Resubmissions
07-12-2024 20:25
241207-y7mtmsxldk 10Analysis
-
max time kernel
85s -
max time network
60s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
07-12-2024 20:25
General
-
Target
flash_decompiler.exe
-
Size
26.9MB
-
MD5
3ccc94c98531d1389f3d1ed06d64f081
-
SHA1
dfbd71b2f0c9b2af5a643f597b04d1d933ff71a0
-
SHA256
8702aca7ecd0552f596d6af97c397ffead6302182d8c87ae8dd3feea9dd8a5b4
-
SHA512
8563141763b22da9e790ed49544f10a6cb52dbdcebb8082cb8997ebb966c949e88c64be7e260b84df4f5d8079fc270b95912d84b7433af60003b70fdedc75398
-
SSDEEP
786432:wa0DgoQ4T3vo3YcjGC8qq7ABxE9RUUuCS8G:waygoZTkjG0BxOZG
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Banload family
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 23 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Drops file in System32 directory 15 IoCs
-
Drops file in Program Files directory 39 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 24 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp"C:\Users\Admin\AppData\Local\Temp\is-BRJHE.tmp\flash_decompiler.tmp" /SL5="$50228,27643739,119296,C:\Users\Admin\AppData\Local\Temp\flash_decompiler.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\tools\install_flash_player_14_active_x.exe" /install3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe"C:\Users\Admin\AppData\Local\Temp\{072742B8-6E1B-4140-97D3-91292A8A79D9}\InstallFlashPlayer.exe" -install -skipARPEntry -iv 1 -au 42949672954⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Network Service Discovery
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -install4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"C:\Program Files (x86)\Eltima Software\Flash Decompiler Trillix\FlashDecompiler.exe"2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004841⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5b4715ca0f9f08fde8c82ffb89b455460
SHA1c789d6a8f4b0dae97ebda5b99af7bf1a337882aa
SHA25600b4e9748dfbdecca3bb3500768bb5e26d7de06ba81050ff0abec35e57517a45
SHA512961dfd1652b828a7d2e6940908b237adc93559f6f2048026b62bcd46ca38cc0d8d06dacfdaffa381236ddc787a90ce0b5d7f82793474778f494c60b431b6b61f
-
Filesize
6.2MB
MD5180990e3ecf117281e5f270700ce9f07
SHA1b6c27f55dd4b45f62d21db2030f5d5f1b78c89ba
SHA256bb476cc25abd354478005d594c25ea61cf1f9b7dee977c9873aae0f128cd47da
SHA512f2e5a8c3a763338be61b1f647410bcb68aa0be0c9e1e8546cca21153f2defe1b11baa650e129edf1649f47a8c3ebf3ecc9699591555971c92795323fa265d5c6
-
Filesize
2.7MB
MD57ce4c8d8c43dadebee3a83d9e4aa37b9
SHA19e8ee1a9be72dc03fce99316253ddb9e8b42f279
SHA2560fb7a0e27e5b6aca0fb04d6161c43d8ffb9f3e7c0d9c416b308c1a58ef7ac0aa
SHA5120b21cd8b7c3b92101ec11236d7e3f68ddccf23b317bca1854849d34e67469e349c8a75ecc6b978bc046fcd70270f3125c6eacdd12dea09c042edd536a4c8a123
-
Filesize
630KB
MD55903c75593c744acd1c49d290bb24fe1
SHA113014411f3d6d16926c96fdd6e89253ed55ba250
SHA256a974a051e8d26dbe0a672e710f9b3ab71d1407580301fa7d64d35eef96cd7056
SHA512201e820fc80c8d2f44ac0483b91bb40383cef534a692c85872142b7b39ea29bf85151b13a41d5d97a10767facc8e9f8a49e333daee43a73a7d0f815b6362ee4b
-
Filesize
99KB
MD5d7cfb561dc0170a3db0c9352b31a06f2
SHA184f0ee0f528fd2368951430a7ad63dc441963e45
SHA256a23151c333250549de42b83c6aff06c0880ed829331c9cafa158d1b39a4c58ff
SHA512eb541e663ed6ab9ee41ad7ea16997d63b1b586d3b78a7a9d4bc78f651dbdd5b5263f3b39c0dc85736cdd67d150739872a87511bfdd45ac120c9297bfffb3b6df
-
Filesize
286KB
MD50a9b1ff3db39aeba0ba1ce1eca3bc62b
SHA13d21ec0d2ffe3a5b122cc165f34067c45ef5a126
SHA256ca6af76acd53124c033648369d31268723398d5c3422113fc59e9dc630d17f91
SHA512a4cd4f513db67c48e8eb1ade323302430a11285e8e3b90b0c4394bc63bd9957373ad0d64bca2458cec8a0c5edfcf57459fc378dcded2e22e9468c1e2d34d8a6d
-
Filesize
151KB
MD5c9ea8c737889cd4f87b72b06239d4a4f
SHA1b6dae6ac26725f3e23fd2f184c490a8dd489bc42
SHA256513381fbbd4950c172699070af6a45c8c3193488e26202e33df4397f45816730
SHA512bc999121aac043d445a21fe4d18d8122dc46ae9c672c647f773d9d9dfc10a00a2735616706c75363d0ec52a9731434221a695fc5b94e49b850d88112e6601489
-
Filesize
17.7MB
MD5f84400792447ebf6adaa615bcf149eb5
SHA116231b509d8e689dc34ae36597d41c4fb1b3a67e
SHA256cb3043490ce4bf1210098746af8be5a19e7a6d5ae153d34636efbe4bf9af3ef8
SHA512edf5193b6058c949766d545e7fad87db03fd1eaed5e9d75caed4bbda13ec560a67957391930e582c82c9005023db73585e722b6bc31f9fb0d36cb903be8a7efe
-
Filesize
811KB
MD539a58b195a0c0c3fc7fa104e9e8ff2fa
SHA10da735a8d3db03b405ccf5ab0ebea5827cf4a564
SHA25607e0e16492f4a8bff66b92622062c4950b05a64c879731523d643bbc0b94d78a
SHA5129ade4be4618353500cb05c372668d56a941eb8a3aac7348df684d3362fd0e508dbabe8bf78dddafe90b99be0ca90a0990005d41f5a5726c2dc57a6bc5958d5e7
-
Filesize
535KB
MD527ee9e17cb9c15d526e81c2a5e4f3524
SHA103ab26767124533b11ae46eca68ae861c32d0b5f
SHA25672c39bda39402e786a1e77043435758c4742d43dd84dbf839b5bbffc5f4c56e4
SHA51298e89b84782318f5fc771b73fd804664770fbdba4018ebd1bd78b89346a29d1988b490b2703f72bf7650f1065136aec142a16bd452615fe089527eaab18d02af
-
Filesize
60B
MD535e1ba488afb8750e88202c2725276c7
SHA1542113bc9038aaf39ae80026d732b3bdbe10db37
SHA256362b352cab09d9ab37d5558e8283652e747be017369d05b5a517a61765ccaf34
SHA512bb72bafd23d82be55fad592fefcb367b128b8d2ac4ebb706af093b5d1b8513d4bcb4b25c2b088f6e025e550f0944edd972fb6d0f0c4c57bc119e66bbb653b4b0
-
Filesize
55B
MD56f4a6f22eb4e1d9c0af83b8e413e88b8
SHA1aae506ed4366c5490c6acd9f7a466f135111d743
SHA2567f21b4b275cf9d504c05ad6eb3b0cd26e499980d0dba4e52cfc09bd838c1871b
SHA512e7b8a572ba0aacc00ad98517ad1fd84bf30cd09f3ebd3ed66b13bcba24dc95833a537e3b2d8ed9bd4387187aedec20dd14e0da03dc2c598705992e669bd4fa8b
-
Filesize
146B
MD59a6105db95a1f696dde644892a6c37f6
SHA17e3c3ea52d2239d9535eed58b1a9faebad56742e
SHA256faec55ed22d3f68f913dd61be99ab24649de6a5e8d899a363df29c14ee1777d8
SHA512a82e85c32ac7ee8f04ca3276794f12d55b5806dba4ca471923472d5fd15a0d539b2f748e626a1e5d776e197e2a9af71d40dfa792d78ad115402345857effc8d2
-
Filesize
146B
MD56eb7b17abd9b9ce9209a820209e643c4
SHA114942a2b7af3d2a7f767712778699bb0007851a7
SHA256ab6d6162c9cccca1fdbfcb68511fc6852ba6d300daf25006dc0e3369956273fb
SHA51293cd7613f937dd7a5a9b9da6a4ab4a70a1c940eaf2d84efe1d2ce6b49fc400edadeacb1b0102d971ae575cad88bf56acab19ce08684f8b9765b7a61dbc7cc614
-
Filesize
146B
MD53b0d922ebbcf98dc56ba0bbc47c957a3
SHA1e646bb5b28dd27ba7cdca8001ac1ca23d2da93df
SHA256c40467a1eee6fda91bba0497995adf731549e4b1e0686672675525ac8445b904
SHA512a99b661565a30c8c98e097309c96a066ccc8868ed411f4c0a28c5744267e2e7274be4e8f457e77f5acea2b84cfdf1ba98ceb6f664e4d3b99a60f784f5ca47fbe
-
Filesize
146B
MD59557bcb8d2bad82b11cf78c0e5e0ad8f
SHA1db36dc3c03f373ed167c44f9676ed2e1be48320f
SHA2564a318bdf83e3575aae0167ba400c286aef79456f4b568fc4415a46ebfadb301f
SHA5126fa4f0c153b65e0dc08ff7d04e86f2d77c78f6a1e8289061847bb1ff1429600c3ebb9ee26a908ffd16c7014394eef50fcd34662a1680102d4331d4ec80931ba4
-
Filesize
146B
MD5aaef029536c13a35d304cdf49a9e805a
SHA11085c23fb8d1c53598b9cd5fe4f7723e418279d0
SHA256bde6f71972446a2b4b9da1c764c50a87a428ff899d4b224d95ef880dc50e0309
SHA512dbdb6056a87138bf8d0476c4751aa2ceb5fdb3ed376cf6001acdb6df07b573e2000c433778cd6a6f33f0abf3c4d24daf8c2cfa864c73b41525f607f04c59ed4e
-
Filesize
146B
MD58a306cd59357e2fe1c530925db78fa78
SHA1e7728b88b7eb579e9949c0010ad5f42052276548
SHA256bb7b720355e32bf300e912ae5bbfc82fc05747bc7dd65f356b49113d57a8e788
SHA512d214ca3c0bcbeaa3f43d5873304d76f43723365a4d884d9a7ff48f9fb50bf66b44388e0991eb04c3a1e4ec7b036814f954ac3800c22231814c6d813deafd48f2
-
Filesize
1.1MB
MD5c9cf73dd30f17a16fdc1c96aea79c75d
SHA173572ec70cc6dbe8096da804c1d1e7fb3cc0baab
SHA256ba46791872b52dd5b8669c60e3b0ed77b3c9fac4c12c228130bad6db6c3380f9
SHA512e1fd8a1d65c60dedcfdcb10cf028fab51e96a8dc6442f7af5073a86a1373dd30b6e35f4e6c64d590ca0131de5146500cde00f2b72927fd48e7b835a47fa0e942
-
Filesize
8.9MB
MD5734b50e3625e44791d0cb607422c2a85
SHA188ba4d5b9e5a01714ae85b82c3c6ec73833ccfbf
SHA2563fd01a451c76e699b4e87dfd29d8fb84800eebddcd3c2976691193947fab9467
SHA5128ccc2e973b88b4dbab531a59c1298b7ee49a78e1dac1aad6bb2f4b5489356fb3bc3d53ef779d4b22c97462e4e1af6f03d4d4e38b9a7738ead389920e5c62a77f
-
Filesize
501KB
MD57805e5fd154a06c713fe9c6e3d4f02c9
SHA1757b51d549a72a6157bcef7cbed38058c303c61c
SHA2562d40a95b58ca7db3b11a7b73079e856074c3fd76c4e0f9d7c2741c5ecadd242e
SHA51236201753349b94d5216bd56f2b2af240544654c4c3def195dfae74efe5b893cae25e6653d831be18c03b98a67f8413c3b607200ee9b4562a5f4d4ccaea7bbde4
-
Filesize
525KB
MD59d08e472e123b7701e90ca38168a8fb5
SHA13811ca63a36ea3128e50ab16edcf126f238b20a7
SHA256c14c86a7b7b3b72644b9cd212ccc128e0a0a34dd20dc7d0a4d4fc8580dd36ade
SHA5129341850fe1ba838dd54f4c985679f90dfd804c1149c85dce1a362dd7ebc8b336f448ca02d30bad4d91ba22f43b00e975e1d6551bf3329f27afc7dae571cf5e90
-
Filesize
553KB
MD569a24367f48f7984a5b343551a171072
SHA1082182f7419175e62f28bf18f97210a1e0117fe1
SHA2566ac3e542dfb2b06fcb7771211e9c392e72bbe690982cb4cbdd810949587b2c42
SHA512ef8b50ba4fc402b92b4c14e1e259c861c8da26e0e2be61b3275fefb2cd6e66362cb81d8cd989bb41496e6641977da4c7c05031f2055ecffdba9eaa23c6203ed3
-
Filesize
831KB
MD5e23251f56bd9de8dd18a8d68885dab78
SHA184358654fd43202d39c342cc394f3dc88fcabe03
SHA25691d6e2237a156e502c4f2041ca3ff38d769b2003384cdfaa51f227f3e9b5ab25
SHA51232f45ee1217aef553b11584212e15b73fbe04a2aece882d1cd2b39b0232160ffd42958d7f0d4c7d6b8efeec41af550ac53d3c39a08f1af36ecd419d40dc521d4
-
Filesize
16.3MB
MD5224abf3a6e87b978da13457246f3089b
SHA1a3702389e1dba21ecc408c352feee32e2afa6deb
SHA25689fac246784237bb1af6944883eefba6d9475fd824595bcde57743ddac918511
SHA51210740e3a6b3343f6db89eda8d186afb54127bd7fcb8b4b0c750fecbb6fc7a05b466c358373ce80b0b135a6988fa431996abeff4ba792efe97c7013f9b40ed5f6
-
Filesize
256KB
MD59e5197d65ba34a4db45b8befc3288c23
SHA1e7a6227ee35d0e7a559bee8431ac9951526f7936
SHA256ebbe6126b6b73616032f8e1731642e35c6cb6b395ef74bccb781cae076ee8434
SHA512e3e350b973f18d711dd02c53cf10be6cff82b593c96d54809595ecfad6cbd080734e0f59144ee107115897c753c57010f13ecf175b73b5bbb3e711e924009216
-
Filesize
1.5MB
MD5d3df1022c8caacba253ebfb4eb593a66
SHA11720b3dd6004c8240e657147341bb7e6d07134e6
SHA25626e2b59d2b3df2db5e95e17a29e5a7a9968a188cea67c956d804fd94f0a5dafb
SHA51216bc1e0cd7e7bdbbb3212e4b7a76f3d6ef9c2b77a258110caf6c083d84a080ccf458056e0678f68581ccdc0840ae85d188b58dc40c143fd3ea348b26a3beffc8
-
Filesize
22.6MB
MD52d70c6bfe45293ad77679b597d48dc8f
SHA14179ce679fdc31ac4a1210f294b6c7b885b0764d
SHA25688efae613403eb3979eb6eaa148bd50bd9b5f70a1b64f53625cb1c0917ad999a
SHA51252f26b09485e97f305b5ad5707db5283cb3275ad0f8684b205995591e1e1ac5e6bf6edffa90d940da1938fd61621d815b3b8e6bb2e9debcdc73cebf5ab2a4cad
-
Filesize
5.8MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
1.4MB
-
Filesize
17.4MB
-
Filesize
856KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
17.4MB
-
Filesize
5.8MB
-
Filesize
17.4MB
-
Filesize
1.4MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
152KB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
1.4MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
1.4MB
-
Filesize
5.8MB
-
Filesize
5.8MB
-
Filesize
152KB
-
Filesize
1.4MB
-
Filesize
17.4MB
-
Filesize
1.4MB
-
Filesize
17.4MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
23.5MB
-
Filesize
17.4MB
-
Filesize
17.4MB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
68KB