Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/12/2024, 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
Resource
win7-20240903-en
windows7-x64
28 signatures
120 seconds
Behavioral task
behavioral2
Sample
4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
29 signatures
120 seconds
General
-
Target
4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
-
Size
147KB
-
MD5
84258a1a91ec3a19670b5a4fa3488320
-
SHA1
97bb1a0a25487979a5fd44b2f06fff2d34b11699
-
SHA256
4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756
-
SHA512
f2e4346f572745118ce38f221c058a6419d4e1cb8af2f640773c5867a6883152fc81e500e6c060529cfb82138b852f8a25e12de37ee1e190398105034fc276bf
-
SSDEEP
3072:rkSY60bf9KlHF3w9BKJQ33f8PfJA+R4NvVwFmrtBjT1fIU:dYXUP3wLPnU3JAEwVwUrTFIU
Malware Config
Signatures
-
Floxif family
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M71373\\Ja401375bLay.com\"" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O18281Z\\TuxO18281Z.exe\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M71373\\Ja401375bLay.com\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O18281Z\\TuxO18281Z.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M71373\\Ja401375bLay.com\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O18281Z\\TuxO18281Z.exe\"" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M71373\\Ja401375bLay.com\"" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O18281Z\\TuxO18281Z.exe\"" service.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" service.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" service.exe -
Detects Floxif payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000012118-2.dat floxif -
Disables RegEdit via registry modification 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" EmangEloh.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" service.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe winlogon.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0007000000012118-2.dat acprotect -
Drops startup file 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd EmangEloh.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd winlogon.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd smss.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd service.exe -
Executes dropped EXE 4 IoCs
pid Process 2920 service.exe 1196 smss.exe 1620 EmangEloh.exe 2980 winlogon.exe -
Loads dropped DLL 14 IoCs
pid Process 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 2920 service.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1196 smss.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1620 EmangEloh.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 2980 winlogon.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1713733TT4 = "C:\\Windows\\system32\\562732180417l.exe" service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T81Z627 = "C:\\Windows\\sa-310733.exe" service.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1713733TT4 = "C:\\Windows\\system32\\562732180417l.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T81Z627 = "C:\\Windows\\sa-310733.exe" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1713733TT4 = "C:\\Windows\\system32\\562732180417l.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T81Z627 = "C:\\Windows\\sa-310733.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1713733TT4 = "C:\\Windows\\system32\\562732180417l.exe" EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T81Z627 = "C:\\Windows\\sa-310733.exe" EmangEloh.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\h: smss.exe File opened (read-only) \??\l: smss.exe File opened (read-only) \??\N: service.exe File opened (read-only) \??\s: winlogon.exe File opened (read-only) \??\z: winlogon.exe File opened (read-only) \??\v: service.exe File opened (read-only) \??\u: EmangEloh.exe File opened (read-only) \??\l: service.exe File opened (read-only) \??\u: smss.exe File opened (read-only) \??\i: EmangEloh.exe File opened (read-only) \??\o: EmangEloh.exe File opened (read-only) \??\p: service.exe File opened (read-only) \??\i: smss.exe File opened (read-only) \??\o: smss.exe File opened (read-only) \??\t: smss.exe File opened (read-only) \??\l: EmangEloh.exe File opened (read-only) \??\g: service.exe File opened (read-only) \??\t: service.exe File opened (read-only) \??\p: smss.exe File opened (read-only) \??\j: EmangEloh.exe File opened (read-only) \??\w: EmangEloh.exe File opened (read-only) \??\h: winlogon.exe File opened (read-only) \??\m: winlogon.exe File opened (read-only) \??\p: winlogon.exe File opened (read-only) \??\z: service.exe File opened (read-only) \??\q: smss.exe File opened (read-only) \??\w: smss.exe File opened (read-only) \??\e: EmangEloh.exe File opened (read-only) \??\p: EmangEloh.exe File opened (read-only) \??\t: EmangEloh.exe File opened (read-only) \??\x: EmangEloh.exe File opened (read-only) \??\i: winlogon.exe File opened (read-only) \??\e: smss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\v: EmangEloh.exe File opened (read-only) \??\t: winlogon.exe File opened (read-only) \??\s: service.exe File opened (read-only) \??\u: service.exe File opened (read-only) \??\m: EmangEloh.exe File opened (read-only) \??\s: EmangEloh.exe File opened (read-only) \??\j: winlogon.exe File opened (read-only) \??\v: winlogon.exe File opened (read-only) \??\k: smss.exe File opened (read-only) \??\v: smss.exe File opened (read-only) \??\g: EmangEloh.exe File opened (read-only) \??\y: EmangEloh.exe File opened (read-only) \??\x: winlogon.exe File opened (read-only) \??\k: service.exe File opened (read-only) \??\o: service.exe File opened (read-only) \??\z: smss.exe File opened (read-only) \??\e: winlogon.exe File opened (read-only) \??\r: winlogon.exe File opened (read-only) \??\w: winlogon.exe File opened (read-only) \??\e: service.exe File opened (read-only) \??\w: service.exe File opened (read-only) \??\y: winlogon.exe File opened (read-only) \??\j: smss.exe File opened (read-only) \??\m: smss.exe File opened (read-only) \??\r: smss.exe File opened (read-only) \??\y: smss.exe File opened (read-only) \??\N: EmangEloh.exe File opened (read-only) \??\o: winlogon.exe File opened (read-only) \??\u: winlogon.exe File opened (read-only) \??\i: service.exe -
pid Process 2924 arp.exe 2556 arp.exe 2124 arp.exe 1648 arp.exe 1520 arp.exe 2664 arp.exe 2496 arp.exe 2768 arp.exe 2232 arp.exe -
Drops file in System32 directory 24 IoCs
description ioc Process File created C:\Windows\SysWOW64\562732180417l.exe service.exe File opened for modification C:\Windows\SysWOW64\X15780go\Z562732cie.cmd EmangEloh.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll winlogon.exe File opened for modification C:\Windows\SysWOW64\X15780go\Z562732cie.cmd winlogon.exe File opened for modification C:\Windows\SysWOW64\562732180417l.exe 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\X15780go\Z562732cie.cmd smss.exe File opened for modification C:\Windows\SysWOW64\X15780go\Z562732cie.cmd service.exe File opened for modification \??\c:\Windows\SysWOW64\IME\shared\Windows Vista setup .scr service.exe File created \??\c:\Windows\SysWOW64\IME\shared\Windows Vista setup .scr service.exe File opened for modification \??\c:\Windows\SysWOW64\IME\shared\New mp3 BaraT !! .exe service.exe File created C:\Windows\SysWOW64\562732180417l.exe 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File created C:\Windows\SysWOW64\562732180417l.exe EmangEloh.exe File created C:\Windows\SysWOW64\562732180417l.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\562732180417l.exe EmangEloh.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File created C:\Windows\SysWOW64\562732180417l.exe smss.exe File opened for modification C:\Windows\SysWOW64\562732180417l.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll EmangEloh.exe File created \??\c:\Windows\SysWOW64\IME\shared\New mp3 BaraT !! .exe service.exe File created C:\Windows\SysWOW64\X15780go\Z562732cie.cmd 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File opened for modification C:\Windows\SysWOW64\562732180417l.exe smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll service.exe File opened for modification C:\Windows\SysWOW64\562732180417l.exe service.exe -
resource yara_rule behavioral1/memory/1968-4-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/files/0x0007000000012118-2.dat upx behavioral1/memory/1196-72-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-69-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-107-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2980-112-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1968-115-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1968-106-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-234-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-235-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-256-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2980-277-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-302-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-300-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-322-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2980-326-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-324-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-320-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-374-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2980-380-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-378-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-376-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-426-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-428-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-430-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2980-432-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-458-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-456-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-460-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2980-462-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-508-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-510-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-512-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2980-514-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/2920-560-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-562-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-564-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1196-592-0x0000000010000000-0x0000000010033000-memory.dmp upx behavioral1/memory/1620-594-0x0000000010000000-0x0000000010033000-memory.dmp upx -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files (x86)\Common Files\microsoft shared\THe Best Ungu .scr service.exe File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\THe Best Ungu .scr service.exe File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr service.exe File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr service.exe File created \??\c:\Program Files\Common Files\Microsoft Shared\Lagu - Server .scr service.exe File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Lagu - Server .scr service.exe File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe service.exe File created \??\c:\Program Files (x86)\Google\Update\Download\Love Song .scr service.exe File created C:\Program Files\Common Files\System\symsrv.dll 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File opened for modification \??\c:\Program Files\DVD Maker\Shared\Love Song .scr service.exe File created \??\c:\Program Files\DVD Maker\Shared\Love Song .scr service.exe File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\Love Song .scr service.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\TutoriaL HAcking .exe service.exe File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\RaHasIA .exe service.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\TutoriaL HAcking .exe service.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\M71373\smss.exe 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File created C:\Windows\sa-310733.exe 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File opened for modification C:\Windows\sa-310733.exe 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File created C:\Windows\sa-310733.exe winlogon.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\Data DosenKu .exe service.exe File created \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\Lagu - Server .scr service.exe File created C:\Windows\sa-310733.exe smss.exe File created C:\Windows\M71373\Ja401375bLay.com smss.exe File opened for modification C:\Windows\M71373\Ja401375bLay.com winlogon.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\TutoriaL HAcking .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\New mp3 BaraT !! .exe service.exe File created C:\Windows\Ti180417ta.exe winlogon.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\Gallery .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\THe Best Ungu .scr service.exe File opened for modification C:\Windows\M71373\EmangEloh.exe service.exe File opened for modification C:\Windows\[TheMoonlight].txt winlogon.exe File opened for modification C:\Windows\Ti180417ta.exe EmangEloh.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\Gallery .scr service.exe File created \??\c:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\Data DosenKu .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\Lagu - Server .scr service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\Love Song .scr service.exe File created C:\Windows\Ti180417ta.exe smss.exe File opened for modification C:\Windows\Ti180417ta.exe smss.exe File created C:\Windows\M71373\EmangEloh.exe service.exe File created \??\c:\Windows\Downloaded Program Files\Love Song .scr service.exe File opened for modification \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\Titip Folder Jangan DiHapus .exe service.exe File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Blink 182 .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\THe Best Ungu .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\Gallery .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\RaHasIA .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\Blink 182 .exe service.exe File opened for modification C:\Windows\M71373 service.exe File opened for modification C:\Windows\M71373 EmangEloh.exe File created C:\Windows\M71373\EmangEloh.exe EmangEloh.exe File opened for modification C:\Windows\M71373\Ja401375bLay.com EmangEloh.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\RaHasIA .exe service.exe File opened for modification C:\Windows\system\msvbvm60.dll 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File created C:\Windows\M71373\EmangEloh.exe winlogon.exe File opened for modification C:\Windows\[TheMoonlight].txt service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\Titip Folder Jangan DiHapus .exe service.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\Lagu - Server .scr service.exe File created \??\c:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\Blink 182 .exe service.exe File created C:\Windows\M71373\EmangEloh.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll service.exe File created C:\Windows\sa-310733.exe service.exe File opened for modification C:\Windows\system\msvbvm60.dll EmangEloh.exe File opened for modification \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Titip Folder Jangan DiHapus .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\Blink 182 .exe service.exe File opened for modification C:\Windows\M71373\Ja401375bLay.com smss.exe File created C:\Windows\Ti180417ta.exe service.exe File opened for modification C:\Windows\M71373\EmangEloh.exe winlogon.exe File created \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Norman virus Control 5.18 .exe service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\Titip Folder Jangan DiHapus .exe service.exe File created C:\Windows\M71373\EmangEloh.exe 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File opened for modification C:\Windows\M71373 winlogon.exe File opened for modification C:\Windows\system\msvbvm60.dll winlogon.exe File created \??\c:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\Titip Folder Jangan DiHapus .exe service.exe File opened for modification C:\Windows\M71373 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe File created \??\c:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\Windows Vista setup .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\Lagu - Server .scr service.exe File created \??\c:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\Love Song .scr service.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EmangEloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language arp.exe -
Modifies registry class 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile EmangEloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" EmangEloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile service.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" service.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile smss.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2920 service.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe Token: SeDebugPrivilege 2920 service.exe Token: SeDebugPrivilege 1196 smss.exe Token: SeDebugPrivilege 1620 EmangEloh.exe Token: SeDebugPrivilege 2980 winlogon.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 1196 smss.exe 2920 service.exe 1620 EmangEloh.exe 2980 winlogon.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 1968 wrote to memory of 2664 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 30 PID 1968 wrote to memory of 2664 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 30 PID 1968 wrote to memory of 2664 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 30 PID 1968 wrote to memory of 2664 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 30 PID 1968 wrote to memory of 2924 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 32 PID 1968 wrote to memory of 2924 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 32 PID 1968 wrote to memory of 2924 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 32 PID 1968 wrote to memory of 2924 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 32 PID 1968 wrote to memory of 2496 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 33 PID 1968 wrote to memory of 2496 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 33 PID 1968 wrote to memory of 2496 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 33 PID 1968 wrote to memory of 2496 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 33 PID 1968 wrote to memory of 1520 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 35 PID 1968 wrote to memory of 1520 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 35 PID 1968 wrote to memory of 1520 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 35 PID 1968 wrote to memory of 1520 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 35 PID 1968 wrote to memory of 2556 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 37 PID 1968 wrote to memory of 2556 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 37 PID 1968 wrote to memory of 2556 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 37 PID 1968 wrote to memory of 2556 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 37 PID 1968 wrote to memory of 2768 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 39 PID 1968 wrote to memory of 2768 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 39 PID 1968 wrote to memory of 2768 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 39 PID 1968 wrote to memory of 2768 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 39 PID 1968 wrote to memory of 1648 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 40 PID 1968 wrote to memory of 1648 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 40 PID 1968 wrote to memory of 1648 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 40 PID 1968 wrote to memory of 1648 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 40 PID 1968 wrote to memory of 2232 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 43 PID 1968 wrote to memory of 2232 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 43 PID 1968 wrote to memory of 2232 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 43 PID 1968 wrote to memory of 2232 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 43 PID 1968 wrote to memory of 2124 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 44 PID 1968 wrote to memory of 2124 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 44 PID 1968 wrote to memory of 2124 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 44 PID 1968 wrote to memory of 2124 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 44 PID 1968 wrote to memory of 2920 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 48 PID 1968 wrote to memory of 2920 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 48 PID 1968 wrote to memory of 2920 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 48 PID 1968 wrote to memory of 2920 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 48 PID 1968 wrote to memory of 1196 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 49 PID 1968 wrote to memory of 1196 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 49 PID 1968 wrote to memory of 1196 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 49 PID 1968 wrote to memory of 1196 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 49 PID 1968 wrote to memory of 1620 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 50 PID 1968 wrote to memory of 1620 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 50 PID 1968 wrote to memory of 1620 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 50 PID 1968 wrote to memory of 1620 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 50 PID 1968 wrote to memory of 2980 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 51 PID 1968 wrote to memory of 2980 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 51 PID 1968 wrote to memory of 2980 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 51 PID 1968 wrote to memory of 2980 1968 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe 51
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe"C:\Users\Admin\AppData\Local\Temp\4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\arp.exearp -a2⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2664
-
-
C:\Windows\SysWOW64\arp.exearp -s 10.127.0.1 73-4d-cb-e1-31-fb2⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Windows\SysWOW64\arp.exearp -s 10.127.255.255 78-6f-23-03-d4-b12⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2496
-
-
C:\Windows\SysWOW64\arp.exearp -s 49.12.169.207 2d-39-2f-0b-1f-c22⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:1520
-
-
C:\Windows\SysWOW64\arp.exearp -s 224.0.0.22 b3-59-40-b2-8e-c62⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2556
-
-
C:\Windows\SysWOW64\arp.exearp -s 224.0.0.251 67-16-e3-73-f7-e62⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2768
-
-
C:\Windows\SysWOW64\arp.exearp -s 224.0.0.252 e3-29-1a-57-72-692⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:1648
-
-
C:\Windows\SysWOW64\arp.exearp -s 239.255.255.250 a4-5c-51-71-57-2e2⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2232
-
-
C:\Windows\SysWOW64\arp.exearp -s 255.255.255.255 89-86-8a-fb-0e-3e2⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2124
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O18281Z\service.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O18281Z\service.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2920
-
-
C:\Windows\M71373\smss.exe"C:\Windows\M71373\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1196
-
-
C:\Windows\M71373\EmangEloh.exe"C:\Windows\M71373\EmangEloh.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O18281Z\winlogon.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O18281Z\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2980
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2AppInit DLLs
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD584258a1a91ec3a19670b5a4fa3488320
SHA197bb1a0a25487979a5fd44b2f06fff2d34b11699
SHA2564e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756
SHA512f2e4346f572745118ce38f221c058a6419d4e1cb8af2f640773c5867a6883152fc81e500e6c060529cfb82138b852f8a25e12de37ee1e190398105034fc276bf
-
Filesize
109B
MD568c7836c8ff19e87ca33a7959a2bdff5
SHA1cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA5123656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8
-
Filesize
1.1MB
MD54db37337f3bc9fe5ca172c7924150a99
SHA1e1cedfcb603fc3c1b3d1afe7866b64cf714f1e2c
SHA2567886d6d9c320127ed64ac61d0ae0355aaad508973ad3d0c3e9db0f47b1c4589f
SHA5126ba562126efad3cc0449d42621fc869ce89c65796c0064ffd9169f3b9b39d1f85fe2ba1d5513f827e25fc89c06fbe307aae4c869bbdfd68116d28da49fac4b62
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
71KB
MD51458e1451cf701b363c99cfb81317789
SHA10dc90bc9a49f5d973e1649c0db09087ef3e0bb3f
SHA256ace427ef87c8c1a9457e122c787d0b0c3b5a04d45f6df4d9a337e215def47c13
SHA512b9ac9af373a93c6db20000bfe4d8c85a9df0c97a15d4989501f719a84f0cef2b72d3697a9a8b927b1cdc9a687cde6f1603fc9e5ba6bc4f63d461a8fadfd67e34
-
Filesize
67KB
MD5909d5d17959688e1bb48945ff39bb45d
SHA190fe160e3735ebccdf4e7d44e8a67bf913a6b01e
SHA2561c48426a84de051a0a4b782e0693906e0b50f3f5961b72e97b1173bfa0be51f3
SHA512729f40bac7164f8e687b64f050b74bff080f6444ab6184fb3804e1125ec9c777ae812caf0ffe2ae8f90712f6c0cf9f5f8ae64c99f2fb47773ca21ee2c61707bf