floxif | 3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Size

4.8MB
MD5

c26547a826c02f302ca3cca35e20d3d7
SHA1

c2cf8d08dee20656988ff4907362bcc2a1bef1a7
SHA256

3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce
SHA512

3b6a5ffea07f689b588e16d5975dbf5ec5a286ba1bef3efa9e89ec7522e3b0ad5d06bf61637f83044dd85f528fff289fd7ae42efa7b9497d6d00694b81711229
SSDEEP

98304:2KBzPB6ZgoLpcrxVH/6zcaJPiJwbkZT/W0EBHp1rJGh2:2KBzp6DpcrxyciUW0Ep1rJS2

Score

10^/10

floxif backdoor discovery persistence phishing privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000b000000012282-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
A potential corporate email address has been identified in the URL: [email protected]
phishing

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012282-1.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2680	sg.tmp
1624	WiseRegCleaner.exe

Loads dropped DLL 3 IoCs

pid	Process
2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2160-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/files/0x000b000000012282-1.dat	upx
behavioral1/memory/2160-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1084-87-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2160-84-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1084-83-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2160-82-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1084-93-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1084-94-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WiseRegCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
880	PING.EXE
1508	PING.EXE
2968	PING.EXE
632	PING.EXE

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}\User Name = "Windows"	WiseRegCleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}\License Key = "85E0-78D9-68C79F-A885-C793"	WiseRegCleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}\Expire Date = 0000000000000000	WiseRegCleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}\License Key = "85E0-78D9-68C79F-A885-C793"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}	WiseRegCleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}\User Email = "[email protected]"	WiseRegCleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}\User Name = "Windows"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}\User Email = "[email protected]"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WiseRegCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WiseRegCleaner.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
632	PING.EXE
880	PING.EXE
1508	PING.EXE
2968	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
1624	WiseRegCleaner.exe
1624	WiseRegCleaner.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeBackupPrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeRestorePrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: 33	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeIncBasePriorityPrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: 33	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeIncBasePriorityPrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: 33	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeIncBasePriorityPrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeRestorePrivilege	2680	sg.tmp
Token: 35	2680	sg.tmp
Token: SeSecurityPrivilege	2680	sg.tmp
Token: SeSecurityPrivilege	2680	sg.tmp
Token: 33	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeIncBasePriorityPrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeDebugPrivilege	1624	WiseRegCleaner.exe
Token: 33	1624	WiseRegCleaner.exe
Token: SeIncBasePriorityPrivilege	1624	WiseRegCleaner.exe
Token: 33	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeIncBasePriorityPrivilege	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeDebugPrivilege	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeBackupPrivilege	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeRestorePrivilege	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: 33	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
Token: SeIncBasePriorityPrivilege	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1624	WiseRegCleaner.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2760	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	30
PID 2160 wrote to memory of 2760	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	30
PID 2160 wrote to memory of 2760	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	30
PID 2160 wrote to memory of 2760	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	30
PID 2160 wrote to memory of 2680	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	32
PID 2160 wrote to memory of 2680	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	32
PID 2160 wrote to memory of 2680	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	32
PID 2160 wrote to memory of 2680	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	32
PID 2160 wrote to memory of 2628	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	34
PID 2160 wrote to memory of 2628	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	34
PID 2160 wrote to memory of 2628	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	34
PID 2160 wrote to memory of 2628	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	34
PID 2628 wrote to memory of 2148	2628	WScript.exe	35
PID 2628 wrote to memory of 2148	2628	WScript.exe	35
PID 2628 wrote to memory of 2148	2628	WScript.exe	35
PID 2628 wrote to memory of 1624	2628	WScript.exe	37
PID 2628 wrote to memory of 1624	2628	WScript.exe	37
PID 2628 wrote to memory of 1624	2628	WScript.exe	37
PID 2628 wrote to memory of 1624	2628	WScript.exe	37
PID 2148 wrote to memory of 2200	2148	cmd.exe	38
PID 2148 wrote to memory of 2200	2148	cmd.exe	38
PID 2148 wrote to memory of 2200	2148	cmd.exe	38
PID 2148 wrote to memory of 2204	2148	cmd.exe	39
PID 2148 wrote to memory of 2204	2148	cmd.exe	39
PID 2148 wrote to memory of 2204	2148	cmd.exe	39
PID 2148 wrote to memory of 1768	2148	cmd.exe	40
PID 2148 wrote to memory of 1768	2148	cmd.exe	40
PID 2148 wrote to memory of 1768	2148	cmd.exe	40
PID 2160 wrote to memory of 1084	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	41
PID 2160 wrote to memory of 1084	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	41
PID 2160 wrote to memory of 1084	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	41
PID 2160 wrote to memory of 1084	2160	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	41
PID 1084 wrote to memory of 2320	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	42
PID 1084 wrote to memory of 2320	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	42
PID 1084 wrote to memory of 2320	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	42
PID 1084 wrote to memory of 2320	1084	3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe	42
PID 2320 wrote to memory of 632	2320	cmd.exe	44
PID 2320 wrote to memory of 632	2320	cmd.exe	44
PID 2320 wrote to memory of 632	2320	cmd.exe	44
PID 2320 wrote to memory of 880	2320	cmd.exe	46
PID 2320 wrote to memory of 880	2320	cmd.exe	46
PID 2320 wrote to memory of 880	2320	cmd.exe	46
PID 2320 wrote to memory of 1508	2320	cmd.exe	47
PID 2320 wrote to memory of 1508	2320	cmd.exe	47
PID 2320 wrote to memory of 1508	2320	cmd.exe	47
PID 2320 wrote to memory of 2968	2320	cmd.exe	48
PID 2320 wrote to memory of 2968	2320	cmd.exe	48
PID 2320 wrote to memory of 2968	2320	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
"C:\Users\Admin\AppData\Local\Temp\3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\~6159512806416565945~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~6551286323685546858"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\WRC.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\KEY.CMD" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Classes\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}" /v "User Name" /t REG_SZ /d "Windows" /f
      4⤵
      Modifies registry class
      PID:2200
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Classes\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}" /v "User Email" /t REG_SZ /d "[email protected]" /f
      4⤵
      Modifies registry class
      PID:2204
  - - C:\Windows\system32\reg.exe
      Reg.exe add "HKCU\Software\Classes\CLSID\{05E5C3C4-D6F5-44B8-B812-8074716CD9C1}" /v "License Key" /t REG_SZ /d "85E0-78D9-68C79F-A885-C793" /f
      4⤵
      Modifies registry class
      PID:1768
- - C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\WiseRegCleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\WiseRegCleaner.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1624
- C:\Users\Admin\AppData\Local\Temp\3c946b87e1e52334bf0879aa69efa057e132dc47303acdd690a82be05d4e07ce.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~6373231268945221808.cmd"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~6373231268945221808.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:632
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:880
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1508
  - - C:\Windows\system32\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~6373231268945221808.cmd

Filesize
373B

MD5
145ee23d91ee7e1879c7e17194a01a93

SHA1
abd975ae8beed9af4a0ba15501b66686d7c75c35

SHA256
402ba0f5cebfdf065bf4ec006d63b64ba83b3e2ffae022239256640224414644

SHA512
6f8beefbd1bf07fd12c65301bc9cfb2ce0bca3fc289b3a7ae383416538681668f7166ec8b4bd6971d94e01d26158e73e8caf2cf3121290baab697dfc0bb0b0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\1c.ico

Filesize
70KB

MD5
c21874be04e028956bd914bf8a6514e6

SHA1
33a1cbc06991abcf1fdbbf3f818f787530f6a4ec

SHA256
a45f15003520352d1b21c2c38cc2172143a5671b14dfde41432ac660d4d1875d

SHA512
6658bdf32cc83082a772c63d4567195d7f245db7ac6f8afb6fa397fed5e7e5375b96120fdc12da224d71deb6bd7db03f2ab4801892ea1e8c66479d5eca0ba395

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\KEY.CMD

Filesize
545B

MD5
9cfeb07b22f7ec5c6b46f88954ec0c6e

SHA1
2128f4a02352cddc049f128a5ba2012ae7d88bcf

SHA256
b0ff92d039dff6a75457f2096120b912bec5fd1a0b0f8dfd0093c9a478418e2e

SHA512
eb031bdec7f4e6e04dd40726747376fe86ac9eb16ef2bf2af497097d08602e7dd7d43dd071af3ce96527f60262648bde6fa3ce1e4ff745955321f5e2f591ed62

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\Languages\English.ini

Filesize
45KB

MD5
bf3024731852e01ab82666eca9bbb9cd

SHA1
70e1efa7fee6588043fc76eb8c375a5a96c49521

SHA256
a09aa3e34cb8aaa47f7ed5b3b5db0b161b0ed4d4e74c22761c6846b863ae7d04

SHA512
6470c7d155efeb49887b780e704a9a88856751a3ab962d205cb0d20c58c8c1d62e52aec32540b1131c602c8d126de49dcbcc6449c515b003ba50ce8c017bc935

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\Languages\Korean.ini

Filesize
35KB

MD5
adebe5f415b48961d0f4f1e20197a6a8

SHA1
b8b083647e82b40ce56ecab308b5ae301ac60349

SHA256
cb1a23835ca4fc28260a1af22399f08f91df5d07bd7a0e9ff17fc51a0f40d0e3

SHA512
6818f2be2cf64de928e74ada40d1dcf39e003fea0491af8134f744518c6f0032ff11ec70692401b15fe8cf4b3a90382b1a262935f60d725806c577c5b9137681

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\License.txt

Filesize
5KB

MD5
4a0f1a666912e64f1ba811fc24d7135f

SHA1
dcbadd9698e306f0cd6e80737fc44f53336cf36c

SHA256
d6b418c619ba7456b594dff10c3face4ac28609a64f2bf5e635292d7ff4f57e5

SHA512
36eba1cc1c0ac8d5fee7e88fd90b01ee800945ebed45ef92adf64e4aa356a2afe9acc6b07cae478cc467ca62b4a7895cecc3af9bbdf93c2a9c2271253ed00342

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\LiveUpdate.exe

Filesize
2.9MB

MD5
7c88467822a9648654fa08f6f20eda1a

SHA1
f9d9556b8815effc6552699e1e45a4a5d0c9d8d1

SHA256
5494b196ec622d86d857f1b85f2d8a2ed2e315ce5fb8aea7062a102f28959a58

SHA512
89eeda1c70d4882041e802b2eed97edd5a72fb7b61e2dbf2b0f6690b6d61154513341d642123afdf52ca2052d4ed511d2b40f99038187f3d7fcb70917c9e437b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\WRC.vbs

Filesize
163B

MD5
372a98afa9ac8a57309a075b0ac48a19

SHA1
b4650405dce6ea51452ff48c26c47f0ca3fafa1c

SHA256
b3d55d615e8bd7f4b2ee8290f416ab68c2dafcf67a2b7735214f265314426809

SHA512
381ccc9545a190190a3a35c9b95e7bc56bc6967719086b47519f566f208d3bc5cf450981003189cc0ed8bf137a5812603b9d016a57877632d1dc96279099bed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\WiseRegCleaner.exe

Filesize
10.3MB

MD5
fa09b1431a53cc220c8c324bb30da82d

SHA1
a01544b6dcfe008e6d1e7fcafa67034b8b27ac91

SHA256
8675d8d4eb12295a1b3d3ebd5a0666b58b88c43136fbba4beba36b4bce26ba28

SHA512
8a8e285dd24cab83e3242aba8c2f7b61e9e64f995d0191c59e88091218a824942cf67cbd7c41c559cf99e8e518074e0505615edd5e8cad6cd4359d3ab112a910

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6551286323685546858\config.ini

Filesize
641B

MD5
7aff2de6a6635bb18f5ace08691e2b6c

SHA1
846b5de106d55cd37fd9258ba18978db00933efe

SHA256
ca38616968ac34415f124b3afa52abeed32c5e5a8e6b48a9e626b0dca222cf70

SHA512
10880f8d34f310fd6fe478ac0bcf22cab87c7cfd9199d0f0898efb0859ce9956b36e5c2f5d49e13ab3748bb37abd99f46336e2fc384b126262c843f59852f4a2

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\~6159512806416565945~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
memory/1084-83-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1084-94-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1084-87-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1084-93-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1624-100-0x0000000000400000-0x0000000000E83000-memory.dmp

Filesize
10.5MB

Download
memory/2160-79-0x00000000047D0000-0x00000000049AE000-memory.dmp

Filesize
1.9MB

Download
memory/2160-82-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2160-84-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2160-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2160-3-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download