Analysis
max time kernel: 122s
max time network: 156s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2022 17:01

Static task: static1
Behavioral task: behavioral1
Sample: 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
Resource: win7-20220718-en

General
Target: 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
Size: 29.6MB
MD5: 87e9ef77d9eae3a947a8922acf8179d4
SHA1: 064167fa469d978df5fd2f1963d4bbb94c341e87
SHA256: 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382
SHA512: 4bbbe4f6fc0cf1fbe1ae30d3f1fe9356b5bdb08ef60dbecca42e32c3d6208b47db9c9087c1542f5f21c1f8a7a0e4951f2e7cc13f4fd336aed2fb3ca99cf487bf
Malware Config
Signatures

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wmiprvse.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | conhost.exe

Executes dropped EXE 8 IoCs
pid | Process
1316 | inerstelar.exe
1596 | key.exe
1940 | rmsbuild.exe
1564 | sysdisk.exe
1160 | svnhost.exe
1224 | sysdisk.exe
1616 | mngrdevice.exe
856 | winsystem.exe

Modifies Windows Firewall 1 TTPs 16 IoCs
pid | Process
2000 | netsh.exe
1016 | netsh.exe
1432 | netsh.exe
440 | netsh.exe
1612 | netsh.exe
1712 | netsh.exe
2008 | netsh.exe
1544 | netsh.exe
2032 | netsh.exe
1876 | netsh.exe
2028 | netsh.exe
860 | netsh.exe
1512 | netsh.exe
1496 | netsh.exe
1952 | netsh.exe
1904 | netsh.exe

UPX packed file
resource | yara_rule
behavioral1/memory/1160-129-0x0000000010000000-0x000000001005A000-memory.dmp | upx
behavioral1/memory/1160-128-0x0000000010000000-0x000000001005A000-memory.dmp | upx
behavioral1/memory/1160-132-0x00000000034D0000-0x000000000352A000-memory.dmp | upx
behavioral1/memory/1160-131-0x00000000034D0000-0x000000000352A000-memory.dmp | upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Control Panel\International\Geo\Nation | sysdisk.exe

Loads dropped DLL 11 IoCs
pid | Process
2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
1940 | rmsbuild.exe
1316 | inerstelar.exe
1316 | inerstelar.exe
1960 | cmd.exe
1160 | svnhost.exe
1160 | svnhost.exe
952 | cmd.exe
952 | cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Windows = "C:\\Windows\\keylog\\mngrdevice.exe" | mngrdevice.exe

Drops file in Windows directory 10 IoCs
description | ioc | Process
File created | C:\Windows\keylog\libeay32.dll | mngrdevice.exe
File created | C:\Windows\System64\winsystem.exe | rmsbuild.exe
File opened for modification | C:\Windows\keylog\mngrdevice.exe | key.exe
File created | C:\Windows\System64\vp8encoder.dll | rmsbuild.exe
File created | C:\Windows\System64\sysdisk.exe | rmsbuild.exe
File created | C:\Windows\keylog\ssleay32.dll | mngrdevice.exe
File created | C:\Windows\setlibrecini.ini | rmsbuild.exe
File created | C:\Windows\System64\service.bat | rmsbuild.exe
File created | C:\Windows\keylog\mngrdevice.exe | key.exe
File created | C:\Windows\System64\vp8decoder.dll | rmsbuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
1972 | systeminfo.exe

Modifies registry key 1 TTPs 8 IoCs
pid | Process
288 | reg.exe
1920 | reg.exe
1300 | reg.exe
1168 | reg.exe
1744 | reg.exe
1680 | reg.exe
1572 | reg.exe
2012 | reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
1564 | sysdisk.exe
1564 | sysdisk.exe
1564 | sysdisk.exe
1564 | sysdisk.exe
1564 | sysdisk.exe
1224 | sysdisk.exe
1224 | sysdisk.exe
1224 | sysdisk.exe
1224 | sysdisk.exe
1160 | svnhost.exe
1160 | svnhost.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 948 | powercfg.exe
Token: SeShutdownPrivilege | 948 | powercfg.exe
Token: SeShutdownPrivilege | 948 | powercfg.exe
Token: SeShutdownPrivilege | 948 | powercfg.exe
Token: SeShutdownPrivilege | 948 | powercfg.exe
Token: SeCreatePagefilePrivilege | 948 | powercfg.exe
Token: SeShutdownPrivilege | 1884 | powercfg.exe
Token: SeShutdownPrivilege | 1884 | powercfg.exe
Token: SeShutdownPrivilege | 1884 | powercfg.exe
Token: SeShutdownPrivilege | 1884 | powercfg.exe
Token: SeShutdownPrivilege | 1884 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1884 | powercfg.exe
Token: SeShutdownPrivilege | 2044 | powercfg.exe
Token: SeShutdownPrivilege | 2044 | powercfg.exe
Token: SeShutdownPrivilege | 2044 | powercfg.exe
Token: SeShutdownPrivilege | 2044 | powercfg.exe
Token: SeShutdownPrivilege | 2044 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2044 | powercfg.exe
Token: SeShutdownPrivilege | 904 | conhost.exe
Token: SeShutdownPrivilege | 904 | conhost.exe
Token: SeShutdownPrivilege | 904 | conhost.exe
Token: SeShutdownPrivilege | 904 | conhost.exe
Token: SeShutdownPrivilege | 904 | conhost.exe
Token: SeCreatePagefilePrivilege | 904 | conhost.exe
Token: SeShutdownPrivilege | 1912 | powercfg.exe
Token: SeShutdownPrivilege | 1912 | powercfg.exe
Token: SeShutdownPrivilege | 1912 | powercfg.exe
Token: SeShutdownPrivilege | 1912 | powercfg.exe
Token: SeShutdownPrivilege | 1912 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1912 | powercfg.exe
Token: SeShutdownPrivilege | 1016 | powercfg.exe
Token: SeShutdownPrivilege | 1016 | powercfg.exe
Token: SeShutdownPrivilege | 1016 | powercfg.exe
Token: SeShutdownPrivilege | 1016 | powercfg.exe
Token: SeShutdownPrivilege | 1016 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1016 | powercfg.exe
Token: SeDebugPrivilege | 1564 | sysdisk.exe
Token: SeShutdownPrivilege | 1356 | powercfg.exe
Token: SeShutdownPrivilege | 1356 | powercfg.exe
Token: SeShutdownPrivilege | 1356 | powercfg.exe
Token: SeShutdownPrivilege | 1356 | powercfg.exe
Token: SeShutdownPrivilege | 1356 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1356 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 1224 | sysdisk.exe
Token: SeTcbPrivilege | 1224 | sysdisk.exe
Token: SeTcbPrivilege | 1224 | sysdisk.exe
Token: SeShutdownPrivilege | 1632 | powercfg.exe
Token: SeShutdownPrivilege | 1632 | powercfg.exe
Token: SeShutdownPrivilege | 1632 | powercfg.exe
Token: SeShutdownPrivilege | 1632 | powercfg.exe
Token: SeShutdownPrivilege | 1632 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1632 | powercfg.exe

Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
1596 | key.exe
1940 | rmsbuild.exe
1940 | rmsbuild.exe
1564 | sysdisk.exe
1564 | sysdisk.exe
1564 | sysdisk.exe
1564 | sysdisk.exe
1224 | sysdisk.exe
1224 | sysdisk.exe
1224 | sysdisk.exe
1224 | sysdisk.exe
1616 | mngrdevice.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2024 wrote to memory of 1744 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 28
PID 2024 wrote to memory of 1744 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 28
PID 2024 wrote to memory of 1744 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 28
PID 2024 wrote to memory of 1744 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 28
PID 2024 wrote to memory of 948 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 30
PID 2024 wrote to memory of 948 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 30
PID 2024 wrote to memory of 948 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 30
PID 2024 wrote to memory of 948 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 30
PID 2024 wrote to memory of 2008 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 32
PID 2024 wrote to memory of 2008 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 32
PID 2024 wrote to memory of 2008 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 32
PID 2024 wrote to memory of 2008 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 32
PID 2024 wrote to memory of 2000 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 34
PID 2024 wrote to memory of 2000 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 34
PID 2024 wrote to memory of 2000 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 34
PID 2024 wrote to memory of 2000 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 34
PID 2024 wrote to memory of 1316 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 36
PID 2024 wrote to memory of 1316 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 36
PID 2024 wrote to memory of 1316 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 36
PID 2024 wrote to memory of 1316 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 36
PID 2024 wrote to memory of 1680 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 37
PID 2024 wrote to memory of 1680 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 37
PID 2024 wrote to memory of 1680 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 37
PID 2024 wrote to memory of 1680 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 37
PID 2024 wrote to memory of 1884 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 38
PID 2024 wrote to memory of 1884 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 38
PID 2024 wrote to memory of 1884 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 38
PID 2024 wrote to memory of 1884 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 38
PID 2024 wrote to memory of 1016 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 76
PID 2024 wrote to memory of 1016 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 76
PID 2024 wrote to memory of 1016 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 76
PID 2024 wrote to memory of 1016 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 76
PID 2024 wrote to memory of 860 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 42
PID 2024 wrote to memory of 860 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 42
PID 2024 wrote to memory of 860 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 42
PID 2024 wrote to memory of 860 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 42
PID 1316 wrote to memory of 1432 | 1316 | inerstelar.exe | 53
PID 1316 wrote to memory of 1432 | 1316 | inerstelar.exe | 53
PID 1316 wrote to memory of 1432 | 1316 | inerstelar.exe | 53
PID 1316 wrote to memory of 1432 | 1316 | inerstelar.exe | 53
PID 1316 wrote to memory of 1904 | 1316 | inerstelar.exe | 52
PID 1316 wrote to memory of 1904 | 1316 | inerstelar.exe | 52
PID 1316 wrote to memory of 1904 | 1316 | inerstelar.exe | 52
PID 1316 wrote to memory of 1904 | 1316 | inerstelar.exe | 52
PID 2024 wrote to memory of 1596 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 45
PID 2024 wrote to memory of 1596 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 45
PID 2024 wrote to memory of 1596 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 45
PID 2024 wrote to memory of 1596 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 45
PID 1316 wrote to memory of 1572 | 1316 | inerstelar.exe | 50
PID 1316 wrote to memory of 1572 | 1316 | inerstelar.exe | 50
PID 1316 wrote to memory of 1572 | 1316 | inerstelar.exe | 50
PID 1316 wrote to memory of 1572 | 1316 | inerstelar.exe | 50
PID 1316 wrote to memory of 2044 | 1316 | inerstelar.exe | 49
PID 1316 wrote to memory of 2044 | 1316 | inerstelar.exe | 49
PID 1316 wrote to memory of 2044 | 1316 | inerstelar.exe | 49
PID 1316 wrote to memory of 2044 | 1316 | inerstelar.exe | 49
PID 2024 wrote to memory of 2012 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 54
PID 2024 wrote to memory of 2012 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 54
PID 2024 wrote to memory of 2012 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 54
PID 2024 wrote to memory of 2012 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 54
PID 2024 wrote to memory of 904 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 95
PID 2024 wrote to memory of 904 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 95
PID 2024 wrote to memory of 904 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 95
PID 2024 wrote to memory of 904 | 2024 | 8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe | 95
Processes
(indentation shows the process tree; the bracketed number is the depth shown in the report)

[depth 1] C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8a487b244c55599fed414d7a3e448f63a100cd49df9f5464688c9eddd6dbd382.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2024

  [depth 2] C:\Windows\SysWOW64\reg.exe
    command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
    - Modifies registry key
    PID: 1744

  [depth 2] C:\Windows\SysWOW64\powercfg.exe
    command line: powercfg.exe -h off
    - Suspicious use of AdjustPrivilegeToken
    PID: 948

  [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: netsh firewall set opmode mode=disable
    - Modifies Windows Firewall
    PID: 2008

  [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
    PID: 2000

  [depth 2] C:\Users\Admin\AppData\Local\Temp\inerstelar.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\inerstelar.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1316

    [depth 3] C:\Windows\SysWOW64\powercfg.exe
      command line: powercfg.exe -h off
      - Suspicious use of AdjustPrivilegeToken
      PID: 2044

    [depth 3] C:\Windows\SysWOW64\reg.exe
      command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
      PID: 1572

    [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
      PID: 1904

    [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
      PID: 1432

    [depth 3] C:\Users\Admin\AppData\Local\Temp\svnhost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\svnhost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID: 1160

      [depth 4] C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
        PID: 1544

      [depth 4] C:\Windows\SysWOW64\netsh.exe
        command line: netsh advfirewall set allprofiles state off
        - Modifies Windows Firewall
        PID: 1496

      [depth 4] C:\Windows\SysWOW64\powercfg.exe
        command line: powercfg.exe -h off
        - Suspicious use of AdjustPrivilegeToken
        PID: 1356

      [depth 4] C:\Windows\SysWOW64\reg.exe
        command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Modifies registry key
        PID: 1300

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /C systeminfo
        PID: 856

        [depth 5] C:\Windows\SysWOW64\systeminfo.exe
          command line: systeminfo
          - Gathers system information
          PID: 1972

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /C netsh wlan show networks mode=bssid
        PID: 1300

        [depth 5] C:\Windows\SysWOW64\netsh.exe
          command line: netsh wlan show networks mode=bssid
          PID: 2032

  [depth 2] C:\Windows\SysWOW64\reg.exe
    command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
    - Modifies registry key
    PID: 1680

  [depth 2] C:\Windows\SysWOW64\powercfg.exe
    command line: powercfg.exe -h off
    - Suspicious use of AdjustPrivilegeToken
    PID: 1884

  [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: netsh firewall set opmode mode=disable
    - Modifies Windows Firewall
    PID: 1016

  [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
    PID: 860

  [depth 2] C:\Users\Admin\AppData\Local\Temp\key.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\key.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID: 1596

    [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
      PID: 1612

    [depth 3] C:\Windows\SysWOW64\reg.exe
      command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Modifies registry key
      PID: 288

    [depth 3] C:\Windows\SysWOW64\powercfg.exe
      command line: powercfg.exe -h off
      - Suspicious use of AdjustPrivilegeToken
      PID: 1912

    [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
      PID: 2028

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\keylog\mngrdevice.exe"
      - Loads dropped DLL
      PID: 1960

      [depth 4] C:\Windows\keylog\mngrdevice.exe
        command line: C:\Windows\keylog\mngrdevice.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        PID: 1616

        [depth 5] C:\Windows\SysWOW64\powercfg.exe
          command line: powercfg.exe -h off
          - Suspicious use of AdjustPrivilegeToken
          PID: 1632

        [depth 5] C:\Windows\SysWOW64\reg.exe
          command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key
          PID: 1168

        [depth 5] C:\Windows\SysWOW64\netsh.exe
          command line: netsh advfirewall set allprofiles state off
          - Modifies Windows Firewall
          PID: 1952

        [depth 5] C:\Windows\SysWOW64\netsh.exe
          command line: netsh firewall set opmode mode=disable
          - Modifies Windows Firewall
          PID: 2032

  [depth 2] C:\Windows\SysWOW64\reg.exe
    command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
    - Modifies registry key
    PID: 2012

  [depth 2] C:\Windows\SysWOW64\powercfg.exe
    command line: powercfg.exe -h off
    PID: 904

  [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: netsh firewall set opmode mode=disable
    - Modifies Windows Firewall
    PID: 1876

  [depth 2] C:\Windows\SysWOW64\netsh.exe
    command line: netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
    PID: 440

  [depth 2] C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rmsbuild.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID: 1940

    [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
      PID: 1512

    [depth 3] C:\Windows\SysWOW64\reg.exe
      command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Modifies registry key
      PID: 1920

    [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
      PID: 1712

    [depth 3] C:\Windows\SysWOW64\powercfg.exe
      command line: powercfg.exe -h off
      - Suspicious use of AdjustPrivilegeToken
      PID: 1016

    [depth 3] C:\Windows\System64\sysdisk.exe
      command line: "C:\Windows\System64\sysdisk.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1564

      [depth 4] C:\Windows\System64\sysdisk.exe
        command line: C:\Windows\System64\sysdisk.exe -second
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 1224

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Windows\System64\service.bat" "
      - Loads dropped DLL
      PID: 952

      [depth 4] C:\Windows\System64\winsystem.exe
        command line: winsystem.exe /install /silent
        - Executes dropped EXE
        PID: 856

[depth 1] C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-37413531-1115838337787394631260271095-1399498577-1550575336-16586521101804196716"
  - UAC bypass
  PID: 288

[depth 1] C:\Windows\system32\wbem\wmiprvse.exe
  command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - UAC bypass
  PID: 1920

[depth 1] C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "1179249605983682104-1119135658-75226695919307013912134044593-750440941-2093818915"
  - Suspicious use of AdjustPrivilegeToken
  PID: 904

[depth 1] C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-313298714204795503-2093809785980915218-1295917972258122925-811576903835092896"
  - UAC bypass
  PID: 1300

[depth 1] C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-539312482-10954194241779308706-14704845521776876312-2855983688219138-1778331942"
  PID: 1612

[depth 1] C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "20808106186806756-1242907773-1403845046-176882123820108127341860282369-1911956101"
  PID: 1876
Network
MITRE ATT&CK Enterprise v6
Downloads