1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
Size

646KB
MD5

016cc5c921eb0d1101395025d7c0c505
SHA1

98b47c84aea06e1443c396eb1b7d33e331ca6749
SHA256

1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b
SHA512

31d4bdba2d2ca5c7ba12b8e4db1c9d8ba9bb4ce600aa1c84968f85186f0b44eea74f7c606e620f70137498c9f018102094a8f216eb9bb18b1040064a085aec5c
SSDEEP

12288:k/dr9yql7Xa+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNKyUdMONUzeosyu4M

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	g6NuH2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tieepik.exe

Executes dropped EXE 7 IoCs

pid	Process
1760	g6NuH2.exe
4192	tieepik.exe
4596	adhost.exe
4804	adhost.exe
4384	bdhost.exe
1712	cdhost.exe
3788	ddhost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3008-133-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/3008-134-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/3008-137-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/3008-138-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/3008-141-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/3008-157-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	g6NuH2.exe

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /x"	g6NuH2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /x"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /l"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /O"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /S"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /Y"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /y"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /R"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /p"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /b"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /T"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /k"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /a"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /L"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /w"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /Z"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /V"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /I"	tieepik.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	g6NuH2.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /G"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /D"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /i"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /u"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /f"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /v"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /m"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /j"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /U"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /H"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /z"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /X"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /P"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /W"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /e"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /g"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /n"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /d"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /o"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /B"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /c"	tieepik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tieepik = "C:\\Users\\Admin\\tieepik.exe /M"	tieepik.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 4596 set thread context of 4804	4596	adhost.exe	111
PID 1712 set thread context of 1480	1712	cdhost.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3992	4384	WerFault.exe	112
2692	1480	WerFault.exe	117

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3292	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	g6NuH2.exe
1760	g6NuH2.exe
1760	g6NuH2.exe
1760	g6NuH2.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe
4192	tieepik.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3292	tasklist.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
1760	g6NuH2.exe
4192	tieepik.exe
3788	ddhost.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3140 wrote to memory of 3008	3140	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	104
PID 3008 wrote to memory of 1760	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	105
PID 3008 wrote to memory of 1760	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	105
PID 3008 wrote to memory of 1760	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	105
PID 1760 wrote to memory of 4192	1760	g6NuH2.exe	106
PID 1760 wrote to memory of 4192	1760	g6NuH2.exe	106
PID 1760 wrote to memory of 4192	1760	g6NuH2.exe	106
PID 1760 wrote to memory of 1156	1760	g6NuH2.exe	107
PID 1760 wrote to memory of 1156	1760	g6NuH2.exe	107
PID 1760 wrote to memory of 1156	1760	g6NuH2.exe	107
PID 1156 wrote to memory of 3292	1156	cmd.exe	109
PID 1156 wrote to memory of 3292	1156	cmd.exe	109
PID 1156 wrote to memory of 3292	1156	cmd.exe	109
PID 3008 wrote to memory of 4596	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	110
PID 3008 wrote to memory of 4596	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	110
PID 3008 wrote to memory of 4596	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	110
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 4596 wrote to memory of 4804	4596	adhost.exe	111
PID 3008 wrote to memory of 4384	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	112
PID 3008 wrote to memory of 4384	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	112
PID 3008 wrote to memory of 4384	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	112
PID 3008 wrote to memory of 1712	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	116
PID 3008 wrote to memory of 1712	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	116
PID 3008 wrote to memory of 1712	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	116
PID 1712 wrote to memory of 1480	1712	cdhost.exe	117
PID 1712 wrote to memory of 1480	1712	cdhost.exe	117
PID 1712 wrote to memory of 1480	1712	cdhost.exe	117
PID 3008 wrote to memory of 3788	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	120
PID 3008 wrote to memory of 3788	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	120
PID 3008 wrote to memory of 3788	3008	1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe	120

C:\Users\Admin\AppData\Local\Temp\1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
"C:\Users\Admin\AppData\Local\Temp\1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
  1d84e8f21ed6460ddd8a69811d481eed48d27c5dc934c63d22f5f6d8167c130b.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\g6NuH2.exe
    C:\Users\Admin\g6NuH2.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\tieepik.exe
      "C:\Users\Admin\tieepik.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
- - C:\Users\Admin\adhost.exe
    C:\Users\Admin\adhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\adhost.exe
      adhost.exe
      4⤵
      Executes dropped EXE
      PID:4804
- - C:\Users\Admin\bdhost.exe
    C:\Users\Admin\bdhost.exe
    3⤵
    - Executes dropped EXE
    PID:4384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 332
      4⤵
      Program crash
      PID:3992
- - C:\Users\Admin\cdhost.exe
    C:\Users\Admin\cdhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\explorer.exe
      00000120*
      4⤵
      PID:1480
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1480 -s 124
        5⤵
        Program crash
        
        PID:2692
- - C:\Users\Admin\ddhost.exe
    C:\Users\Admin\ddhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4384 -ip 4384
1⤵
PID:4288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1480 -ip 1480
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
C:\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
C:\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\cdhost.exe

Filesize
118KB

MD5
4abe6afa1ff995b70ef6511c1f0567ae

SHA1
80935a41582e0fb168c37d2960dce974cab5f0ab

SHA256
fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8

SHA512
bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565

Download Submit
C:\Users\Admin\cdhost.exe

Filesize
118KB

MD5
4abe6afa1ff995b70ef6511c1f0567ae

SHA1
80935a41582e0fb168c37d2960dce974cab5f0ab

SHA256
fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8

SHA512
bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565

Download Submit
C:\Users\Admin\ddhost.exe

Filesize
24KB

MD5
71aecf19a1aec54e3d2c63f945cc6956

SHA1
12213f95739e45881458a7bbb429a0b7b363ccbf

SHA256
c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf

SHA512
a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4

Download Submit
C:\Users\Admin\ddhost.exe

Filesize
24KB

MD5
71aecf19a1aec54e3d2c63f945cc6956

SHA1
12213f95739e45881458a7bbb429a0b7b363ccbf

SHA256
c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf

SHA512
a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
C:\Users\Admin\tieepik.exe

Filesize
256KB

MD5
913bab7a12aadb31f837376412c2f6ef

SHA1
4f085d968e4acd95afa8d33e857c30633a1dc4fd

SHA256
318fb178255ea663523253216ad0aa58097d003a85c7000c112cda00fd582b14

SHA512
d1d303c37d025a197c242e96ec5915a3ca1038e4b6bffd5fd339bc3d3214d9a65a2553a9b5026a5b247a7fa6cefef75b9f940d9963284939c4d271e8d88ea0e5

Download Submit
C:\Users\Admin\tieepik.exe

Filesize
256KB

MD5
913bab7a12aadb31f837376412c2f6ef

SHA1
4f085d968e4acd95afa8d33e857c30633a1dc4fd

SHA256
318fb178255ea663523253216ad0aa58097d003a85c7000c112cda00fd582b14

SHA512
d1d303c37d025a197c242e96ec5915a3ca1038e4b6bffd5fd339bc3d3214d9a65a2553a9b5026a5b247a7fa6cefef75b9f940d9963284939c4d271e8d88ea0e5

Download Submit
memory/1480-177-0x0000000000E90000-0x0000000000EA6000-memory.dmp

Filesize
88KB

Download
memory/1712-176-0x0000000002020000-0x000000000203B000-memory.dmp

Filesize
108KB

Download
memory/1712-173-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1712-175-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3008-134-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3008-157-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3008-137-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3008-133-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3008-141-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3008-138-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4804-166-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4804-163-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4804-162-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4804-161-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4804-160-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4804-159-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download