

flashplayer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\flashplayer.exe"	flashplayer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

flashplayer.exeflashplayer.exe

description	pid	process	target process
PID 2496 set thread context of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2588 set thread context of 2228	2588	flashplayer.exe	flashplayer.exe

Drops file in Program Files directory 5 IoCs

Processes:

flashplayer.exesafeinf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\flashplayer.exe	flashplayer.exe
File created	C:\Program Files (x86)\TSIFJYXOFP.KAK	flashplayer.exe
File opened for modification	C:\Program Files (x86)\TSIFJYXOFP.KAK	flashplayer.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå òåõíîëîãèè ÐÔ\Àðõèâíûé âèäåî äîêóìåíò\flashplayer.exe	safeinf.exe
File created	C:\Program Files (x86)\flashplayer.exe	flashplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

safeinf.exeflashplayer.exeflashplayer.exeflashplayer.exeflashplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	safeinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashplayer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

flashplayer.exe

pid process

2804 flashplayer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

flashplayer.exeflashplayer.exe

pid process

2496 flashplayer.exe
2588 flashplayer.exe

pid	process
2804	flashplayer.exe

pid	process
2496	flashplayer.exe
2588	flashplayer.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

safeinf.exeflashplayer.exeflashplayer.exeflashplayer.exe

description	pid	process	target process
PID 1632 wrote to memory of 2496	1632	safeinf.exe	flashplayer.exe
PID 1632 wrote to memory of 2496	1632	safeinf.exe	flashplayer.exe
PID 1632 wrote to memory of 2496	1632	safeinf.exe	flashplayer.exe
PID 1632 wrote to memory of 2496	1632	safeinf.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2496 wrote to memory of 2804	2496	flashplayer.exe	flashplayer.exe
PID 2804 wrote to memory of 2588	2804	flashplayer.exe	flashplayer.exe
PID 2804 wrote to memory of 2588	2804	flashplayer.exe	flashplayer.exe
PID 2804 wrote to memory of 2588	2804	flashplayer.exe	flashplayer.exe
PID 2804 wrote to memory of 2588	2804	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe
PID 2588 wrote to memory of 2228	2588	flashplayer.exe	flashplayer.exe

C:\Users\Admin\AppData\Local\Temp\safeinf.exe
"C:\Users\Admin\AppData\Local\Temp\safeinf.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files (x86)\Èíôîðìàöèîííûå òåõíîëîãèè ÐÔ\Àðõèâíûé âèäåî äîêóìåíò\flashplayer.exe
  "C:\Program Files (x86)\Èíôîðìàöèîííûå òåõíîëîãèè ÐÔ\Àðõèâíûé âèäåî äîêóìåíò\flashplayer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Èíôîðìàöèîííûå òåõíîëîãèè ÐÔ\Àðõèâíûé âèäåî äîêóìåíò\flashplayer.exe
    "C:\Program Files (x86)\Èíôîðìàöèîííûå òåõíîëîãèè ÐÔ\Àðõèâíûé âèäåî äîêóìåíò\flashplayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\flashplayer.exe
      "C:\Users\Admin\AppData\Local\Temp\flashplayer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\flashplayer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\flashplayer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Èíôîðìàöèîííûå òåõíîëîãèè ÐÔ\Àðõèâíûé âèäåî äîêóìåíò\flashplayer.exe

Filesize
702KB

MD5
7d94eab0bb8f903dece55008ae664d05

SHA1
45681acbc90420ac79e2c3c8583edc18d0184e09

SHA256
bc50c7da476e517a6c5b0fbecf7d45a7da4b10f5692ae40fa3b5b35db6d36577

SHA512
bc33221f6fef7cee39b12cf6ea399c68e441dfb7519a1069d0cf5de1bd20d687d8e653a56ba1b7a01df16ac0f6486c003dd884252534140dce8409d6754fa503

Download Submit
memory/1632-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-62-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-71-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-63-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-80-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-48-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-52-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-53-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-54-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-56-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-57-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-58-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-59-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-60-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-61-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-79-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-65-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-66-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-67-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-68-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-69-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-70-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-64-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-72-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-73-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-74-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-75-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2228-76-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2804-27-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2804-23-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2804-26-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2804-38-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2804-25-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download