Analysis
- Max time kernel: 151s
- Max time network: 184s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 11-10-2021 06:54
Static task: static1
Behavioral task: behavioral1
- Sample: BOM Contracting and General Supplies.js
- Resource: win7v20210408
General
- Target: BOM Contracting and General Supplies.js
- Size: 22KB
- MD5: 81a0010758bb3da2796a7506bfd4aab3
- SHA1: ffc61c27e1a58878878e7b2b44c97ec23c0e09d2
- SHA256: 3f82447c548d6d623ddc3f9965363df07f52cdf8eda955c55332196ee409e4c6
- SHA512: 9521ed85e7a83eb890f706add3da9c29d29bd5c5b4a535541df9eb4072f4944fff34643289955ddf37be16f3cf815a8f77392cc656c0bb85506211ec28680779
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: k9d0
- C2: http://www.dotgroup-email.com/k9d0/
Decoy domains:
flourishpodcast.xyz
xn--nga.group
music-tomato.com
motory.store
arrivehike.info
xn--diseowebseo-4db.com
centpourcentsons.com
qnnjja005.xyz
annielynnrose.com
darlaevans.com
door-maximum.com
chinataibaifen.com
stickerhicks.com
ta2gamesstudio.com
jendelanews.com
milestoneneuro.com
premierconciergehomes.com
exitcounter.com
jrsway.com
famurainmobiliaria.com
rutielvoitte.xyz
dhft.xyz
fshesan.com
farmaciavicentellaudesfmas.com
aolchattranscripts.com
huangzh.store
treybenson.com
globalnepalimusicaward.com
red0rangejuice.com
getfreemushrooms.net
miro24.icu
agiatektro.com
nature-hugreen.com
hiaey.online
mysupersol.com
ordermeikingpawtucket.com
xyaomao.com
epistledigital.com
robertgeniesse.com
6m8r6i.icu
metalodging.com
mailez1.net
fondoimpresadonna.com
suckhoemoingay26.website
palakasorel.rest
expanchemlcals.com
itfgf.xyz
hindiepustakalaya.com
axieinfiniti.net
med-news.club
geekgarment.com
sanaviiva.xyz
unicouno.com
northcromepoa.com
sanclementesportsacademy.com
ventasjustin.com
d7snv.xyz
yutasblog.com
kingcloud88.com
ijibejivv.xyz
routhchafe.com
arcane-sentinels.com
sscd5g.icu
seo-kumar.com
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Desktop.exe,"
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Formbook Payload (4 IoCs)
Resources:
- behavioral1/memory/816-90-0x0000000000400000-0x000000000042F000-memory.dmp: yara rule formbook
- behavioral1/memory/816-91-0x000000000041F170-mapping.dmp: yara rule formbook
- behavioral1/memory/816-97-0x0000000000400000-0x000000000042F000-memory.dmp: yara rule formbook
- behavioral1/memory/388-103-0x0000000000080000-0x00000000000AF000-memory.dmp: yara rule formbook
Blocklisted process makes network request (20 IoCs)
Processes:
- PID 1860 wscript.exe: flows 5, 7
- PID 1956 wscript.exe: flows 10, 21, 25, 29, 33, 34, 37, 40, 44, 46, 51, 53, 57, 60, 61, 66, 68, 71
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 1508: un.exe
- PID 2028: Windows Desktop.exe
- PID 816: AddInProcess32.exe
Drops startup file (4 IoCs)
Processes:
- wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkzxEsqUMq.js
- wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkzxEsqUMq.js
- un.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
- un.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
Loads dropped DLL (3 IoCs)
Processes:
- PID 1508: un.exe (x2)
- PID 2028: Windows Desktop.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources:
- behavioral1/memory/1508-70-0x0000000000620000-0x0000000000641000-memory.dmp: yara rule agile_net
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\dkzxEsqUMq.js\""
- wscript.exe: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
Suspicious use of SetThreadContext (4 IoCs)
Processes:
- PID 2028 Windows Desktop.exe set thread context of PID 816 AddInProcess32.exe
- PID 816 AddInProcess32.exe set thread context of PID 1228 Explorer.EXE
- PID 816 AddInProcess32.exe set thread context of PID 1228 Explorer.EXE
- PID 388 netsh.exe set thread context of PID 1228 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies system certificate store
Processes:
- un.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted]
- Windows Desktop.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
- Windows Desktop.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted]
- un.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
- un.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted]
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes:
- PID 1508 un.exe (x5)
- PID 2028 Windows Desktop.exe (x2)
- PID 816 AddInProcess32.exe (x3)
- PID 388 netsh.exe (x23)
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
- PID 816 AddInProcess32.exe (x4)
- PID 388 netsh.exe (x2)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- PID 1508 un.exe: Token: SeDebugPrivilege
- PID 2028 Windows Desktop.exe: Token: SeDebugPrivilege
- PID 816 AddInProcess32.exe: Token: SeDebugPrivilege
- PID 388 netsh.exe: Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- PID 1228 Explorer.EXE (x4)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- PID 1228 Explorer.EXE (x4)
Suspicious use of WriteProcessMemory (34 IoCs)
Processes:
- PID 1860 wscript.exe wrote to memory of PID 1956 wscript.exe (x3)
- PID 1860 wscript.exe wrote to memory of PID 1508 un.exe (x4)
- PID 1508 un.exe wrote to memory of PID 1836 cmd.exe (x4)
- PID 1836 cmd.exe wrote to memory of PID 1516 reg.exe (x4)
- PID 1508 un.exe wrote to memory of PID 2028 Windows Desktop.exe (x4)
- PID 2028 Windows Desktop.exe wrote to memory of PID 816 AddInProcess32.exe (x7)
- PID 1228 Explorer.EXE wrote to memory of PID 388 netsh.exe (x4)
- PID 388 netsh.exe wrote to memory of PID 1652 cmd.exe (x4)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\BOM Contracting and General Supplies.js"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dkzxEsqUMq.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

    C:\Users\Admin\AppData\Local\Temp\un.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\un.exe"
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe,"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe,"
          - Modifies WinLogon for persistence

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: b15e317b09321eaee14148808dc05492
SHA1: 9c435e4c3bc9577d01d92be91ba5688b12bfa570
SHA256: d1e6796b0c9b9d66d35219739e46993ae91f788f864ef4c74ced0d7b370f4ba2
SHA512: 7f78fba5ea578aaec2c26075b912b4e2abfdb8929bd671590ced7969f5e828909f45d40e14ed0a8c93422c0d58374ac0d10d9143783559338e84cfa5031a3ccb
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
C:\Users\Admin\AppData\Local\Temp\un.exe
MD5: c8199355d0ca0fe289ea4d1ee018ff47
SHA1: ac0428f426c0bda431bd80f6abab183ccd484d07
SHA256: 127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7
SHA512: 0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
MD5: c8199355d0ca0fe289ea4d1ee018ff47
SHA1: ac0428f426c0bda431bd80f6abab183ccd484d07
SHA256: 127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7
SHA512: 0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395
-
C:\Users\Admin\AppData\Roaming\dkzxEsqUMq.js
MD5: 518e6b1ff0aa8ceb28ec463e15dbe880
SHA1: 7ec70e887b02f1fe669c7611324e24f3869aee55
SHA256: f65e6b154131aed1c0d1a380a85b77829f57243e659a1eeffc67efd2b5640704
SHA512: 30048b1575e91bb92b432989ab7d3ec18844fc43c5549f828d93c3250aae429fd238f8daf2c45605363a5a38b7b31403e574c442b64c44e470df10deb876d3e6
-
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5: 6a673bfc3b67ae9782cb31af2f234c68
SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
MD5: c8199355d0ca0fe289ea4d1ee018ff47
SHA1: ac0428f426c0bda431bd80f6abab183ccd484d07
SHA256: 127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7
SHA512: 0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395
-
Memory dumps:
- memory/388-105-0x0000000000560000-0x00000000005F3000-memory.dmp (Filesize: 588KB)
- memory/388-100-0x0000000000000000-mapping.dmp
- memory/388-103-0x0000000000080000-0x00000000000AF000-memory.dmp (Filesize: 188KB)
- memory/388-102-0x0000000001560000-0x000000000157B000-memory.dmp (Filesize: 108KB)
- memory/388-104-0x0000000000C70000-0x0000000000F73000-memory.dmp (Filesize: 3.0MB)
- memory/816-89-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/816-91-0x000000000041F170-mapping.dmp
- memory/816-97-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/816-95-0x00000000001D0000-0x00000000001E4000-memory.dmp (Filesize: 80KB)
- memory/816-94-0x0000000000A60000-0x0000000000D63000-memory.dmp (Filesize: 3.0MB)
- memory/816-90-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/816-88-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/816-98-0x0000000000310000-0x0000000000324000-memory.dmp (Filesize: 80KB)
- memory/1228-99-0x0000000006470000-0x000000000657B000-memory.dmp (Filesize: 1.0MB)
- memory/1228-96-0x00000000041A0000-0x00000000042C1000-memory.dmp (Filesize: 1.1MB)
- memory/1228-106-0x0000000002980000-0x0000000002A4A000-memory.dmp (Filesize: 808KB)
- memory/1508-68-0x00000000006D0000-0x00000000006D1000-memory.dmp (Filesize: 4KB)
- memory/1508-66-0x0000000000C60000-0x0000000000C61000-memory.dmp (Filesize: 4KB)
- memory/1508-70-0x0000000000620000-0x0000000000641000-memory.dmp (Filesize: 132KB)
- memory/1508-63-0x0000000000000000-mapping.dmp
- memory/1508-73-0x00000000006D1000-0x00000000006D2000-memory.dmp (Filesize: 4KB)
- memory/1516-72-0x0000000000000000-mapping.dmp
- memory/1652-101-0x0000000000000000-mapping.dmp
- memory/1836-71-0x0000000000000000-mapping.dmp
- memory/1860-60-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp (Filesize: 8KB)
- memory/1956-61-0x0000000000000000-mapping.dmp
- memory/2028-85-0x00000000005A0000-0x00000000005A1000-memory.dmp (Filesize: 4KB)
- memory/2028-84-0x00000000005D0000-0x00000000005DB000-memory.dmp (Filesize: 44KB)
- memory/2028-83-0x0000000002451000-0x0000000002452000-memory.dmp (Filesize: 4KB)
- memory/2028-82-0x0000000002450000-0x0000000002451000-memory.dmp (Filesize: 4KB)
- memory/2028-79-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize: 4KB)
- memory/2028-76-0x0000000000000000-mapping.dmp