77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5

Analysis

max time kernel
23s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Size

277KB
MD5

9029e0ea85ca6a8dbcf395647858ae5e
SHA1

8c212f137d78ee314d28df0551bc64e99757bf64
SHA256

77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5
SHA512

2915a9dc9a88b01caf54de47e7a9d07c59583aae7266a782c983f9a78f202c522339a17dc2e0f7328bca167a12e4aabd1f3a763a5ea1a753695e857c85db5ddd
SSDEEP

6144:g+1QlJF9EW9B1zucjpfwEzeAWc/r9AwGNkVsuaRaU6mHGU:gUMwseGpi0aRz6mHGU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2040	services.exe

Deletes itself 1 IoCs

pid	Process
2040	services.exe

Loads dropped DLL 6 IoCs

pid	Process
1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MessengerPlus	services.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\MSWINSCK.OCX	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\services.exe	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\services.ini	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\MSWINSCK.OCX	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\system\\MSWINSCK.OCX"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\system\\MSWINSCK.OCX"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\system\\MSWINSCK.OCX, 1"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
2040	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2040	1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	28
PID 1744 wrote to memory of 2040	1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	28
PID 1744 wrote to memory of 2040	1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	28
PID 1744 wrote to memory of 2040	1744	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	28

C:\Users\Admin\AppData\Local\Temp\77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
"C:\Users\Admin\AppData\Local\Temp\77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system\services.exe
  "C:\Windows\system\services.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\system\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
C:\Windows\system\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
C:\Windows\system\services.ini

Filesize
102B

MD5
548bc20812a0cdcfa4a861232a9b4017

SHA1
a58180d21b859715fb42a6a489ac1ce57211cb3c

SHA256
66c7eded72b0d265144f43620a4ad8837ca0a43a3306c95ec7e662c90a13f35b

SHA512
23388083dfd84adc13d2505313dff598b172732aa532df11690881741bbd6551c1540c1d4eb19805c10e98ef271a7551996ae7ca86c97df85981f45be92ad3fa

Download Submit
\Windows\system\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
\Windows\system\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
\Windows\system\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
\Windows\system\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
\Windows\system\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
\Windows\system\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
memory/1744-66-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1744-68-0x0000000002570000-0x000000000257D000-memory.dmp

Filesize
52KB

Download
memory/1744-56-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1744-61-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/2040-73-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2040-75-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download