3d445366066d1c084f489995e476abe8e1204fa1918468868c4f90cabd2e5817

Analysis

max time kernel
297s
max time network
285s
platform
windows7_x64
resource
win7v20210410
submitted
25-06-2021 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lab_02_win10x64/b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exea2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exea2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exea2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exea2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe

pid	process
1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
1912	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
896	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
1208	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
1212	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe

Loads dropped DLL 2 IoCs

Processes:

b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

pid	process
1668	b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe
1668	b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 myexternalip.com
5 myexternalip.com
7 myexternalip.com
14 wtfismyip.com
16 myexternalip.com

flow	ioc
18	myexternalip.com
5	myexternalip.com
7	myexternalip.com
14	wtfismyip.com
16	myexternalip.com

Drops file in System32 directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9377E7E528F7E56B69A81C500ABC24	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9377E7E528F7E56B69A81C500ABC24	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exea2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe

description	pid	process	target process
PID 1668 wrote to memory of 1680	1668	b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
PID 1668 wrote to memory of 1680	1668	b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
PID 1668 wrote to memory of 1680	1668	b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
PID 1668 wrote to memory of 1680	1668	b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe
PID 1680 wrote to memory of 524	1680	a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe
"C:\Users\Admin\AppData\Local\Temp\lab_02_win10x64\b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\svchost.exe
svchost.exe -k netsvcs
3⤵
PID:524

C:\Windows\system32\taskeng.exe
taskeng.exe {8ACFAC5C-4F8F-48CD-8614-F42EFA614F57} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:620

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\system32\svchost.exe
svchost.exe -k netsvcs
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:528

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
2⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\svchost.exe
svchost.exe -k netsvcs
3⤵
PID:944

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
2⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\svchost.exe
svchost.exe -k netsvcs
3⤵
- Modifies data under HKEY_USERS
PID:1636

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
2⤵
- Executes dropped EXE
PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
C:\Users\Admin\AppData\Roaming\winapp\client_id
MD5
78148489fdf851177e225ea3eba47d4b

SHA1
f0172a677500cc1f57f1d938b81b2730942e5d32

SHA256
17886640cdd8c385741ec0986c5748a052919f9e7c6be6f16554aec9768fb87d

SHA512
16c7ba12bcbbae378450bb6f2d0a8e4c58cc1de46d6738f217a68edc89bdbe4086b37a0abe5cfd23d1768f2bbdb00ae540c9baf71627e82886089d31bcd3571b

Download Submit
\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe
MD5
b3dc48d13f7d541fa583bf964c0603bf

SHA1
1dbaa68adc0a592508f7ad715bfcdf79c17990d6

SHA256
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7

SHA512
193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

Download Submit
memory/524-77-0x0000000000000000-mapping.dmp

Download
memory/524-85-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/524-79-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/528-98-0x0000000000000000-mapping.dmp

Download
memory/896-107-0x0000000000000000-mapping.dmp

Download
memory/896-126-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/896-112-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/896-110-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/944-118-0x0000000000000000-mapping.dmp

Download
memory/1208-146-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1208-133-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1208-131-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1208-128-0x0000000000000000-mapping.dmp

Download
memory/1212-153-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1212-151-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1212-148-0x0000000000000000-mapping.dmp

Download
memory/1636-139-0x0000000000000000-mapping.dmp

Download
memory/1668-62-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1668-63-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/1668-61-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1668-60-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1668-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-70-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1680-84-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1680-74-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1680-68-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1680-66-0x0000000000000000-mapping.dmp

Download
memory/1912-105-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1912-92-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1912-90-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/1912-87-0x0000000000000000-mapping.dmp

Download