525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa

Analysis

max time kernel
7s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
Size

234KB
MD5

3aae128264c5973216c30051365b2fe0
SHA1

3b819490d849419960b078d463c134fb378cc6cb
SHA256

525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa
SHA512

ced7a81c87cd470c44a70558b8334e59b06bbcaeab47e01501c6b2a752f1a6794bb3600282c83900248f94766e900b759e12ea21462d2fb7c517e827e794bc89
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoSI:2n8dI3b7ETtKKepymejF5aeDUGNoSI

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2020	SkipeTurns.exe
1216	SkipeTurns.exe
1552	SkipeTurns.exe
1620	SkipeTurns.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1528-57-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1528-59-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1528-60-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/952-64-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1528-66-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/952-67-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1528-68-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/952-69-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/952-73-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1456-75-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/952-74-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1528-80-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/952-82-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1528-81-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x0008000000005c51-85.dat	upx
behavioral1/files/0x0008000000005c51-86.dat	upx
behavioral1/files/0x0008000000005c51-87.dat	upx
behavioral1/files/0x0008000000005c51-88.dat	upx
behavioral1/files/0x0008000000005c51-89.dat	upx
behavioral1/files/0x0008000000005c51-91.dat	upx
behavioral1/files/0x0008000000005c51-94.dat	upx
behavioral1/files/0x0008000000005c51-101.dat	upx
behavioral1/files/0x0008000000005c51-114.dat	upx
behavioral1/memory/1620-117-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1620-119-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/files/0x0008000000005c51-124.dat	upx
behavioral1/memory/1620-120-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/2020-127-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1620-126-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1620-129-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1216-128-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/952-130-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1620-136-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1528-144-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1216-145-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1620-146-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 set thread context of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 2020 set thread context of 1216	2020	SkipeTurns.exe	31
PID 2020 set thread context of 1552	2020	SkipeTurns.exe	32
PID 2020 set thread context of 1620	2020	SkipeTurns.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
844	ipconfig.exe
240	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2012	reg.exe
1564	reg.exe
2016	reg.exe
1512	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1620	SkipeTurns.exe
Token: SeCreateTokenPrivilege	1620	SkipeTurns.exe
Token: SeAssignPrimaryTokenPrivilege	1620	SkipeTurns.exe
Token: SeLockMemoryPrivilege	1620	SkipeTurns.exe
Token: SeIncreaseQuotaPrivilege	1620	SkipeTurns.exe
Token: SeMachineAccountPrivilege	1620	SkipeTurns.exe
Token: SeTcbPrivilege	1620	SkipeTurns.exe
Token: SeSecurityPrivilege	1620	SkipeTurns.exe
Token: SeTakeOwnershipPrivilege	1620	SkipeTurns.exe
Token: SeLoadDriverPrivilege	1620	SkipeTurns.exe
Token: SeSystemProfilePrivilege	1620	SkipeTurns.exe
Token: SeSystemtimePrivilege	1620	SkipeTurns.exe
Token: SeProfSingleProcessPrivilege	1620	SkipeTurns.exe
Token: SeIncBasePriorityPrivilege	1620	SkipeTurns.exe
Token: SeCreatePagefilePrivilege	1620	SkipeTurns.exe
Token: SeCreatePermanentPrivilege	1620	SkipeTurns.exe
Token: SeBackupPrivilege	1620	SkipeTurns.exe
Token: SeRestorePrivilege	1620	SkipeTurns.exe
Token: SeShutdownPrivilege	1620	SkipeTurns.exe
Token: SeDebugPrivilege	1620	SkipeTurns.exe
Token: SeAuditPrivilege	1620	SkipeTurns.exe
Token: SeSystemEnvironmentPrivilege	1620	SkipeTurns.exe
Token: SeChangeNotifyPrivilege	1620	SkipeTurns.exe
Token: SeRemoteShutdownPrivilege	1620	SkipeTurns.exe
Token: SeUndockPrivilege	1620	SkipeTurns.exe
Token: SeSyncAgentPrivilege	1620	SkipeTurns.exe
Token: SeEnableDelegationPrivilege	1620	SkipeTurns.exe
Token: SeManageVolumePrivilege	1620	SkipeTurns.exe
Token: SeImpersonatePrivilege	1620	SkipeTurns.exe
Token: SeCreateGlobalPrivilege	1620	SkipeTurns.exe
Token: 31	1620	SkipeTurns.exe
Token: 32	1620	SkipeTurns.exe
Token: 33	1620	SkipeTurns.exe
Token: 34	1620	SkipeTurns.exe
Token: 35	1620	SkipeTurns.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
2020	SkipeTurns.exe
1216	SkipeTurns.exe
1620	SkipeTurns.exe
1620	SkipeTurns.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 1528	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	26
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1456 wrote to memory of 952	1456	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	27
PID 1528 wrote to memory of 844	1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	28
PID 1528 wrote to memory of 844	1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	28
PID 1528 wrote to memory of 844	1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	28
PID 1528 wrote to memory of 844	1528	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	28
PID 952 wrote to memory of 2020	952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	30
PID 952 wrote to memory of 2020	952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	30
PID 952 wrote to memory of 2020	952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	30
PID 952 wrote to memory of 2020	952	525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe	30
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1216	2020	SkipeTurns.exe	31
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 2020 wrote to memory of 1552	2020	SkipeTurns.exe	32
PID 1216 wrote to memory of 240	1216	SkipeTurns.exe	33
PID 1216 wrote to memory of 240	1216	SkipeTurns.exe	33
PID 1216 wrote to memory of 240	1216	SkipeTurns.exe	33
PID 1216 wrote to memory of 240	1216	SkipeTurns.exe	33
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34
PID 2020 wrote to memory of 1620	2020	SkipeTurns.exe	34

C:\Users\Admin\AppData\Local\Temp\525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
"C:\Users\Admin\AppData\Local\Temp\525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
  "C:\Users\Admin\AppData\Local\Temp\525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:844
- C:\Users\Admin\AppData\Local\Temp\525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe
  "C:\Users\Admin\AppData\Local\Temp\525b4ed8f4c5b4d8103df42db71d1d194646b33131f2f1fc8f50671cda6abeaa.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
    "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:240
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      PID:1552
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1000
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:2016
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1708
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
58d7238496a160c8a390a630ea19d8b6

SHA1
755649de223ab03c2a5d543ec7ed29f65c014c32

SHA256
a6a6503c26513bb6375dfa8ffc5ddd0f8ace9af934e571494a5119f7450d0eed

SHA512
9ad05a212e39d549fe81ad594e9c9dc574642b58f9ea2d07b7c666b1a2a78be7f205cb74e2530c3967434f21deeb88d783005f1d60354b87c4f20a0ffaf7e579

Download Submit
memory/844-83-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/952-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-122-0x0000000002C50000-0x0000000002D2F000-memory.dmp

Filesize
892KB

Download
memory/952-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-130-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1216-145-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1216-128-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1456-75-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1528-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-144-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1528-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1620-119-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-120-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1620-129-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2020-127-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download