Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 14:59

Static task: static1
Behavioral task: behavioral1
- Sample: 6aa41422717869166e3c3fca64a6282b.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 6aa41422717869166e3c3fca64a6282b.exe
- Resource: win10v20201028
General
- Target: 6aa41422717869166e3c3fca64a6282b.exe
- Size: 1.2MB
- MD5: 6aa41422717869166e3c3fca64a6282b
- SHA1: cda8fe84bb2841ec7e541651411228e779a81696
- SHA256: 9b33e4cbdb866cf26e5d30d6929b86f01b21eb9e78996237565ba1e088160893
- SHA512: 48e25773818f13f14f4183af0273d9ffc2254801323d4351ce5843df2dba3e926c4acc52ede87e0952e7abea27d8199c18f5a73e3e1188451f45ffe24dfffeef
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Lammer
- C2: magraotm.ddns.net:1177
- Mutex: dd3191152a7e6633d26d1d8422e4e214
- reg_key: dd3191152a7e6633d26d1d8422e4e214
- splitter: |'|'|
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2064 cfPT_launcher.exe
  - 2856 Lammer.exe
  - 3892 explorer.exe
- Modifies Windows Firewall (1 TTPs)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd3191152a7e6633d26d1d8422e4e214.exe (explorer.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd3191152a7e6633d26d1d8422e4e214.exe (explorer.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\dd3191152a7e6633d26d1d8422e4e214 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .." (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dd3191152a7e6633d26d1d8422e4e214 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe\" .." (explorer.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes (description, ioc; all by cfPT_launcher.exe):
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\cfPT_launcher.exe = "0"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\cfPT_launcher.exe = "0"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\cfPT_launcher.exe = "1"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\cfPT_launcher.exe = "1"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\cfPT_launcher.exe = "0"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\cfPT_launcher.exe = "0"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\cfPT_launcher.exe = "1"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com\NumberOfSubdomains = "1"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\cfPT_launcher.exe = "1"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\cfPT_launcher.exe = "11000"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\cfPT_launcher.exe = "1"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\cfPT_launcher.exe = "0"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\br.crossfire.z8games.com\ = "0"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\cfPT_launcher.exe = "1"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\br.crossfire.z8games.com\ = "18"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com\Total = "0"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com\Total = "18"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\cfPT_launcher.exe = "1"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\cfPT_launcher.exe = "0"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\z8games.com
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\br.crossfire.z8games.com
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\cfPT_launcher.exe = "1"
  - Set value (int): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"
- Modifies system certificate store
  Processes (description, ioc; all by cfPT_launcher.exe):
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
  - Set value (data): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (certificate blob omitted)
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB
  - Set value (data): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = (certificate blob omitted)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
  - Token: 33 3892 explorer.exe
  - Token: SeIncBasePriorityPrivilege 3892 explorer.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid, process):
  - 1032 6aa41422717869166e3c3fca64a6282b.exe
  - 2064 cfPT_launcher.exe
  - 2064 cfPT_launcher.exe
  - 2064 cfPT_launcher.exe
  - 2064 cfPT_launcher.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 1032 wrote to memory of 2064 | 1032 6aa41422717869166e3c3fca64a6282b.exe | cfPT_launcher.exe
  - PID 1032 wrote to memory of 2064 | 1032 6aa41422717869166e3c3fca64a6282b.exe | cfPT_launcher.exe
  - PID 1032 wrote to memory of 2064 | 1032 6aa41422717869166e3c3fca64a6282b.exe | cfPT_launcher.exe
  - PID 1032 wrote to memory of 2856 | 1032 6aa41422717869166e3c3fca64a6282b.exe | Lammer.exe
  - PID 1032 wrote to memory of 2856 | 1032 6aa41422717869166e3c3fca64a6282b.exe | Lammer.exe
  - PID 1032 wrote to memory of 2856 | 1032 6aa41422717869166e3c3fca64a6282b.exe | Lammer.exe
  - PID 2856 wrote to memory of 3892 | 2856 Lammer.exe | explorer.exe
  - PID 2856 wrote to memory of 3892 | 2856 Lammer.exe | explorer.exe
  - PID 2856 wrote to memory of 3892 | 2856 Lammer.exe | explorer.exe
  - PID 3892 wrote to memory of 2736 | 3892 explorer.exe | netsh.exe
  - PID 3892 wrote to memory of 2736 | 3892 explorer.exe | netsh.exe
  - PID 3892 wrote to memory of 2736 | 3892 explorer.exe | netsh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6aa41422717869166e3c3fca64a6282b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6aa41422717869166e3c3fca64a6282b.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\Lammer.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\explorer.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\explorer.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Lammer.exe
  MD5: ad08ade0dfb42053078f3cf19e7739e3
  SHA1: 8f132309aae086d4c19e7a1c1d49a67222bc2777
  SHA256: 7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd
  SHA512: 6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1
- C:\Users\Admin\AppData\Local\Temp\cfPT_launcher.exe
  MD5: cb1545a63ba5b93f8bf6d9953ad49f2e
  SHA1: e98146a123498d431da88a84d8c4bff43849f86e
  SHA256: c9d4e7af0f6a5c24c4617fdc35b56f147b11c85afc3f06c7d9dad105c274d104
  SHA512: 2e099a2bf75000029f08e37d6c95072b25c6506adf6415533d5759b152fbef481ca2f6027e55d24e07f808bc68099e9ba58d76ab585edb55c67735c55a64cb29
- C:\Users\Admin\AppData\Roaming\explorer.exe
  MD5: ad08ade0dfb42053078f3cf19e7739e3
  SHA1: 8f132309aae086d4c19e7a1c1d49a67222bc2777
  SHA256: 7d2a1a56db084c60f9a611ebd33b021ea469e7e9696891608c45cf61939116bd
  SHA512: 6ca9c1dd53fab21a93882c326f378073ed884162e1dd8e8a9674c7993663c44e9a98b8a3129f1233d6db4f40e573b51772fef341afc086e6fb34829440199cd1
- memory/2064-4-0x0000000000000000-mapping.dmp
- memory/2736-13-0x0000000000000000-mapping.dmp
- memory/2856-7-0x0000000000000000-mapping.dmp
- memory/3892-10-0x0000000000000000-mapping.dmp