77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5

Analysis

max time kernel
112s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Size

277KB
MD5

9029e0ea85ca6a8dbcf395647858ae5e
SHA1

8c212f137d78ee314d28df0551bc64e99757bf64
SHA256

77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5
SHA512

2915a9dc9a88b01caf54de47e7a9d07c59583aae7266a782c983f9a78f202c522339a17dc2e0f7328bca167a12e4aabd1f3a763a5ea1a753695e857c85db5ddd
SSDEEP

6144:g+1QlJF9EW9B1zucjpfwEzeAWc/r9AwGNkVsuaRaU6mHGU:gUMwseGpi0aRz6mHGU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2176	services.exe
224	services.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	services.exe

Loads dropped DLL 5 IoCs

pid	Process
1120	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
1120	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
2176	services.exe
3336	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
224	services.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MessengerPlus	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MessengerPlus	services.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\MSWINSCK.OCX	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\services.exe	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\services.ini	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\services.exe	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\services.ini	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
File opened for modification	C:\Windows\system\MSWINSCK.OCX	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\MSWINSCK.OCX	services.exe
File opened for modification	C:\Windows\system\services.exe	services.exe
File opened for modification	C:\Windows\system\services.ini	services.exe
File opened for modification	C:\Windows\system\MSWINSCK.OCX	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\system\\MSWINSCK.OCX, 1"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\system\\MSWINSCK.OCX"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\system\\MSWINSCK.OCX"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3336	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1120	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
2176	services.exe
3336	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
224	services.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2176	1120	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	83
PID 1120 wrote to memory of 2176	1120	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	83
PID 1120 wrote to memory of 2176	1120	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	83
PID 2176 wrote to memory of 3336	2176	services.exe	84
PID 2176 wrote to memory of 3336	2176	services.exe	84
PID 2176 wrote to memory of 3336	2176	services.exe	84
PID 3336 wrote to memory of 224	3336	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	85
PID 3336 wrote to memory of 224	3336	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	85
PID 3336 wrote to memory of 224	3336	77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe	85

C:\Users\Admin\AppData\Local\Temp\77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
"C:\Users\Admin\AppData\Local\Temp\77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\system\services.exe
  "C:\Windows\system\services.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe
    "C:\Users\Admin\AppData\Local\Temp\77ed04861699a6d4b331d48339cac5c217c597a549e5cb40b7d0af45e4c549a5.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\system\services.exe
      "C:\Windows\system\services.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\System\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\System\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\System\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\System\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\System\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
C:\Windows\System\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
C:\Windows\system\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\system\MSWINSCK.OCX

Filesize
121KB

MD5
06a9cdfe44e4c18590ee9c7f61222516

SHA1
46a86da27b781b039e6a434f990a899d1e7022ac

SHA256
f58787f71f00910d40f58ff1ed9b9e627bc52e074261f628b996d4cc69ec144c

SHA512
e3ed9735555fd6386a85245bc8bb6da49d6fd9614b91a8e7975325348d2232d7e13fceb16c500e75e92da62f017149711665ceb961a5f78f80a8c6e28f3ba6f7

Download Submit
C:\Windows\system\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
C:\Windows\system\services.exe

Filesize
278KB

MD5
9f418a7b388c384b2ebe1dd3ee78b575

SHA1
c6ed2d0d6a3ca75fb3fef44dcfa08cb9a2f1ea8a

SHA256
e38c6474075540c09392be7dfe31ee8622daf2534139d6d9d1a08c8224db5efb

SHA512
3e7477e00b2efcaf0decce7653a7620df06a92f0bf201089940abbfea5f4027cc920db98e51b4ab8970b7d36b22320e1313c643f39c8e28869f41a22adae7da6

Download Submit
C:\Windows\system\services.ini

Filesize
102B

MD5
548bc20812a0cdcfa4a861232a9b4017

SHA1
a58180d21b859715fb42a6a489ac1ce57211cb3c

SHA256
66c7eded72b0d265144f43620a4ad8837ca0a43a3306c95ec7e662c90a13f35b

SHA512
23388083dfd84adc13d2505313dff598b172732aa532df11690881741bbd6551c1540c1d4eb19805c10e98ef271a7551996ae7ca86c97df85981f45be92ad3fa

Download Submit
C:\Windows\system\services.ini

Filesize
102B

MD5
548bc20812a0cdcfa4a861232a9b4017

SHA1
a58180d21b859715fb42a6a489ac1ce57211cb3c

SHA256
66c7eded72b0d265144f43620a4ad8837ca0a43a3306c95ec7e662c90a13f35b

SHA512
23388083dfd84adc13d2505313dff598b172732aa532df11690881741bbd6551c1540c1d4eb19805c10e98ef271a7551996ae7ca86c97df85981f45be92ad3fa

Download Submit
C:\spysilici.bat

Filesize
88B

MD5
92bb45e44e75f94c8b586d8149eb41fc

SHA1
158c6ec92ab009ef40febcefd0e602f89cf722db

SHA256
4c7364a9111b7fc49e1a5a93b0e7022f9c6cc783c59063136d0d921571285f44

SHA512
0510ee2f301e3cd3155e024e4c5684b80d40fe055bb8be21638fc3ad8dfb37d4af7803fdafdef11de3c20ca758a634847a19a5cb7dcdcef09e29737dbe8ee59c

Download Submit
memory/224-161-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/224-163-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1120-143-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1120-132-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2176-151-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3336-152-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3336-157-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download