Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 06-02-2022 14:04
Static task: static1
Behavioral tasks:
- behavioral1: Sample ORDER-021406_pdf.jar, Resource win7-en-20211208
- behavioral2: Sample ORDER-021406_pdf.jar, Resource win10v2004-en-20220112
- behavioral3: Sample Order.xlsx, Resource win7-en-20211208
- behavioral4: Sample Order.xlsx, Resource win10v2004-en-20220112
General
- Target: ORDER-021406_pdf.jar
- Size: 115KB
- MD5: 9b1704c9472dec7f1a64667093192a29
- SHA1: 0412046a5e917a5773043db094e6088897e00519
- SHA256: 0f081b6ad1242ba0528e7f7058c0f98ec52299272d63844735fa6574ba7ecb85
- SHA512: c26b7b6a9ac198f55cf1b832557cc71d03a4fdec0c3f754d1b8762fee359c4191905904e6ebaebf0abfc16c710912437c9ceb6527b5c43ae17996b46368962a1
Malware Config
Signatures
- Detect Neshta Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\cq4u.exe | family_neshta
  C:\Users\Admin\cq4u.exe | family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoCs)
  Processes: cq4u.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | cq4u.exe
- Neshta
  Malware from the Neshta family is a file infector: it writes itself into other executable files to spread and cause damage.
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes: WerFault.exe
  description | pid | process | target process
  PID 3560 created 3836 | 3560 | WerFault.exe | cq4u.exe
- suricata: ET MALWARE DTLoader Binary Request M2
- Executes dropped EXE (2 IoCs)
  Processes: cq4u.exe, cq4u.exe
  pid | process
  2320 | cq4u.exe
  3836 | cq4u.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: cq4u.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | cq4u.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: cq4u.exe, java.exe
- Drops file in Windows directory (2 IoCs)
  Processes: cq4u.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | cq4u.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2884 | 3836 | WerFault.exe | cq4u.exe
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotifyIcon.exe, WerFault.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: WerFault.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
- Modifies data under HKEY_USERS (47 IoCs)
  Processes: svchost.exe
- Modifies registry class (1 IoCs)
  Processes: cq4u.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | cq4u.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: WerFault.exe
  pid | process
  2884 | WerFault.exe
  2884 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: cq4u.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 3836 | cq4u.exe
  Token: SeRestorePrivilege | 2884 | WerFault.exe
  Token: SeBackupPrivilege | 2884 | WerFault.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: java.exe, cq4u.exe, WerFault.exe
  description | pid | process | target process
  PID 3784 wrote to memory of 2320 | 3784 | java.exe | cq4u.exe
  PID 3784 wrote to memory of 2320 | 3784 | java.exe | cq4u.exe
  PID 3784 wrote to memory of 2320 | 3784 | java.exe | cq4u.exe
  PID 2320 wrote to memory of 3836 | 2320 | cq4u.exe | cq4u.exe
  PID 2320 wrote to memory of 3836 | 2320 | cq4u.exe | cq4u.exe
  PID 2320 wrote to memory of 3836 | 2320 | cq4u.exe | cq4u.exe
  PID 3560 wrote to memory of 3836 | 3560 | WerFault.exe | cq4u.exe
  PID 3560 wrote to memory of 3836 | 3560 | WerFault.exe | cq4u.exe
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\ORDER-021406_pdf.jar
  PID: 3784
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\cq4u.exe
    Command line: C:\Users\Admin\cq4u.exe
    PID: 2320
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3582-490\cq4u.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\cq4u.exe"
      PID: 3836
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1640
        PID: 2884
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 3996
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  PID: 2932
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3836 -ip 3836
  PID: 3560
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\cq4u.exe
  MD5: d56c3670c975055b327498b1f6d21b7d
  SHA1: 11b54837674223b45dddd7300903fa5078a9a04f
  SHA256: 73583c9268aba6ca2ab7572919c71e5d0cb8c4cf1a1c5ce65f7e2a41159cc177
  SHA512: 357ff67ee7a576e417d258ce1aac9fb9a762bedcdba71747cab608f66c67cfcd25c6d112872f7a6c5f3fe9e794764d9f1979c3b78369735ac3e94349f1c77644
- C:\Users\Admin\cq4u.exe
  MD5: 71b56603c0d5a3504d5f4ec61540f630
  SHA1: 3999fac595a275739d8142ffc90f1b707b9c3d31
  SHA256: 925d620fc769a4db1a3fb08379fbf8ffbacb73a55768e083950d6f5360fb0645
  SHA512: fc91f255d42759cfd5cf8eab63f969f1e29c47e1b54c6ca0c897841a052b68a4ac5921587a9aae6267717f88453c101c12de26ead61f11dc25ffa1aeaf2675f1
- memory/3784-131-0x00000000026A0000-0x00000000117A0000-memory.dmp (Filesize: 241.0MB)
- memory/3784-132-0x0000000000AF0000-0x0000000000AF1000-memory.dmp (Filesize: 4KB)
- memory/3784-144-0x0000000000AF0000-0x0000000000AF1000-memory.dmp (Filesize: 4KB)
- memory/3836-152-0x0000000000390000-0x00000000003B4000-memory.dmp (Filesize: 144KB)
- memory/3836-153-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize: 4KB)
- memory/3836-154-0x00000000056D0000-0x000000000576C000-memory.dmp (Filesize: 624KB)