floxif | 4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
Size

147KB
MD5

84258a1a91ec3a19670b5a4fa3488320
SHA1

97bb1a0a25487979a5fd44b2f06fff2d34b11699
SHA256

4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756
SHA512

f2e4346f572745118ce38f221c058a6419d4e1cb8af2f640773c5867a6883152fc81e500e6c060529cfb82138b852f8a25e12de37ee1e190398105034fc276bf
SSDEEP

3072:rkSY60bf9KlHF3w9BKJQ33f8PfJA+R4NvVwFmrtBjT1fIU:dYXUP3wLPnU3JAEwVwUrTFIU

Score

10^/10

floxif backdoor discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70273\\Ja301365bLay.com\""	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\TuxO17171Z.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70273\\Ja301365bLay.com\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\TuxO17171Z.exe\""	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70273\\Ja301365bLay.com\""	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\TuxO17171Z.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70273\\Ja301365bLay.com\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O17171Z\\TuxO17171Z.exe\""	service.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	EmangEloh.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	service.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b2f-2.dat	floxif

Disables RegEdit via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	service.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b2f-2.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	EmangEloh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
2352	service.exe
1724	smss.exe
3384	EmangEloh.exe
3056	winlogon.exe

Loads dropped DLL 5 IoCs

pid	Process
1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
2352	service.exe
1724	smss.exe
3384	EmangEloh.exe
3056	winlogon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z527 = "C:\\Windows\\sa-200622.exe"	EmangEloh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55272180417l.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z527 = "C:\\Windows\\sa-200622.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55272180417l.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z527 = "C:\\Windows\\sa-200622.exe"	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55272180417l.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z527 = "C:\\Windows\\sa-200622.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55272180417l.exe"	EmangEloh.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	EmangEloh.exe
File opened (read-only)	\??\g:	service.exe
File opened (read-only)	\??\k:	service.exe
File opened (read-only)	\??\v:	winlogon.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\g:	EmangEloh.exe
File opened (read-only)	\??\w:	EmangEloh.exe
File opened (read-only)	\??\s:	winlogon.exe
File opened (read-only)	\??\u:	winlogon.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\N:	EmangEloh.exe
File opened (read-only)	\??\w:	winlogon.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\k:	winlogon.exe
File opened (read-only)	\??\o:	service.exe
File opened (read-only)	\??\h:	winlogon.exe
File opened (read-only)	\??\o:	winlogon.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\m:	EmangEloh.exe
File opened (read-only)	\??\o:	EmangEloh.exe
File opened (read-only)	\??\t:	EmangEloh.exe
File opened (read-only)	\??\x:	EmangEloh.exe
File opened (read-only)	\??\r:	winlogon.exe
File opened (read-only)	\??\r:	service.exe
File opened (read-only)	\??\t:	service.exe
File opened (read-only)	\??\z:	service.exe
File opened (read-only)	\??\j:	service.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\h:	EmangEloh.exe
File opened (read-only)	\??\j:	EmangEloh.exe
File opened (read-only)	\??\z:	EmangEloh.exe
File opened (read-only)	\??\y:	winlogon.exe
File opened (read-only)	\??\z:	winlogon.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\l:	service.exe
File opened (read-only)	\??\u:	service.exe
File opened (read-only)	\??\v:	service.exe
File opened (read-only)	\??\j:	winlogon.exe
File opened (read-only)	\??\q:	service.exe
File opened (read-only)	\??\l:	winlogon.exe
File opened (read-only)	\??\y:	service.exe
File opened (read-only)	\??\e:	EmangEloh.exe
File opened (read-only)	\??\i:	EmangEloh.exe
File opened (read-only)	\??\k:	EmangEloh.exe
File opened (read-only)	\??\i:	service.exe
File opened (read-only)	\??\y:	EmangEloh.exe
File opened (read-only)	\??\g:	winlogon.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\p:	winlogon.exe
File opened (read-only)	\??\t:	winlogon.exe
File opened (read-only)	\??\i:	winlogon.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\v:	EmangEloh.exe
File opened (read-only)	\??\e:	winlogon.exe
File opened (read-only)	\??\x:	service.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\t:	smss.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4692	arp.exe
2140	arp.exe
1844	arp.exe
3092	arp.exe
1596	arp.exe
2640	arp.exe
1036	arp.exe
740	arp.exe
4796	arp.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\X05778go\Z552721cie.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\X05778go\Z552721cie.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\55272180417l.exe	winlogon.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File created	C:\Windows\SysWOW64\552721080417l.exe	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	C:\Windows\SysWOW64\X05778go\Z552721cie.cmd	service.exe
File created	C:\Windows\SysWOW64\X05778go\Z552721cie.cmd	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	C:\Windows\SysWOW64\552721080417l.exe	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	C:\Windows\SysWOW64\X05778go\Z552721cie.cmd	EmangEloh.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe	service.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Blink 182 .exe	service.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Titip Folder Jangan DiHapus .exe	service.exe
File created	C:\Windows\SysWOW64\55272180417l.exe	EmangEloh.exe
File opened for modification	C:\Windows\SysWOW64\55272180417l.exe	EmangEloh.exe
File opened for modification	C:\Windows\SysWOW64\55272180417l.exe	service.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Titip Folder Jangan DiHapus .exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\55272180417l.exe	smss.exe
File created	C:\Windows\SysWOW64\55272180417l.exe	winlogon.exe
File created	\??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	EmangEloh.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Blink 182 .exe	service.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Love Song .scr	service.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Love Song .scr	service.exe
File created	C:\Windows\SysWOW64\55272180417l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b2f-2.dat	upx
behavioral2/memory/1928-3-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-72-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-74-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-139-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1928-149-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-204-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-202-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-239-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3056-256-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-251-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-247-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3056-280-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-278-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-276-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-274-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-284-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3056-288-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-286-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-294-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-292-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3056-298-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-296-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-300-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-302-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-304-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3056-306-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-308-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-312-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3056-314-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-316-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3056-322-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1724-328-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2352-326-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3384-330-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Windows Vista setup .scr	service.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Blink 182 .exe	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Love Song .scr	service.exe
File created	\??\c:\Program Files (x86)\Google\Update\Download\Blink 182 .exe	service.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Love Song .scr	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Updates\Download\RaHasIA .exe	service.exe
File created	\??\c:\Program Files\Windows Sidebar\Shared Gadgets\Love Song .scr	service.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\RaHasIA .exe	service.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Download\Blink 182 .exe	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Norman virus Control 5.18 .exe	service.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Love Song .scr	service.exe
File created	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\Love Song .scr	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Data DosenKu .exe	service.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Shared Gadgets\Love Song .scr	service.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\RaHasIA .exe	service.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Love Song .scr	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Norman virus Control 5.18 .exe	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Data DosenKu .exe	service.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Love Song .scr	service.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Windows Vista setup .scr	service.exe
File created	\??\c:\Program Files\dotnet\shared\Love Song .scr	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Love Song .scr	service.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Blink 182 .exe	service.exe
File created	\??\c:\Program Files\Microsoft Office\Updates\Download\RaHasIA .exe	service.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\THe Best Ungu .scr	service.exe
File created	C:\Windows\sa-200622.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\Blink 182 .exe	service.exe
File opened for modification	C:\Windows\M70273\EmangEloh.exe	winlogon.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\TutoriaL HAcking .exe	service.exe
File opened for modification	C:\Windows\Ti80417ta.exe	smss.exe
File created	C:\Windows\Ti80417ta.exe	EmangEloh.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\Data DosenKu .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\Windows Vista setup .scr	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\Norman virus Control 5.18 .exe	service.exe
File opened for modification	C:\Windows\sa-200622.exe	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	C:\Windows\[TheMoonlight].txt	EmangEloh.exe
File created	\??\c:\Windows\Downloaded Program Files\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\Blink 182 .exe	service.exe
File created	C:\Windows\Ti80417ta.exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\RaHasIA .exe	service.exe
File opened for modification	C:\Windows\M70273\EmangEloh.exe	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	C:\Windows\Ti080417ta.exe	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\Windows\Downloaded Program Files\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\THe Best Ungu .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\Blink 182 .exe	service.exe
File opened for modification	C:\Windows\[TheMoonlight].txt	winlogon.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\Data DosenKu .exe	service.exe
File opened for modification	C:\Windows\M70273	winlogon.exe
File opened for modification	\??\c:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\Data DosenKu .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\Titip Folder Jangan DiHapus .exe	service.exe
File created	C:\Windows\[TheMoonlight].txt	smss.exe
File created	C:\Windows\M70273\EmangEloh.exe	EmangEloh.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\Titip Folder Jangan DiHapus .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\Love Song .scr	service.exe
File opened for modification	C:\Windows\M70273\Ja301365bLay.com	service.exe
File opened for modification	C:\Windows\M70273\EmangEloh.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\Data DosenKu .exe	service.exe
File opened for modification	C:\Windows\M70273\Ja301365bLay.com	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\RaHasIA .exe	service.exe
File created	C:\Windows\M70273\Ja301365bLay.com	EmangEloh.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\Windows Vista setup .scr	service.exe
File opened for modification	C:\Windows\sa-200622.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\RaHasIA .exe	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EmangEloh.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	EmangEloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	EmangEloh.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
Token: SeDebugPrivilege	2352	service.exe
Token: SeDebugPrivilege	1724	smss.exe
Token: SeDebugPrivilege	3384	EmangEloh.exe
Token: SeDebugPrivilege	3056	winlogon.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
2352	service.exe
1724	smss.exe
3384	EmangEloh.exe
3056	winlogon.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1596	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	83
PID 1928 wrote to memory of 1596	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	83
PID 1928 wrote to memory of 1596	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	83
PID 1928 wrote to memory of 4692	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	85
PID 1928 wrote to memory of 4692	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	85
PID 1928 wrote to memory of 4692	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	85
PID 1928 wrote to memory of 740	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	86
PID 1928 wrote to memory of 740	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	86
PID 1928 wrote to memory of 740	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	86
PID 1928 wrote to memory of 3092	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	87
PID 1928 wrote to memory of 3092	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	87
PID 1928 wrote to memory of 3092	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	87
PID 1928 wrote to memory of 1036	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	88
PID 1928 wrote to memory of 1036	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	88
PID 1928 wrote to memory of 1036	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	88
PID 1928 wrote to memory of 1844	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	89
PID 1928 wrote to memory of 1844	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	89
PID 1928 wrote to memory of 1844	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	89
PID 1928 wrote to memory of 2640	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	90
PID 1928 wrote to memory of 2640	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	90
PID 1928 wrote to memory of 2640	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	90
PID 1928 wrote to memory of 4796	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	91
PID 1928 wrote to memory of 4796	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	91
PID 1928 wrote to memory of 4796	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	91
PID 1928 wrote to memory of 2140	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	92
PID 1928 wrote to memory of 2140	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	92
PID 1928 wrote to memory of 2140	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	92
PID 1928 wrote to memory of 2352	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	101
PID 1928 wrote to memory of 2352	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	101
PID 1928 wrote to memory of 2352	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	101
PID 1928 wrote to memory of 1724	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	102
PID 1928 wrote to memory of 1724	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	102
PID 1928 wrote to memory of 1724	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	102
PID 1928 wrote to memory of 3384	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	103
PID 1928 wrote to memory of 3384	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	103
PID 1928 wrote to memory of 3384	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	103
PID 1928 wrote to memory of 3056	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	104
PID 1928 wrote to memory of 3056	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	104
PID 1928 wrote to memory of 3056	1928	4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe	104

C:\Users\Admin\AppData\Local\Temp\4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe
"C:\Users\Admin\AppData\Local\Temp\4e625cc43530520ea4c181e6ef0a46813542a4ffe35d1fa59b448f572a5a5756N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1596
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 9b-a4-16-e0-f9-f7
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:4692
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 f3-9b-8f-ff-54-42
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:740
- C:\Windows\SysWOW64\arp.exe
  arp -s 37.27.61.184 54-32-f1-c5-cf-65
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:3092
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 be-bf-e7-2b-25-aa
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 20-b7-ec-cf-34-19
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1844
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 eb-fd-5c-ce-dd-fa
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 c0-81-14-b4-3a-9f
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:4796
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 4b-1e-fc-cb-aa-dd
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2140
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\service.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2352
- C:\Windows\M70273\smss.exe
  "C:\Windows\M70273\smss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1724
- C:\Windows\M70273\EmangEloh.exe
  "C:\Windows\M70273\EmangEloh.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3384
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
1458e1451cf701b363c99cfb81317789

SHA1
0dc90bc9a49f5d973e1649c0db09087ef3e0bb3f

SHA256
ace427ef87c8c1a9457e122c787d0b0c3b5a04d45f6df4d9a337e215def47c13

SHA512
b9ac9af373a93c6db20000bfe4d8c85a9df0c97a15d4989501f719a84f0cef2b72d3697a9a8b927b1cdc9a687cde6f1603fc9e5ba6bc4f63d461a8fadfd67e34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O17171Z\service.exe

Filesize
67KB

MD5
909d5d17959688e1bb48945ff39bb45d

SHA1
90fe160e3735ebccdf4e7d44e8a67bf913a6b01e

SHA256
1c48426a84de051a0a4b782e0693906e0b50f3f5961b72e97b1173bfa0be51f3

SHA512
729f40bac7164f8e687b64f050b74bff080f6444ab6184fb3804e1125ec9c777ae812caf0ffe2ae8f90712f6c0cf9f5f8ae64c99f2fb47773ca21ee2c61707bf

Download Submit
C:\Windows\[TheMoonlight].txt

Filesize
109B

MD5
68c7836c8ff19e87ca33a7959a2bdff5

SHA1
cc5d0205bb71c10bbed22fe47e59b1f6817daab7

SHA256
883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec

SHA512
3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/1724-302-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1724-294-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1724-301-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-70-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-293-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-74-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1724-73-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-203-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-309-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-284-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1724-328-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1724-276-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1724-249-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1724-251-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1724-204-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1928-148-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1928-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1928-149-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1928-3-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1928-10-0x0000000000402000-0x0000000000406000-memory.dmp

Filesize
16KB

Download
memory/1928-7-0x0000000002740000-0x0000000002742000-memory.dmp

Filesize
8KB

Download
memory/2352-308-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-274-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-247-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-244-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-273-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-292-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-316-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-326-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-201-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-281-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-300-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-299-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-202-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2352-291-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-71-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2352-72-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3056-298-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3056-256-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3056-288-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3056-297-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-324-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-322-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3056-287-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-254-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-313-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-279-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-314-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3056-306-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3056-305-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3056-280-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-139-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-312-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-304-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-278-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-286-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-319-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3384-295-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3384-323-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3384-296-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-252-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3384-239-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-330-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3384-329-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads