Analysis
- max time kernel: 159s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 10-02-2022 11:36
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: fea1c9fccf1292d9fd2c048f0fa767e3.exe
  - Resource: win7-en-20211208
(The memory dumps and YARA hits below are labelled behavioral2, i.e. the Windows 10 run described in the Analysis header.)
General
- Target: fea1c9fccf1292d9fd2c048f0fa767e3.exe
- Size: 294KB
- MD5: fea1c9fccf1292d9fd2c048f0fa767e3
- SHA1: 790976dfd13d80cc8286fcd5ca60df6e6b3e0fdb
- SHA256: 1ba84876de166844e415c6287023982232051d97ee776b37cf4a7512666494dd
- SHA512: 3ef79d18ae784d5bce0348619063696578743c3f2942c5fe1540387e2d4261bcb1baa418d78c91e74912596d7f39db9c1045260bc78f1c8232decf91ee923929
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ahc8
- C2 domains (an extracted XLoader/FormBook config mixes the live C2 with decoy domains; the report does not mark which entry is live, so treat the whole list as indicators but expect only one of them to receive real check-in traffic):
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
  PID 1540 created 2904  WerFault.exe -> nbbxnr5hitydit.exe
  (This is the WerFault.exe instance started with -pss for the crashed nbbxnr5hitydit.exe, see the process tree. The reparented process creation is Windows Error Reporting taking its crash snapshot, not a technique of the sample.)
  -
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
(XLoader is the successor of FormBook and keeps its C2 check-in format, which is why the FormBook Emerging Threats rules match this sample's traffic.)
-
Xloader Payload 3 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/580-134-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/580-138-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/1380-145-0x0000000000370000-0x0000000000399000-memory.dmp  xloader
  -
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1916  rwdiyf.exe
  580   rwdiyf.exe
  2904  nbbxnr5hitydit.exe
  -
Reads user/profile data of web browsers 2 TTPs
Infostealers harvest stored browser data such as saved credentials, cookies and autofill entries. In this run the concrete evidence is the cmd.exe copy of Chrome's "Login Data" database to C:\Users\Admin\AppData\Local\Temp\DB1 shown in the process tree, and the Internet Explorer IntelliForms\Storage2 key (IE's saved form and password store) created by the injected msiexec.exe.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Key created      \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YVEDSNW8 = "C:\\Program Files (x86)\\D04nh9v_\\nbbxnr5hitydit.exe"  msiexec.exe
  -
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 1916 set thread context of 580   rwdiyf.exe -> rwdiyf.exe
  PID 580 set thread context of 2444   rwdiyf.exe -> Explorer.EXE
  PID 1380 set thread context of 2444  msiexec.exe -> Explorer.EXE
  -
Drops file in Program Files directory 4 IoCs
Processes:
  File opened for modification  C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe  msiexec.exe
  File opened for modification  C:\Program Files (x86)\D04nh9v_                     Explorer.EXE
  File created                  C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe  Explorer.EXE
  File opened for modification  C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe  Explorer.EXE
  -
Drops file in Windows directory 1 IoCs
Processes:
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
  (Delivery Optimization state file maintained by svchost.exe -k NetworkService; background OS activity, not attributable to the sample.)
  -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour, but this sample is classified as XLoader (an infostealer) by the extracted config and the YARA hits above, so read this as a generic heuristic rather than evidence of ransomware.
-
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  1492  2904        WerFault.exe  nbbxnr5hitydit.exe
  -
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments. Here, however, every read comes from WerFault.exe or MusNotifyIcon.exe (Windows crash-reporting and update-notification components), not from the sample or the processes it injected into.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 MusNotifyIcon.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      MusNotifyIcon.exe
  -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
  (WerFault.exe collecting crash-report telemetry for the crashed nbbxnr5hitydit.exe, not sample behaviour.)
  -
Modifies Internet Explorer settings 1 IoCs
Processes:
  Key created  \Registry\User\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  msiexec.exe
  (IntelliForms\Storage2 holds Internet Explorer's saved form and password data; the injected msiexec.exe touching it is consistent with credential harvesting.)
  -
Modifies data under HKEY_USERS 47 IoCs
Processes:
  All 47 entries are written by svchost.exe under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (Delivery Optimization housekeeping for the NetworkService account; background OS activity, not the sample). Paths below are relative to that key.
  Key created      Settings
  Set value (int)  Config\DownloadMode_BackCompat = "1"
  Set value (int)  Usage\DownloadMonthlyLinkLocalBytes = "0"
  Set value (int)  Usage\LANConnectionCount = "0"
  Set value (int)  Usage\UplinkBps = "0"
  Set value (int)  Usage\BkDownloadRatePct = "45"
  Set value (str)  Usage\CPUpct = "0.000000"
  Set value (int)  Usage\DownloadMonthlyGroupBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkCnt = "0"
  Set value (int)  Config\KVFileExpirationTime = "132891430038252404"
  Set value (str)  Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
  Set value (int)  Usage\CDNConnectionCount = "0"
  Set value (int)  Usage\GroupConnectionCount = "0"
  Set value (int)  Usage\InternetConnectionCount = "0"
  Set value (int)  Usage\DownlinkBps = "0"
  Set value (int)  Usage\UplinkUsageBps = "0"
  Key created      Usage
  Set value (int)  Usage\UploadMonthlyInternetBytes = "0"
  Set value (int)  Usage\DownloadMonthlyLanBytes = "0"
  Set value (int)  Usage\DownloadMonthlyCdnBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateFrCnt = "0"
  Set value (int)  Usage\MonthID = "2"
  Set value (int)  Usage\CacheSizeBytes = "0"
  Set value (int)  Usage\FrDownloadRatePct = "90"
  Set value (int)  Usage\PriorityDownloadPendingCount = "0"
  Set value (int)  Usage\UploadMonthlyLanBytes = "0"
  Set value (int)  Usage\DownloadMonthlyInternetBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateFrBps = "0"
  Set value (int)  Usage\SwarmCount = "1"
  Set value (int)  Usage\LinkLocalConnectionCount = "0"
  Set value (int)  Usage\UploadRatePct = "100"
  Set value (int)  Usage\MonthlyUploadRestriction = "0"
  Set value (int)  Usage\PriorityDownloadCount = "0"
  Set value (int)  Usage\NormalDownloadPendingCount = "0"
  Set value (str)  Usage\CPUpct = "3.333282"
  Set value (int)  Usage\MemoryUsageKB = "4052"
  Set value (int)  Usage\MemoryUsageKB = "3908"
  Key created      (DeliveryOptimization key itself)
  Set value (str)  Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
  Set value (int)  Usage\DownlinkUsageBps = "0"
  Set value (int)  Usage\PeerInfoCount = "0"
  Set value (int)  Usage\NormalDownloadCount = "0"
  Key created      Config
  Set value (int)  Config\DODownloadMode = "1"
  Set value (int)  Usage\DownloadMonthlyCacheHostBytes = "0"
  Set value (int)  Usage\DownloadMonthlyRateBkBps = "0"
  Set value (int)  Usage\UploadCount = "0"
  -
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes (repeated hits collapsed, in order of occurrence):
  580   rwdiyf.exe    x4
  1380  msiexec.exe   x42
  1492  WerFault.exe  x2
  1380  msiexec.exe   x8
  -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  2444  Explorer.EXE
  (Explorer.EXE is the target of the SetThreadContext injections from PIDs 580 and 1380 above, so the foreground-window polling is consistent with the injected payload rather than with Explorer itself.)
  -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes (repeated hits collapsed):
  580   rwdiyf.exe   x3
  1380  msiexec.exe  x4
  -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
  Token: SeDebugPrivilege           580   rwdiyf.exe
  Token: SeDebugPrivilege           1380  msiexec.exe
  Token: SeShutdownPrivilege        2444  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2444  Explorer.EXE
  Token: SeRestorePrivilege         1492  WerFault.exe
  Token: SeBackupPrivilege          1492  WerFault.exe
  Token: SeShutdownPrivilege        2444  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2444  Explorer.EXE
  -
Suspicious use of WriteProcessMemory 26 IoCs
Processes (repeated hits collapsed; source -> target):
  PID 1760 wrote to memory of 1916  fea1c9fccf1292d9fd2c048f0fa767e3.exe -> rwdiyf.exe  x3
  PID 1916 wrote to memory of 580   rwdiyf.exe -> rwdiyf.exe                             x6
  PID 2444 wrote to memory of 1380  Explorer.EXE -> msiexec.exe                           x3
  PID 1380 wrote to memory of 3660  msiexec.exe -> cmd.exe                                x3
  PID 1380 wrote to memory of 1868  msiexec.exe -> cmd.exe                                x3
  PID 1380 wrote to memory of 3524  msiexec.exe -> Firefox.exe                            x3
  PID 2444 wrote to memory of 2904  Explorer.EXE -> nbbxnr5hitydit.exe                    x3
  PID 1540 wrote to memory of 2904  WerFault.exe -> nbbxnr5hitydit.exe                    x2
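Read together, the WriteProcessMemory, SetThreadContext and NtCreateProcessEx tables describe the sample's injection chain: the dropper writes into rwdiyf.exe, which hollows a second copy of itself, which in turn hijacks a thread in Explorer.EXE, and the injected Explorer then spawns and controls msiexec.exe. The Python below is an added example (not part of the sandbox report or its tooling). It parses one copy of each distinct event line as printed above, labels each source/target pair by the combination of primitives the sandbox observed, and computes which processes the original dropper (PID 1760) ends up controlling. The labelling rules and label strings are the editor's own heuristics; the WerFault.exe pair is kept in the input to show that a "created" edge from the crash reporter is not part of the chain.

```python
"""Reconstruct an injection chain from flattened sandbox signature lines."""
import re
from collections import defaultdict

# Constructed sample: one copy of each distinct event line from the
# "Suspicious use of ..." signature tables in this report.
REPORT_LINES = """\
PID 1760 wrote to memory of 1916 1760 fea1c9fccf1292d9fd2c048f0fa767e3.exe rwdiyf.exe
PID 1916 wrote to memory of 580 1916 rwdiyf.exe rwdiyf.exe
PID 1916 set thread context of 580 1916 rwdiyf.exe rwdiyf.exe
PID 580 set thread context of 2444 580 rwdiyf.exe Explorer.EXE
PID 2444 wrote to memory of 1380 2444 Explorer.EXE msiexec.exe
PID 1380 set thread context of 2444 1380 msiexec.exe Explorer.EXE
PID 1380 wrote to memory of 3660 1380 msiexec.exe cmd.exe
PID 1380 wrote to memory of 1868 1380 msiexec.exe cmd.exe
PID 1380 wrote to memory of 3524 1380 msiexec.exe Firefox.exe
PID 2444 wrote to memory of 2904 2444 Explorer.EXE nbbxnr5hitydit.exe
PID 1540 created 2904 1540 WerFault.exe nbbxnr5hitydit.exe
PID 1540 wrote to memory of 2904 1540 WerFault.exe nbbxnr5hitydit.exe
"""

# "PID <src> <verb> <tgt> <src> <src image> <tgt image>"; the source PID is repeated.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of|created) "
    r"(?P<tgt>\d+) (?P=src) (?P<src_img>\S+) (?P<tgt_img>\S+)"
)


def parse_events(text):
    """Return the set of (src_pid, verb, tgt_pid, src_image, tgt_image) tuples."""
    events = set()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.add((int(m["src"]), m["verb"], int(m["tgt"]),
                        m["src_img"], m["tgt_img"]))
    return events


def classify_pairs(events):
    """Label each (src, tgt) pair by the primitives observed between them (editor's heuristics)."""
    verbs = defaultdict(set)
    for src, verb, tgt, _si, _ti in events:
        verbs[(src, tgt)].add(verb)
    labels = {}
    for pair, vs in verbs.items():
        if "wrote to memory of" in vs and "set thread context of" in vs:
            # Payload written into the target, then its thread redirected: hollowing.
            labels[pair] = "process hollowing"
        elif "set thread context of" in vs:
            # Thread redirected with no WriteProcessMemory seen; the code reached the
            # target another way (the report also flags MapViewOfSection for these PIDs).
            labels[pair] = "thread hijack into existing process"
        elif "created" in vs:
            # NtCreateProcessEx with a foreign parent; here it is WerFault's crash snapshot.
            labels[pair] = "process creation with foreign parent"
        else:
            labels[pair] = "memory write only"
    return labels


def controlled_from(events, root):
    """Transitive closure of source -> target edges: every PID the root ends up controlling."""
    edges = defaultdict(set)
    for src, _verb, tgt, _si, _ti in events:
        edges[src].add(tgt)
    seen, stack = set(), [root]
    while stack:
        for child in edges[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


if __name__ == "__main__":
    evs = parse_events(REPORT_LINES)
    for (src, tgt), label in sorted(classify_pairs(evs).items()):
        print(f"{src:>5} -> {tgt:<5} {label}")
    print("controlled from dropper 1760:", sorted(controlled_from(evs, 1760)))
```

Running it labels 1916 -> 580 as hollowing, 580 -> 2444 and 1380 -> 2444 as thread hijacks into Explorer.EXE, and shows that every PID in the sample's tree is reachable from the dropper while the WerFault.exe instance (1540) is not.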
Processes
(Indentation shows the parent/child depth reported by the sandbox. PIDs are added where the signature tables above identify them unambiguously.)

C:\Windows\Explorer.EXE  (PID 2444)
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fea1c9fccf1292d9fd2c048f0fa767e3.exe  (PID 1760)
    command line: "C:\Users\Admin\AppData\Local\Temp\fea1c9fccf1292d9fd2c048f0fa767e3.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe  (PID 1916)
      command line: C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe  (PID 580)
        command line: C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe C:\Users\Admin\AppData\Local\Temp\nunhgnm
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe  (PID 1380)
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe"

    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 3524)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe  (PID 2904)
    command line: "C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe"
    - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe  (PID 1492)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 488
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\MusNotifyIcon.exe
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\WerFault.exe  (PID 1540)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2904 -ip 2904
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
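Three things in the process tree translate directly into detection logic: msiexec.exe launched from Explorer.EXE with an empty command line and then used as the injection host, cmd.exe copying Chrome's "Login Data" database to %TEMP% and deleting the dropper, and a Run value under HKLM pointing at a freshly dropped binary in Program Files (x86). The Python below is an added example, not the sandbox's own code: the telemetry tuples are constructed from the command lines and the Run-key write shown above, and the browser, credential-store and host-binary lists are assumptions to be tuned per environment (the host-binary list is a small subset of the Windows binaries this family uses as injection targets, not a complete one).

```python
"""Command-line and Run-key heuristics for the behaviours in this sandbox run."""
import re

# Constructed telemetry copied from the process tree: (parent image, image, command line).
PROCESS_EVENTS = [
    ("Explorer.EXE", "msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ("msiexec.exe", "cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe"'),
    ("msiexec.exe", "cmd.exe",
     r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
     r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    ("msiexec.exe", "Firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ("nbbxnr5hitydit.exe", "WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 488"),
]
# Constructed from the "Adds Run key" signature: (writer image, key path, value data).
RUN_KEY_EVENTS = [
    ("msiexec.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YVEDSNW8",
     r"C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe"),
]

# Assumed tuning lists (not from the report): browser credential stores, browser
# images, and a subset of Windows binaries this family is known to use as hosts.
BROWSER_CRED_STORES = re.compile(r"\\(Login Data|Web Data|logins\.json|key4\.db)\b", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
INJECTION_HOSTS = {"msiexec.exe", "svchost.exe", "explorer.exe", "netsh.exe",
                   "rundll32.exe", "wscript.exe"}


def split_cmdline(cmdline):
    """Split a Windows command line into (program token, remaining arguments)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    prog, _, rest = s.partition(" ")
    return prog, rest.strip()


def check_process(parent, image, cmdline):
    """Return heuristic findings for one process-creation event."""
    findings = []
    img, par, low = image.lower(), parent.lower(), cmdline.lower()
    prog, args = split_cmdline(cmdline)
    if img == "cmd.exe" and "/c copy" in low and BROWSER_CRED_STORES.search(cmdline):
        findings.append(f"browser credential store copied by cmd.exe spawned from {parent}")
    if img == "cmd.exe" and "/c del" in low and re.search(r"\\temp\\[^\\\"]+\.exe", low):
        findings.append(f"executable deleted from %TEMP% by cmd.exe spawned from {parent}")
    # A system binary started with no arguments at all is an unusual way to run it
    # legitimately and matches the bare msiexec.exe host seen in this report.
    if img in INJECTION_HOSTS and args == "" and prog.lower().rsplit("\\", 1)[-1] == img:
        findings.append(f"{image} started with no arguments by {parent} (bare injection host)")
    if img in BROWSERS and par != "explorer.exe" and par not in BROWSERS:
        findings.append(f"{image} started by {parent} rather than the shell or another browser")
    return findings


def check_run_key(writer, key_path, value):
    """Flag a Run value set by one binary for a different binary outside C:\\Windows."""
    if "\\currentversion\\run\\" not in key_path.lower():
        return []
    target = value.strip('"')
    target_base = target.rsplit("\\", 1)[-1].lower()
    value_name = key_path.rsplit("\\", 1)[-1]
    if target_base != writer.lower() and not target.lower().startswith("c:\\windows\\"):
        return [f"{writer} registered Run value {value_name} -> {target}"]
    return []


def scan(process_events=PROCESS_EVENTS, run_key_events=RUN_KEY_EVENTS):
    """Apply every heuristic to the constructed telemetry and return all findings."""
    findings = []
    for ev in process_events:
        findings.extend(check_process(*ev))
    for ev in run_key_events:
        findings.extend(check_run_key(*ev))
    return findings


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

On this report's telemetry the scan yields five findings (bare msiexec.exe host, dropper deletion, Chrome credential store copy, Firefox started by msiexec.exe, and the Run value for nbbxnr5hitydit.exe) and nothing for the WerFault.exe crash handler. The bare-host rule is the noisiest of the four in production, so scope it to parents such as Explorer.EXE or to hosts that subsequently spawn cmd.exe.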
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\D04nh9v_\nbbxnr5hitydit.exe
  MD5:    f61da6d9be169e8012f1776867def6da
  SHA1:   82564a582a671cb220fb66aa75bbed1e7c6d7270
  SHA256: 38f59aa2c8b4d93f9570bcbcc728102ad4375799b1a15de9b2384c27cc4a44ce
  SHA512: 8906aff6e9cd36c5374c3a622f703272c11a3fdf33b4b5b1e07dd0a98244fe61e443f372f84d6456af957024b07e093675acf43a1275b9d15ffdc0afd23d83cc
-
C:\Users\Admin\AppData\Local\Temp\DB1  (copy of Chrome's "Login Data" database, see the cmd.exe /c copy in the process tree)
  MD5:    b608d407fc15adea97c26936bc6f03f6
  SHA1:   953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\nunhgnm  (passed as the command-line argument to rwdiyf.exe)
  MD5:    cec6479860914540d21176850b1c4b21
  SHA1:   534b76d286f97b9477e7892bb05701172efc1c71
  SHA256: 7b1106f7bf77968581f2db4c06ba833ede929959074eee1ce8f10185e61a05e3
  SHA512: 6503f223f2e70476fd78e2ddf05e71b218900276873af6c41db9ef8f8807ce2f77c423723b794b8a72b0369575c221ecde1060aa9250c2ad49f3795a97f9014c
-
C:\Users\Admin\AppData\Local\Temp\ognhs6i1h2plg3ur68s
  MD5:    798e35236d03021934f922ea41b06c32
  SHA1:   ae4c1656c9d0c4ca6bcc914bd46458688b46ff58
  SHA256: 7c6022ef98927ad13596d6106074f2ef4cab883925e5df6d7ad1c578cc772ab0
  SHA512: f992596c6a99e540420347d231c7fe2991e7d140677a5d5645209b892385320c69e6729f3b437c56f34f57414562bd80ae9bcf7b52d3c7c9ca44c4f4037fbb8b
-
C:\Users\Admin\AppData\Local\Temp\rwdiyf.exe  (byte-identical to nbbxnr5hitydit.exe above: the persistence copy in Program Files (x86) is the same loader)
  MD5:    f61da6d9be169e8012f1776867def6da
  SHA1:   82564a582a671cb220fb66aa75bbed1e7c6d7270
  SHA256: 38f59aa2c8b4d93f9570bcbcc728102ad4375799b1a15de9b2384c27cc4a44ce
  SHA512: 8906aff6e9cd36c5374c3a622f703272c11a3fdf33b4b5b1e07dd0a98244fe61e443f372f84d6456af957024b07e093675acf43a1275b9d15ffdc0afd23d83cc
-
Memory dumps (PID-index-range; YARA hits from the Xloader Payload signature noted where they apply)
  memory/580-134-0x0000000000400000-0x0000000000429000-memory.dmp    164KB  (YARA: xloader)
  memory/580-137-0x0000000001510000-0x000000000185A000-memory.dmp    3.3MB
  memory/580-138-0x0000000000400000-0x0000000000429000-memory.dmp    164KB  (YARA: xloader)
  memory/580-139-0x000000000041D000-0x000000000041E000-memory.dmp    4KB
  memory/580-140-0x0000000001970000-0x0000000001981000-memory.dmp    68KB
  memory/1380-144-0x0000000000820000-0x0000000000832000-memory.dmp   72KB
  memory/1380-145-0x0000000000370000-0x0000000000399000-memory.dmp   164KB  (YARA: xloader)
  memory/1380-146-0x00000000046B0000-0x00000000049FA000-memory.dmp   3.3MB
  memory/1380-147-0x0000000002B00000-0x0000000002B90000-memory.dmp   576KB
  memory/2444-141-0x0000000008740000-0x0000000008848000-memory.dmp   1.0MB
  memory/2444-148-0x0000000008850000-0x0000000008932000-memory.dmp   904KB