Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15-12-2024 20:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe
Resource
win7-20241010-en
windows7-x64
29 signatures
150 seconds
Behavioral task
behavioral2
Sample
25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
29 signatures
150 seconds
General
-
Target
25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe
-
Size
139KB
-
MD5
d6508a76d84af408cd1cd7dffb114172
-
SHA1
839f2eeab0324e4127d3b22a5b29068ad7616033
-
SHA256
25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb
-
SHA512
c131eed0767d715fa017475d2ac8881478a3d59d727da80902e53e847728ae8008a048a30ab2c29dfd5ee8d9ad8fcba2919f631030e528bc71f1ce0038e50a9e
-
SSDEEP
3072:KMQbfOJQ33f8PfJA+R4NvVwFmrtBjMG1fIo:KMKLnU3JAEwVwUrTvIo
Malware Config
Signatures
-
Floxif family
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M35728\\Ja855720bLay.com\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O53636Z\\TuxO53636Z.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M35728\\Ja855720bLay.com\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O53636Z\\TuxO53636Z.exe\"" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M35728\\Ja855720bLay.com\"" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O53636Z\\TuxO53636Z.exe\"" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M35728\\Ja855720bLay.com\"" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O53636Z\\TuxO53636Z.exe\"" smss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" service.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" service.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" EmangEloh.exe -
Detects Floxif payload 1 IoCs
resource yara_rule behavioral1/files/0x000c000000012262-2.dat floxif -
Disables RegEdit via registry modification 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" service.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" EmangEloh.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe service.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000c000000012262-2.dat acprotect -
Drops startup file 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd smss.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd service.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd winlogon.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd EmangEloh.exe -
Executes dropped EXE 4 IoCs
pid Process 2800 service.exe 2408 smss.exe 2072 EmangEloh.exe 2256 winlogon.exe -
Loads dropped DLL 22 IoCs
pid Process 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2800 service.exe 2792 arp.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2408 smss.exe 2660 arp.exe 2408 smss.exe 2188 arp.exe 2396 arp.exe 2804 arp.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2072 EmangEloh.exe 2072 EmangEloh.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2256 winlogon.exe 2256 winlogon.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T36Z163 = "C:\\Windows\\sa-754277.exe" EmangEloh.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1357277TT4 = "C:\\Windows\\system32\\116376534862l.exe" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T36Z163 = "C:\\Windows\\sa-754277.exe" service.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1357277TT4 = "C:\\Windows\\system32\\116376534862l.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T36Z163 = "C:\\Windows\\sa-754277.exe" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1357277TT4 = "C:\\Windows\\system32\\116376534862l.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T36Z163 = "C:\\Windows\\sa-754277.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1357277TT4 = "C:\\Windows\\system32\\116376534862l.exe" EmangEloh.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\e: EmangEloh.exe File opened (read-only) \??\h: EmangEloh.exe File opened (read-only) \??\o: EmangEloh.exe File opened (read-only) \??\h: service.exe File opened (read-only) \??\e: smss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\z: winlogon.exe File opened (read-only) \??\j: EmangEloh.exe File opened (read-only) \??\j: service.exe File opened (read-only) \??\s: service.exe File opened (read-only) \??\e: winlogon.exe File opened (read-only) \??\j: winlogon.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\p: service.exe File opened (read-only) \??\z: service.exe File opened (read-only) \??\p: winlogon.exe File opened (read-only) \??\t: winlogon.exe File opened (read-only) \??\e: service.exe File opened (read-only) \??\r: EmangEloh.exe File opened (read-only) \??\q: winlogon.exe File opened (read-only) \??\w: winlogon.exe File opened (read-only) \??\l: EmangEloh.exe File opened (read-only) \??\v: winlogon.exe File opened (read-only) \??\m: smss.exe File opened (read-only) \??\p: smss.exe File opened (read-only) \??\o: winlogon.exe File opened (read-only) \??\z: EmangEloh.exe File opened (read-only) \??\g: EmangEloh.exe File opened (read-only) \??\i: service.exe File opened (read-only) \??\r: smss.exe File opened (read-only) \??\x: smss.exe File opened (read-only) \??\y: winlogon.exe File opened (read-only) \??\u: winlogon.exe File opened (read-only) \??\g: service.exe File opened (read-only) \??\v: service.exe File opened (read-only) \??\w: service.exe File opened (read-only) \??\o: smss.exe File opened (read-only) \??\h: winlogon.exe File opened (read-only) \??\m: winlogon.exe File opened (read-only) \??\l: service.exe File opened (read-only) \??\i: smss.exe File opened (read-only) \??\z: smss.exe File opened (read-only) \??\s: winlogon.exe File opened (read-only) \??\i: winlogon.exe File opened (read-only) \??\v: EmangEloh.exe File opened (read-only) \??\q: service.exe File opened (read-only) \??\g: winlogon.exe File opened (read-only) \??\k: EmangEloh.exe File opened (read-only) \??\t: EmangEloh.exe File opened (read-only) \??\q: smss.exe File opened (read-only) \??\t: smss.exe File opened (read-only) \??\l: winlogon.exe File opened (read-only) \??\y: service.exe File opened (read-only) \??\h: smss.exe File opened (read-only) \??\l: smss.exe File opened (read-only) \??\k: service.exe File opened (read-only) \??\w: EmangEloh.exe File opened (read-only) \??\y: EmangEloh.exe File opened (read-only) \??\N: service.exe File opened (read-only) \??\o: service.exe File opened (read-only) \??\r: service.exe File opened (read-only) \??\u: smss.exe File opened (read-only) \??\v: smss.exe File opened (read-only) \??\N: EmangEloh.exe -
pid Process 1284 arp.exe 2756 arp.exe 2188 arp.exe 2912 arp.exe 2792 arp.exe 2396 arp.exe 2176 arp.exe 2660 arp.exe 2804 arp.exe -
Drops file in System32 directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll EmangEloh.exe File opened for modification \??\c:\Windows\SysWOW64\IME\shared\New mp3 BaraT !! .exe service.exe File opened for modification \??\c:\Windows\SysWOW64\IME\shared\Love Song .scr service.exe File opened for modification C:\Windows\SysWOW64\X50234go\Z116376cie.cmd service.exe File opened for modification C:\Windows\SysWOW64\116376534862l.exe service.exe File opened for modification C:\Windows\SysWOW64\X50234go\Z116376cie.cmd winlogon.exe File created C:\Windows\SysWOW64\116376534862l.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\116376534862l.exe winlogon.exe File created \??\c:\Windows\SysWOW64\IME\shared\New mp3 BaraT !! .exe service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File created C:\Windows\SysWOW64\X50234go\Z116376cie.cmd 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File created C:\Windows\SysWOW64\116376534862l.exe smss.exe File opened for modification C:\Windows\SysWOW64\116376534862l.exe EmangEloh.exe File created C:\Windows\SysWOW64\116376534862l.exe service.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll winlogon.exe File created C:\Windows\SysWOW64\116376534862l.exe 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File opened for modification C:\Windows\SysWOW64\116376534862l.exe 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\X50234go\Z116376cie.cmd smss.exe File opened for modification C:\Windows\SysWOW64\116376534862l.exe smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll service.exe File opened for modification C:\Windows\SysWOW64\X50234go\Z116376cie.cmd EmangEloh.exe File created C:\Windows\SysWOW64\116376534862l.exe EmangEloh.exe File created \??\c:\Windows\SysWOW64\IME\shared\Love Song .scr service.exe -
resource yara_rule behavioral1/files/0x000c000000012262-2.dat upx behavioral1/memory/2380-4-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2800-59-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2660-75-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-74-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2792-73-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2380-93-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2804-92-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2396-91-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2188-90-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2188-112-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2792-117-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2660-116-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2396-114-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2804-120-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2380-123-0x00000000042D0000-0x00000000042F3000-memory.dmp upx behavioral1/memory/2380-144-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2800-130-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-128-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-140-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-135-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-190-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2800-200-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-202-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-259-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-269-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2800-273-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-275-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-277-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-279-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2800-297-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-299-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-305-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-307-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2800-362-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-364-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-368-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-366-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-372-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-374-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-376-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-380-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-382-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-384-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2408-388-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2072-390-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2256-392-0x0000000010000000-0x0000000010033000-memory.dmp upx -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files\DVD Maker\Shared\RaHasIA .exe service.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\RaHasIA .exe service.exe File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Love Song .scr service.exe File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr service.exe File created C:\Program Files\Common Files\System\symsrv.dll 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Lagu - Server .scr service.exe File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr service.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\New mp3 BaraT !! .exe service.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\New mp3 BaraT !! .exe service.exe File created \??\c:\Program Files\Common Files\Microsoft Shared\Lagu - Server .scr service.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Love Song .scr service.exe File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Lagu - Server .scr service.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Lagu - Server .scr service.exe File created \??\c:\Program Files (x86)\Google\Update\Download\Titip Folder Jangan DiHapus .exe service.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\Titip Folder Jangan DiHapus .exe service.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\M35728\Ja855720bLay.com winlogon.exe File opened for modification C:\Windows\M35728\Ja855720bLay.com EmangEloh.exe File created C:\Windows\M35728\EmangEloh.exe winlogon.exe File opened for modification C:\Windows\[TheMoonlight].txt winlogon.exe File opened for modification \??\c:\Windows\Downloaded Program Files\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\SoftwareDistribution\Download\RaHasIA .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\Titip Folder Jangan DiHapus .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\Windows Vista setup .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\New mp3 BaraT !! .exe service.exe File created C:\Windows\Ti534862ta.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll service.exe File opened for modification C:\Windows\sa-754277.exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\TutoriaL HAcking .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\Lagu - Server .scr service.exe File created \??\c:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\Norman virus Control 5.18 .exe service.exe File opened for modification C:\Windows\system\msvbvm60.dll 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File created C:\Windows\Ti534862ta.exe winlogon.exe File opened for modification C:\Windows\Ti534862ta.exe winlogon.exe File opened for modification C:\Windows\system\msvbvm60.dll EmangEloh.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\Lagu - Server .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\TutoriaL HAcking .exe service.exe File created C:\Windows\M35728\EmangEloh.exe 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File opened for modification C:\Windows\Ti534862ta.exe smss.exe File opened for modification C:\Windows\M35728 service.exe File created C:\Windows\M35728\EmangEloh.exe service.exe File created C:\Windows\Ti534862ta.exe EmangEloh.exe File opened for modification C:\Windows\M35728\Ja855720bLay.com smss.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\Data DosenKu .exe service.exe File opened for modification C:\Windows\sa-754277.exe smss.exe File opened for modification C:\Windows\M35728\Ja855720bLay.com service.exe File created C:\Windows\[TheMoonlight].txt smss.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\Norman virus Control 5.18 .exe service.exe File created \??\c:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\TutoriaL HAcking .exe service.exe File opened for modification C:\Windows\Ti534862ta.exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\Norman virus Control 5.18 .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\Windows Vista setup .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\THe Best Ungu .scr service.exe File created C:\Windows\M35728\smss.exe smss.exe File created C:\Windows\M35728\Ja855720bLay.com smss.exe File created C:\Windows\M35728\smss.exe EmangEloh.exe File opened for modification \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Windows Vista setup .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\Blink 182 .exe service.exe File created C:\Windows\system\msvbvm60.dll 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File created C:\Windows\sa-754277.exe smss.exe File created \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Windows Vista setup .scr service.exe File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\Norman virus Control 5.18 .exe service.exe File opened for modification C:\Windows\M35728 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\Gallery .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\Windows Vista setup .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\TutoriaL HAcking .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\New mp3 BaraT !! .exe service.exe File created \??\c:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\New mp3 BaraT !! .exe service.exe File created C:\Windows\M35728\smss.exe 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File opened for modification C:\Windows\M35728\Ja855720bLay.com 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe File opened for modification C:\Windows\M35728 winlogon.exe File opened for modification C:\Windows\sa-754277.exe winlogon.exe File opened for modification C:\Windows\[TheMoonlight].txt EmangEloh.exe File created C:\Windows\M35728\EmangEloh.exe EmangEloh.exe File created \??\c:\Windows\Downloaded Program Files\New mp3 BaraT !! .exe service.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EmangEloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe -
Modifies registry class 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" winlogon.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2072 EmangEloh.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 464 Process not Found -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe Token: SeDebugPrivilege 2800 service.exe Token: SeDebugPrivilege 2408 smss.exe Token: SeDebugPrivilege 2660 arp.exe Token: SeDebugPrivilege 2792 arp.exe Token: SeDebugPrivilege 2396 arp.exe Token: SeDebugPrivilege 2188 arp.exe Token: SeDebugPrivilege 2804 arp.exe Token: SeDebugPrivilege 2072 EmangEloh.exe Token: SeDebugPrivilege 2256 winlogon.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 2408 smss.exe 2800 service.exe 2256 winlogon.exe 2072 EmangEloh.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1284 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 30 PID 2380 wrote to memory of 1284 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 30 PID 2380 wrote to memory of 1284 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 30 PID 2380 wrote to memory of 1284 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 30 PID 2380 wrote to memory of 2396 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 32 PID 2380 wrote to memory of 2396 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 32 PID 2380 wrote to memory of 2396 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 32 PID 2380 wrote to memory of 2396 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 32 PID 2380 wrote to memory of 2176 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 33 PID 2380 wrote to memory of 2176 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 33 PID 2380 wrote to memory of 2176 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 33 PID 2380 wrote to memory of 2176 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 33 PID 2380 wrote to memory of 2756 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 34 PID 2380 wrote to memory of 2756 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 34 PID 2380 wrote to memory of 2756 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 34 PID 2380 wrote to memory of 2756 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 34 PID 2380 wrote to memory of 2188 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 35 PID 2380 wrote to memory of 2188 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 35 PID 2380 wrote to memory of 2188 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 35 PID 2380 wrote to memory of 2188 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 35 PID 2380 wrote to memory of 2792 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 36 PID 2380 wrote to memory of 2792 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 36 PID 2380 wrote to memory of 2792 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 36 PID 2380 wrote to memory of 2792 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 36 PID 2380 wrote to memory of 2912 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 41 PID 2380 wrote to memory of 2912 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 41 PID 2380 wrote to memory of 2912 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 41 PID 2380 wrote to memory of 2912 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 41 PID 2380 wrote to memory of 2804 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 42 PID 2380 wrote to memory of 2804 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 42 PID 2380 wrote to memory of 2804 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 42 PID 2380 wrote to memory of 2804 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 42 PID 2380 wrote to memory of 2660 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 44 PID 2380 wrote to memory of 2660 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 44 PID 2380 wrote to memory of 2660 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 44 PID 2380 wrote to memory of 2660 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 44 PID 2380 wrote to memory of 2800 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 48 PID 2380 wrote to memory of 2800 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 48 PID 2380 wrote to memory of 2800 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 48 PID 2380 wrote to memory of 2800 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 48 PID 2380 wrote to memory of 2408 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 49 PID 2380 wrote to memory of 2408 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 49 PID 2380 wrote to memory of 2408 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 49 PID 2380 wrote to memory of 2408 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 49 PID 2380 wrote to memory of 2072 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 50 PID 2380 wrote to memory of 2072 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 50 PID 2380 wrote to memory of 2072 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 50 PID 2380 wrote to memory of 2072 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 50 PID 2380 wrote to memory of 2256 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 51 PID 2380 wrote to memory of 2256 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 51 PID 2380 wrote to memory of 2256 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 51 PID 2380 wrote to memory of 2256 2380 25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe 51
Processes
-
C:\Users\Admin\AppData\Local\Temp\25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe"C:\Users\Admin\AppData\Local\Temp\25f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\arp.exearp -a2⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:1284
-
-
C:\Windows\SysWOW64\arp.exearp -s 10.127.0.1 54-e2-f6-db-65-c72⤵
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\SysWOW64\arp.exearp -s 10.127.255.255 a7-47-fb-10-93-902⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2176
-
-
C:\Windows\SysWOW64\arp.exearp -s 154.61.71.51 dd-eb-68-31-51-6e2⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2756
-
-
C:\Windows\SysWOW64\arp.exearp -s 224.0.0.22 ca-c4-64-b5-4b-c32⤵
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Windows\SysWOW64\arp.exearp -s 224.0.0.251 20-af-65-a5-c4-f12⤵
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
C:\Windows\SysWOW64\arp.exearp -s 224.0.0.252 ea-c3-3d-1d-e7-102⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\SysWOW64\arp.exearp -s 239.255.255.250 2a-4e-9d-9f-2c-fa2⤵
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Windows\SysWOW64\arp.exearp -s 255.255.255.255 02-40-c4-59-c5-fc2⤵
- Loads dropped DLL
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O53636Z\service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O53636Z\service.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Windows\M35728\smss.exe"C:\Windows\M35728\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2408
-
-
C:\Windows\M35728\EmangEloh.exe"C:\Windows\M35728\EmangEloh.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2072
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O53636Z\winlogon.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O53636Z\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2256
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
139KB
MD5d6508a76d84af408cd1cd7dffb114172
SHA1839f2eeab0324e4127d3b22a5b29068ad7616033
SHA25625f991d45930652cd1cb9b344f43954a24087940e99ac05d183d3f282cf313fb
SHA512c131eed0767d715fa017475d2ac8881478a3d59d727da80902e53e847728ae8008a048a30ab2c29dfd5ee8d9ad8fcba2919f631030e528bc71f1ce0038e50a9e
-
Filesize
109B
MD568c7836c8ff19e87ca33a7959a2bdff5
SHA1cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA5123656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.3MB
MD577d7f1d5cc52f1a672bb35e4d7c31549
SHA1fb34f32306a653d3156964ca8f1c0c5d3fb4b8d9
SHA256acb0875385a237b0ad07323c4ca081df88c6649efe1b805817dc8ab91a07f22b
SHA512361f43a62253558c9fe5d31446bdc340922a0d5c870e716b2c22d5c4b1b95ade64a6d953ab54ad6090895a14ed081ddf98cff0d2fd244a2f8f84b8e7e439414c
-
Filesize
71KB
MD51458e1451cf701b363c99cfb81317789
SHA10dc90bc9a49f5d973e1649c0db09087ef3e0bb3f
SHA256ace427ef87c8c1a9457e122c787d0b0c3b5a04d45f6df4d9a337e215def47c13
SHA512b9ac9af373a93c6db20000bfe4d8c85a9df0c97a15d4989501f719a84f0cef2b72d3697a9a8b927b1cdc9a687cde6f1603fc9e5ba6bc4f63d461a8fadfd67e34
-
Filesize
59KB
MD500bab82a8c391d7fd51c4c6a550b1dac
SHA147a37f6af7baccedfc6898161ea25171496a9fb9
SHA256a18fe7f2aa757c497721335225e00bb1b9c3f7ecea167fa9f9a3426a9d2b86fa
SHA5127f8f74b7d6ba0f6e9ceadd00420f809080d91ce646ffb87b90572bcb5148abd552986f8300cec741ffcf72dfc3e611d25490aced8587d607158044b71d4e89c0