floxif | 422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcab

Analysis

max time kernel
116s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Size

1.2MB
MD5

8c3978a16bcad26e0c26ca69c1bc9f50
SHA1

3c6177c97bb8a1232d49111625d0fed5edef45e1
SHA256

422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcab
SHA512

34cc81d3aaaea48c61f9ada775fe320fd9fccc545955603fb972fb52944f439dc18190c7a2f0a6ac4270acacd9141218e130c6319dac6872e6bd8d30e00ed5f6
SSDEEP

24576:p2brn/kG9Pwrn/POzMQGEvGH3RDDtAi1PDxwQo79mRUwbSlcfSgQ+n81TrEH7e:porn/x9Pwrn/POzMQGEvGHtDtN1dwQXq

Score

10^/10

floxif backdoor bootkit discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit,\"C:\\Program Files\\Windows Media Player\\0\\e\\e\\3\\7\\c\\c\\5\\a\\d\\e\\1\\1\\9\\e\\3\\b\\3\\c\\8\\c\\0\\2\\1\\a\\2\\f\\1\\6\\8\\b\\4\\autorun.inf\\svchost.exe¡¡\""	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b17-2.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b17-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1124	svchost.exe¡¡

Loads dropped DLL 11 IoCs

pid	Process
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1124	svchost.exe¡¡
4220	taskkill.exe
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡

Drops desktop.ini file(s) 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	svchost.exe¡¡
File opened (read-only)	\??\X:	svchost.exe¡¡
File opened (read-only)	\??\Y:	svchost.exe¡¡
File opened (read-only)	\??\J:	svchost.exe¡¡
File opened (read-only)	\??\P:	svchost.exe¡¡
File opened (read-only)	\??\N:	svchost.exe¡¡
File opened (read-only)	\??\O:	svchost.exe¡¡
File opened (read-only)	\??\T:	svchost.exe¡¡
File opened (read-only)	\??\U:	svchost.exe¡¡
File opened (read-only)	\??\W:	svchost.exe¡¡
File opened (read-only)	\??\Z:	svchost.exe¡¡
File opened (read-only)	\??\E:	svchost.exe¡¡
File opened (read-only)	\??\H:	svchost.exe¡¡
File opened (read-only)	\??\I:	svchost.exe¡¡
File opened (read-only)	\??\K:	svchost.exe¡¡
File opened (read-only)	\??\M:	svchost.exe¡¡
File opened (read-only)	\??\R:	svchost.exe¡¡
File opened (read-only)	\??\S:	svchost.exe¡¡
File opened (read-only)	\??\A:	svchost.exe¡¡
File opened (read-only)	\??\B:	svchost.exe¡¡
File opened (read-only)	\??\L:	svchost.exe¡¡
File opened (read-only)	\??\Q:	svchost.exe¡¡
File opened (read-only)	\??\e:	svchost.exe¡¡
File opened (read-only)	\??\G:	svchost.exe¡¡

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe

Drops autorun.inf file 1 TTPs 36 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\autorun.inf	svchost.exe¡¡
File opened for modification	C:\Program Files\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b17-2.dat	upx
behavioral2/memory/1528-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1124-39-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4220-42-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1528-62-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4220-63-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1124-70-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1124-76-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1124-81-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1124-87-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\autorun.inf\ÎÄ¼þÃâÒß	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\autorun.inf\desktop.ini	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
File opened for modification	C:\Program Files\autorun.inf	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe¡¡
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4220	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe¡¡	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe¡¡\ = "exefile"	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
Token: SeDebugPrivilege	1124	svchost.exe¡¡
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡
1124	svchost.exe¡¡

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2252	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	83
PID 1528 wrote to memory of 2252	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	83
PID 1528 wrote to memory of 2252	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	83
PID 1528 wrote to memory of 4996	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	85
PID 1528 wrote to memory of 4996	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	85
PID 1528 wrote to memory of 4996	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	85
PID 1528 wrote to memory of 1124	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	87
PID 1528 wrote to memory of 1124	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	87
PID 1528 wrote to memory of 1124	1528	422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe	87
PID 2252 wrote to memory of 4220	2252	cmd.exe	88
PID 2252 wrote to memory of 4220	2252	cmd.exe	88
PID 2252 wrote to memory of 4220	2252	cmd.exe	88
PID 4996 wrote to memory of 4664	4996	cmd.exe	89
PID 4996 wrote to memory of 4664	4996	cmd.exe	89
PID 4996 wrote to memory of 4664	4996	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe
"C:\Users\Admin\AppData\Local\Temp\422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\CQ.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im qq.exe /f
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\temp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files\Windows Media Player\0" /d everyone /e
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡
  "C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡" pid 1528"C:\Users\Admin\AppData\Local\Temp\422645839d0cd93030f6c44292cd8dea0757379d157b49abbbea91080d1afcabN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\6DAEA885F8.tmp

Filesize
1.1MB

MD5
f4e53d37a28459c7f61e019d69e87a9a

SHA1
0f8db23a1429b0ec8d91115acb42cdfd282ddc01

SHA256
858733df29bc8871614b54c523801f97f2042a8b87d322a1f64c17edae2063ae

SHA512
b1d4f54284ca4b411e5fc5d6b0b0f767aaa2aedfa94c9cf6fa03580fee9537ceab483e1ccfa5a5a1fa3daa24b890010d30da1b9d0726a9709ed6f4e7c3267fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQ.bat

Filesize
30B

MD5
458d6a0f8398f6fa8bda7bb2ba5be353

SHA1
eec02a1cf5047cee3d4dee32ef13498c49a61154

SHA256
66142298d915314ddb48b417e96b48936e71a190d8f7cd8ae5a053cbe2746ddc

SHA512
c4fad6cafa4b17da18f5beceb65f91414c9fa0774c99caeadc87bc44f5faee6425208c78f6f111bec71b2e0cf58922c4bb62a0e3247b2af7699113a76c11c730

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne

Filesize
28KB

MD5
992322b55f2684fe4c83b8e94dd54adb

SHA1
0990c5d0da44f3dfa45208c8d7d6ca27614dc165

SHA256
d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

SHA512
471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
332KB

MD5
3102c454a9543e58fe3ad5f783f5a690

SHA1
dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9

SHA256
039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9

SHA512
5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
192KB

MD5
c1180974dd8a7c6d9f8fcc13096b4f7a

SHA1
9d50021334248bf0c752b3ed34deed48325da05c

SHA256
5b1ff0cabb2384f4b6385c1acce1d5e3a9d7b8e0403e2224cd1ab9722a599d3d

SHA512
c8b938bf172b9d2ccfaea34ff7cfddc9eaab8a9416a07e458bd34dfed2ea18de66d23dbaa9f15c2faf1009e00a8dfca3168ab41f02ef28e97c9197c3ca6943e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.0MB

MD5
4b30dbe1a79b2b7572ff637cb3765ced

SHA1
b08eba0e9bdb62d426db8d2b3d451152a56f79a1

SHA256
4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

SHA512
40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.bat

Filesize
72B

MD5
593ce3f439bb49aa3ef95af11b146c18

SHA1
1475674af547f66b3de40d5afde11fcb558a53eb

SHA256
886e68d9e6edb3b9ed472e9990fb9b0822c3be5e4cf6066af986edfac465546b

SHA512
76378b3017f75e0dbbf03a8bedf12b5b80c2d5da7a108ab7024acbbb7deac44ed16e054b53e86f9c8aef210f3a9cb3d1d39e43a698281b92149501c39d863349

Download Submit
memory/1124-35-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1124-56-0x0000000002500000-0x0000000002563000-memory.dmp

Filesize
396KB

Download
memory/1124-87-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1124-81-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1124-76-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1124-51-0x0000000002D40000-0x0000000002E5A000-memory.dmp

Filesize
1.1MB

Download
memory/1124-70-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1124-67-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1124-39-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1528-61-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1528-62-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1528-7-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/1528-16-0x0000000002FA0000-0x00000000030BA000-memory.dmp

Filesize
1.1MB

Download
memory/1528-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1528-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4220-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4220-42-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download