94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03

Analysis

max time kernel
156s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 13:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe
Size

325KB
MD5

44d8e5a0c5b29fc1c62aeebf7c173b03
SHA1

03dad55dba7d19786ec78f7d8bcd72a4e5b04c89
SHA256

94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03
SHA512

3f88401ba40bfd62a8ca864d2bc49eaa26e02706f124099115f58fe82b88bf70cb8a87a540375a62d643a4bd7e4c3ad842c53ed83acc21d777e3681d49a3eda3
SSDEEP

6144:3BR0yfRkQ9OeZosdRnvDgCXdmV/RwokYutQbd40jcw1hdrqVvL6KL2qcdN0uq8AO:bfRkcosdtnNEwopIQZ4CHndrqVvLxL2l

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	looecad.exe

Executes dropped EXE 5 IoCs

pid	Process
4848	ljSOguR.exe
3724	looecad.exe
2124	moon1.exe
3340	moon2.exe
4040	moon3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2492-150-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2492-152-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2492-153-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2492-156-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	moon2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ljSOguR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	moon1.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /b"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /O"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /J"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /E"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /x"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /c"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /y"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /Y"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /N"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /K"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /L"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /l"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /h"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /Q"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /R"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /j"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /g"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /X"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /i"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /d"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /f"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /T"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /a"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /m"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /q"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /W"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /e"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /U"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /Z"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /k"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /A"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /G"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /F"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /p"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /P"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /r"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /z"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /n"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /V"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /t"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /v"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /o"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /S"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /s"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /D"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /M"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /I"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /C"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /u"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /B"	looecad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\looecad = "C:\\Users\\Admin\\looecad.exe /H"	looecad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 2492	2124	moon1.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1012	4040	WerFault.exe	96

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3916	tasklist.exe
988	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	ljSOguR.exe
4848	ljSOguR.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3340	moon2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	tasklist.exe
Token: SeDebugPrivilege	988	tasklist.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4848	ljSOguR.exe
3724	looecad.exe
2124	moon1.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4848	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	79
PID 768 wrote to memory of 4848	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	79
PID 768 wrote to memory of 4848	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	79
PID 4848 wrote to memory of 3724	4848	ljSOguR.exe	83
PID 4848 wrote to memory of 3724	4848	ljSOguR.exe	83
PID 4848 wrote to memory of 3724	4848	ljSOguR.exe	83
PID 4848 wrote to memory of 1520	4848	ljSOguR.exe	84
PID 4848 wrote to memory of 1520	4848	ljSOguR.exe	84
PID 4848 wrote to memory of 1520	4848	ljSOguR.exe	84
PID 768 wrote to memory of 2124	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	86
PID 768 wrote to memory of 2124	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	86
PID 768 wrote to memory of 2124	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	86
PID 1520 wrote to memory of 3916	1520	cmd.exe	87
PID 1520 wrote to memory of 3916	1520	cmd.exe	87
PID 1520 wrote to memory of 3916	1520	cmd.exe	87
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 2492	2124	moon1.exe	88
PID 2124 wrote to memory of 1716	2124	moon1.exe	89
PID 2124 wrote to memory of 1716	2124	moon1.exe	89
PID 2124 wrote to memory of 1716	2124	moon1.exe	89
PID 768 wrote to memory of 3340	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	91
PID 768 wrote to memory of 3340	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	91
PID 768 wrote to memory of 3340	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	91
PID 1716 wrote to memory of 988	1716	cmd.exe	92
PID 1716 wrote to memory of 988	1716	cmd.exe	92
PID 1716 wrote to memory of 988	1716	cmd.exe	92
PID 3340 wrote to memory of 4696	3340	moon2.exe	94
PID 3340 wrote to memory of 4696	3340	moon2.exe	94
PID 3340 wrote to memory of 4696	3340	moon2.exe	94
PID 768 wrote to memory of 4040	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	96
PID 768 wrote to memory of 4040	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	96
PID 768 wrote to memory of 4040	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	96
PID 768 wrote to memory of 3284	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	103
PID 768 wrote to memory of 3284	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	103
PID 768 wrote to memory of 3284	768	94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe	103

C:\Users\Admin\AppData\Local\Temp\94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe
"C:\Users\Admin\AppData\Local\Temp\94e23605959426d0885adeb368cc915d97e621111f70876f03934997de2c5e03.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\ljSOguR.exe
  "C:\Users\Admin\ljSOguR.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\looecad.exe
    "C:\Users\Admin\looecad.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del ljSOguR.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3916
- C:\Users\Admin\moon1.exe
  "C:\Users\Admin\moon1.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del moon1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:988
- C:\Users\Admin\moon2.exe
  "C:\Users\Admin\moon2.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Tsz..bat" > nul 2> nul
    3⤵
    PID:4696
- C:\Users\Admin\moon3.exe
  "C:\Users\Admin\moon3.exe"
  2⤵
  - Executes dropped EXE
  PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 280
    3⤵
    - Program crash
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4040 -ip 4040
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
da690640a83690b0913dba8da42fd2db

SHA1
fe680a904391c5be1a3d12eea224fd56a8ed6db8

SHA256
def5c6d325d93f182bf729e009005df3a3878300f4d3443efe6e66d0f1332958

SHA512
71f9baf8150df1dc419d619be92098bf9ff5a1da8b2643499814e0c7a09fda6b206ea124b9be4f8752b67805128a1d1a0c82ceaf189a385e063f67a30bcdbce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsz..bat

Filesize
118B

MD5
5319f77880a1b442beb0c630c4824fe0

SHA1
d9c62cc9420d9da2eed593c0a1c346376362de0f

SHA256
c5215903ac258bcd80902fd7c79c9d9d3ff277a997a93f4ff0b8cde6dfdeda22

SHA512
af21cf80547b3a0f919fb92f4e41a9fa4fcfe714ecaf5657c9cfd3085b782db71cbc95414e2098f8263d2bfa1eaa6d711971dd158d5c6d9e650b2d5a7de1669b

Download Submit
C:\Users\Admin\ljSOguR.exe

Filesize
232KB

MD5
ef67b3b8479fb80399139cf7ffc61155

SHA1
2771fd55bf2f20100a95b58b5bdf2dd265a14688

SHA256
7c5cb5323bae5eb2f44324db5ae389510ceb198c090a0b1254aa5a9a967e2937

SHA512
b19c48db8df72d8ed1254a0e07506023d475e1ea64473c6b273a0ad79990c04497c0d74af9959cef81c6afeb257501a0953b1c702f7f14ee81e8296a983ea943

Download Submit
C:\Users\Admin\ljSOguR.exe

Filesize
232KB

MD5
ef67b3b8479fb80399139cf7ffc61155

SHA1
2771fd55bf2f20100a95b58b5bdf2dd265a14688

SHA256
7c5cb5323bae5eb2f44324db5ae389510ceb198c090a0b1254aa5a9a967e2937

SHA512
b19c48db8df72d8ed1254a0e07506023d475e1ea64473c6b273a0ad79990c04497c0d74af9959cef81c6afeb257501a0953b1c702f7f14ee81e8296a983ea943

Download Submit
C:\Users\Admin\looecad.exe

Filesize
232KB

MD5
31db141372e4cb9ebf8a8b9a6551fe2e

SHA1
dd27002430c637c8f9069694160440e970394849

SHA256
284d9cf1f22915d63300312df519d19a2acb51678e9f16c8bac65b17fb23931e

SHA512
c5f4a42370dbf5901e8fe36459e96d2f19911e247812ffe13a7d35ae4735e45e8942a5d1bd77405e0cf7c96a872717903dedb16866d8d5cb33e570b5a3e477a5

Download Submit
C:\Users\Admin\looecad.exe

Filesize
232KB

MD5
31db141372e4cb9ebf8a8b9a6551fe2e

SHA1
dd27002430c637c8f9069694160440e970394849

SHA256
284d9cf1f22915d63300312df519d19a2acb51678e9f16c8bac65b17fb23931e

SHA512
c5f4a42370dbf5901e8fe36459e96d2f19911e247812ffe13a7d35ae4735e45e8942a5d1bd77405e0cf7c96a872717903dedb16866d8d5cb33e570b5a3e477a5

Download Submit
C:\Users\Admin\moon1.exe

Filesize
84KB

MD5
6350fd271f08082f04d42541b289042e

SHA1
6abe4a0f1837412a0f898db21688793a42298f2a

SHA256
15bbd563fe4ccc4c66a69e31f8dfc2ec02724cf90ed090468b7161f40931fa5a

SHA512
cca99b639fc131b7cf53e48a8bb6062ba9a8cb1e7626c6a1bcc1144d6159c206d3d9fb16a8f9ea70ba53bcea665ce412d1de0e7bd558898dabe35352783db402

Download Submit
C:\Users\Admin\moon1.exe

Filesize
84KB

MD5
6350fd271f08082f04d42541b289042e

SHA1
6abe4a0f1837412a0f898db21688793a42298f2a

SHA256
15bbd563fe4ccc4c66a69e31f8dfc2ec02724cf90ed090468b7161f40931fa5a

SHA512
cca99b639fc131b7cf53e48a8bb6062ba9a8cb1e7626c6a1bcc1144d6159c206d3d9fb16a8f9ea70ba53bcea665ce412d1de0e7bd558898dabe35352783db402

Download Submit
C:\Users\Admin\moon2.exe

Filesize
64KB

MD5
112f2d2ae1e4cac9b23f6f152fde18a9

SHA1
5edca1306508d7640aece4d20c6bbb728939a2e6

SHA256
d51587a7b9d12ab6a66d5627bdd9da34d4d9e37d157da7b4e6b3512e1214af36

SHA512
c587167e8da0efe0cf7f9bf0c4f0e256d39c566381ae683c7e9845d58c07b5ae7acd6110416e644d8e6f7a9e54edc531ac41cee7c37574b7da4202046bad6726

Download Submit
C:\Users\Admin\moon2.exe

Filesize
64KB

MD5
112f2d2ae1e4cac9b23f6f152fde18a9

SHA1
5edca1306508d7640aece4d20c6bbb728939a2e6

SHA256
d51587a7b9d12ab6a66d5627bdd9da34d4d9e37d157da7b4e6b3512e1214af36

SHA512
c587167e8da0efe0cf7f9bf0c4f0e256d39c566381ae683c7e9845d58c07b5ae7acd6110416e644d8e6f7a9e54edc531ac41cee7c37574b7da4202046bad6726

Download Submit
C:\Users\Admin\moon3.exe

Filesize
123KB

MD5
2b107c2c578aa5ac9f7dc1dfba173345

SHA1
06f840387114f127471fe36ba96cdc19422e3f71

SHA256
a1f9c215bb448927792bd8cb10fe23e358ed60d49a3c5575960395b6093886b2

SHA512
646b4aa868d10fe4ec1fda897523d235c3c473aa4157774310c52affd754a9ca49929a9fba88a43d2ac49a93fb46f76921ed77e9384944c5bfb3bd29e6880e61

Download Submit
C:\Users\Admin\moon3.exe

Filesize
123KB

MD5
2b107c2c578aa5ac9f7dc1dfba173345

SHA1
06f840387114f127471fe36ba96cdc19422e3f71

SHA256
a1f9c215bb448927792bd8cb10fe23e358ed60d49a3c5575960395b6093886b2

SHA512
646b4aa868d10fe4ec1fda897523d235c3c473aa4157774310c52affd754a9ca49929a9fba88a43d2ac49a93fb46f76921ed77e9384944c5bfb3bd29e6880e61

Download Submit
memory/2492-153-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2492-150-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2492-156-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2492-152-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3340-160-0x0000000000590000-0x00000000005B6000-memory.dmp

Filesize
152KB

Download
memory/3340-161-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3340-163-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download