6a2f6da502485750acde45ad22d36d186c335b2f61592c5eae168e9f971ffc70

Reason

Machine shutdown

General

Target

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Size

10.5MB
MD5

e1fad5d61bb637beb30aec6d3180ece2
SHA1

88966028db1eb2a41cec54875486638937a28208
SHA256

6a2f6da502485750acde45ad22d36d186c335b2f61592c5eae168e9f971ffc70
SHA512

5c87ab2570983aff67fe5d99dc157e9ebb040ea96a8344da0f1cdf6fdf9701ee014e43c69255773e95ae09d7c45ece9b119928b45c8fb400351ecccf996a56cb

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Setup.execonhost.exefiles.dat

pid process

2168 Setup.exe
3200 conhost.exe
4032 files.dat

pid	process
2168	Setup.exe
3200	conhost.exe
4032	files.dat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Setup.exe	upx
C:\Users\Admin\AppData\Roaming\Setup.exe	upx

Drops startup file 1 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe.manifest	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

Drops file in Windows directory 1 IoCs

Processes:

LogonUI.exe

description ioc process

File created C:\Windows\rescache\_merged\2229298842\686952300.pri LogonUI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\2229298842\686952300.pri	LogonUI.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "231"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	conhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeSecurityPrivilege	2424	WMIC.exe
Token: SeTakeOwnershipPrivilege	2424	WMIC.exe
Token: SeLoadDriverPrivilege	2424	WMIC.exe
Token: SeSystemProfilePrivilege	2424	WMIC.exe
Token: SeSystemtimePrivilege	2424	WMIC.exe
Token: SeProfSingleProcessPrivilege	2424	WMIC.exe
Token: SeIncBasePriorityPrivilege	2424	WMIC.exe
Token: SeCreatePagefilePrivilege	2424	WMIC.exe
Token: SeBackupPrivilege	2424	WMIC.exe
Token: SeRestorePrivilege	2424	WMIC.exe
Token: SeShutdownPrivilege	2424	WMIC.exe
Token: SeDebugPrivilege	2424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2424	WMIC.exe
Token: SeRemoteShutdownPrivilege	2424	WMIC.exe
Token: SeUndockPrivilege	2424	WMIC.exe
Token: SeManageVolumePrivilege	2424	WMIC.exe
Token: 33	2424	WMIC.exe
Token: 34	2424	WMIC.exe
Token: 35	2424	WMIC.exe
Token: 36	2424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeSecurityPrivilege	2424	WMIC.exe
Token: SeTakeOwnershipPrivilege	2424	WMIC.exe
Token: SeLoadDriverPrivilege	2424	WMIC.exe
Token: SeSystemProfilePrivilege	2424	WMIC.exe
Token: SeSystemtimePrivilege	2424	WMIC.exe
Token: SeProfSingleProcessPrivilege	2424	WMIC.exe
Token: SeIncBasePriorityPrivilege	2424	WMIC.exe
Token: SeCreatePagefilePrivilege	2424	WMIC.exe
Token: SeBackupPrivilege	2424	WMIC.exe
Token: SeRestorePrivilege	2424	WMIC.exe
Token: SeShutdownPrivilege	2424	WMIC.exe
Token: SeDebugPrivilege	2424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2424	WMIC.exe
Token: SeRemoteShutdownPrivilege	2424	WMIC.exe
Token: SeUndockPrivilege	2424	WMIC.exe
Token: SeManageVolumePrivilege	2424	WMIC.exe
Token: 33	2424	WMIC.exe
Token: 34	2424	WMIC.exe
Token: 35	2424	WMIC.exe
Token: 36	2424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe
Token: SeSecurityPrivilege	1864	WMIC.exe
Token: SeTakeOwnershipPrivilege	1864	WMIC.exe
Token: SeLoadDriverPrivilege	1864	WMIC.exe
Token: SeSystemProfilePrivilege	1864	WMIC.exe
Token: SeSystemtimePrivilege	1864	WMIC.exe
Token: SeProfSingleProcessPrivilege	1864	WMIC.exe
Token: SeIncBasePriorityPrivilege	1864	WMIC.exe
Token: SeCreatePagefilePrivilege	1864	WMIC.exe
Token: SeBackupPrivilege	1864	WMIC.exe
Token: SeRestorePrivilege	1864	WMIC.exe
Token: SeShutdownPrivilege	1864	WMIC.exe
Token: SeDebugPrivilege	1864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1864	WMIC.exe
Token: SeRemoteShutdownPrivilege	1864	WMIC.exe
Token: SeUndockPrivilege	1864	WMIC.exe
Token: SeManageVolumePrivilege	1864	WMIC.exe
Token: 33	1864	WMIC.exe
Token: 34	1864	WMIC.exe
Token: 35	1864	WMIC.exe
Token: 36	1864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1864	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid process

3508 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
3508 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid process

3508 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
3508 6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

4052 LogonUI.exe
4052 LogonUI.exe

pid	process
3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid	process
3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe

pid	process
4052	LogonUI.exe
4052	LogonUI.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exeSetup.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3508 wrote to memory of 2168	3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 3508 wrote to memory of 2168	3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 3508 wrote to memory of 2168	3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	Setup.exe
PID 3508 wrote to memory of 3200	3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 3508 wrote to memory of 3200	3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 3508 wrote to memory of 3200	3508	6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe	conhost.exe
PID 2168 wrote to memory of 3780	2168	Setup.exe	cmd.exe
PID 2168 wrote to memory of 3780	2168	Setup.exe	cmd.exe
PID 3780 wrote to memory of 2424	3780	cmd.exe	WMIC.exe
PID 3780 wrote to memory of 2424	3780	cmd.exe	WMIC.exe
PID 2168 wrote to memory of 4056	2168	Setup.exe	cmd.exe
PID 2168 wrote to memory of 4056	2168	Setup.exe	cmd.exe
PID 4056 wrote to memory of 1864	4056	cmd.exe	WMIC.exe
PID 4056 wrote to memory of 1864	4056	cmd.exe	WMIC.exe
PID 2168 wrote to memory of 3972	2168	Setup.exe	cmd.exe
PID 2168 wrote to memory of 3972	2168	Setup.exe	cmd.exe
PID 3972 wrote to memory of 4032	3972	cmd.exe	files.dat
PID 3972 wrote to memory of 4032	3972	cmd.exe	files.dat
PID 3972 wrote to memory of 4032	3972	cmd.exe	files.dat

C:\Users\Admin\AppData\Local\Temp\6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe
"C:\Users\Admin\AppData\Local\Temp\6A2F6DA502485750ACDE45AD22D36D186C335B2F61592.exe"
1⤵
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Roaming\Setup.exe
C:\Users\Admin\AppData\Roaming\Setup.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Roaming\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Roaming\Setup.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Roaming\files"
3⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System32\Wbem\WMIC.exe
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Roaming\files"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
3⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Roaming\files\files.dat
files.dat -y -pkmsauto
4⤵
- Executes dropped EXE
PID:4032

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3200

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x328
1⤵
PID:3188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a36055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Setup.exe
MD5
e4a514f71bc9e329c641beb89343bcac

SHA1
99dbb79944b2582e1d903acf3499572b8e9a6b86

SHA256
f674489ace458373c9c28b60a3afd76f1c4176986d6fb3b51bf0832011c8af4d

SHA512
89bebe806976e043d9464074be46c3f8ad7deba3cb20c51eda328f40e9daa84731b9fb83130248c9f69aec50e575a53068233bce77ffc68c1d49736d4dd17c65

Download Submit
C:\Users\Admin\AppData\Roaming\Setup.exe
MD5
e4a514f71bc9e329c641beb89343bcac

SHA1
99dbb79944b2582e1d903acf3499572b8e9a6b86

SHA256
f674489ace458373c9c28b60a3afd76f1c4176986d6fb3b51bf0832011c8af4d

SHA512
89bebe806976e043d9464074be46c3f8ad7deba3cb20c51eda328f40e9daa84731b9fb83130248c9f69aec50e575a53068233bce77ffc68c1d49736d4dd17c65

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
MD5
fdbd7b1910d980cf7273796a0119d252

SHA1
47029af064a51454662909465ce38ee5cdcc62c7

SHA256
3e1da2d14de49132c42e8a4ddceb5efd36e066523affcc47de6d175316ab0f4e

SHA512
ab43e5ba29134c62a8beb000657f83b9471a64a839d3462c9625d059b5e259a75cdd27b2536150ae40931478384f6c13ef777756391cbe4cd9d95de35b581170

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe.manifest
MD5
faa0a1da99c41ae839f47795e88ca4cf

SHA1
d7b59374b1dd7ae8ff41e0f475716603fda5c803

SHA256
9265c14584cbe0be261acb481af9e204bdfda799b45dab3aa04fe30cd348a663

SHA512
6f8c5684e3f6ba63974384cc4d4adb0b8d5ecea2d132e1a2f9ab3030c789508e0faa165d1650708a46c52760b8a603f42ed8d366245430b2a54faf9fd1fd17b2

Download Submit
C:\Users\Admin\AppData\Roaming\files\files.dat
MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\AppData\Roaming\files\files.dat
MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads