ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898

Analysis

max time kernel
152s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
Size

463KB
MD5

069a5e2553ead6f554b1199b85352890
SHA1

716e7dc313dc492083cb00b5765798da72a93016
SHA256

ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898
SHA512

7fd7e5f03e22788a679bb755147a2ac26e726d0cc60580ff3e6244bd2ef1fa565dd047b641adbefda1f022f1d837f407b8ffad1309ed85ffeb866ec0b354e84c
SSDEEP

12288:2yVclvVDlr2TXnhVMp0qAW1w+yc3WaLGzgXE61JR7:1VclhdKXnhVMpkEyc3WaB06

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4048	update.exe
208	update.exe
1152	update.exe
3880	update.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3736-158-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3736-161-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3736-159-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3736-167-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3736-169-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3736-171-0x0000000001610000-0x000000000171F000-memory.dmp	upx
behavioral2/memory/3736-172-0x0000000001610000-0x000000000171F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windowns\\update.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windowns\\update.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windowns\\update.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	update.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windowns\\update.exe"	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windowns\\update.exe"	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windowns\\update.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windowns\\update.exe"	update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windowns\\update.exe"	update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windowns\\update.exe"	update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windowns\\update.exe"	update.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 4048 set thread context of 1152	4048	update.exe	103
PID 208 set thread context of 3880	208	update.exe	105
PID 1152 set thread context of 3736	1152	update.exe	104

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windowns\update.exe	update.exe
File opened for modification	C:\Windows\windowns\	update.exe
File opened for modification	C:\Windows\windowns\update.exe	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
File created	C:\Windows\windowns\update.exe	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
File opened for modification	C:\Windows\windowns\	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
File opened for modification	C:\Windows\windowns\update.exe	update.exe
File opened for modification	C:\Windows\windowns\	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3736	svchost.exe
3736	svchost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
4048	update.exe
4048	update.exe
208	update.exe
208	update.exe
3736	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 3184 wrote to memory of 5020	3184	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	82
PID 5020 wrote to memory of 4816	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	83
PID 5020 wrote to memory of 4816	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	83
PID 5020 wrote to memory of 4816	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	83
PID 5020 wrote to memory of 4816	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	83
PID 5020 wrote to memory of 3668	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	84
PID 5020 wrote to memory of 3668	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	84
PID 5020 wrote to memory of 3668	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	84
PID 5020 wrote to memory of 4356	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	85
PID 5020 wrote to memory of 4356	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	85
PID 5020 wrote to memory of 4356	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	85
PID 5020 wrote to memory of 1224	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	86
PID 5020 wrote to memory of 1224	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	86
PID 5020 wrote to memory of 1224	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	86
PID 5020 wrote to memory of 1664	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	87
PID 5020 wrote to memory of 1664	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	87
PID 5020 wrote to memory of 1664	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	87
PID 5020 wrote to memory of 3636	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	88
PID 5020 wrote to memory of 3636	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	88
PID 5020 wrote to memory of 3636	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	88
PID 5020 wrote to memory of 4752	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	89
PID 5020 wrote to memory of 4752	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	89
PID 5020 wrote to memory of 4752	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	89
PID 5020 wrote to memory of 2276	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	90
PID 5020 wrote to memory of 2276	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	90
PID 5020 wrote to memory of 2276	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	90
PID 5020 wrote to memory of 3124	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	91
PID 5020 wrote to memory of 3124	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	91
PID 5020 wrote to memory of 3124	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	91
PID 5020 wrote to memory of 4124	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	92
PID 5020 wrote to memory of 4124	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	92
PID 5020 wrote to memory of 4124	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	92
PID 5020 wrote to memory of 4220	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	93
PID 5020 wrote to memory of 4220	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	93
PID 5020 wrote to memory of 4220	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	93
PID 5020 wrote to memory of 1444	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	94
PID 5020 wrote to memory of 1444	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	94
PID 5020 wrote to memory of 1444	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	94
PID 5020 wrote to memory of 3004	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	95
PID 5020 wrote to memory of 3004	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	95
PID 5020 wrote to memory of 3004	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	95
PID 5020 wrote to memory of 1508	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	96
PID 5020 wrote to memory of 1508	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	96
PID 5020 wrote to memory of 1508	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	96
PID 5020 wrote to memory of 1456	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	97
PID 5020 wrote to memory of 1456	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	97
PID 5020 wrote to memory of 1456	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	97
PID 5020 wrote to memory of 2556	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	98
PID 5020 wrote to memory of 2556	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	98
PID 5020 wrote to memory of 2556	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	98
PID 5020 wrote to memory of 2988	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	99
PID 5020 wrote to memory of 2988	5020	ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe	99

C:\Users\Admin\AppData\Local\Temp\ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
"C:\Users\Admin\AppData\Local\Temp\ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe
  "C:\Users\Admin\AppData\Local\Temp\ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry class
    PID:4816
  - - C:\Windows\windowns\update.exe
      "C:\Windows\windowns\update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:208
    - - C:\Windows\windowns\update.exe
        
        "C:\Windows\windowns\update.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        
        PID:3880
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:3836
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:4068
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2256
- - C:\Windows\windowns\update.exe
    "C:\Windows\windowns\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4048
  - - C:\Windows\windowns\update.exe
      "C:\Windows\windowns\update.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      PID:1152
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        Adds Run key to start application
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WNFeG\WNFeG.dat

Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WNFeG\WNFeG.nfo

Filesize
3KB

MD5
31d2075332db5d5f9ebe156f93caed0e

SHA1
873cfb9e41b99e3cb7775db43298fd96d54f5ecd

SHA256
85258f85ae11e4f95406d4ddea7b38fcced502464ed6b767f5fd929a025cb6b9

SHA512
ebb63f6fd7f22314912c1d4780166dbf4b54ea3290991fd94d144003ae503c4bb403cc3772425108397bae83af35a52ae867376c64a5cb1778bb3c8df8169b7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WNFeG\WNFeG.nfo

Filesize
3KB

MD5
31d2075332db5d5f9ebe156f93caed0e

SHA1
873cfb9e41b99e3cb7775db43298fd96d54f5ecd

SHA256
85258f85ae11e4f95406d4ddea7b38fcced502464ed6b767f5fd929a025cb6b9

SHA512
ebb63f6fd7f22314912c1d4780166dbf4b54ea3290991fd94d144003ae503c4bb403cc3772425108397bae83af35a52ae867376c64a5cb1778bb3c8df8169b7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WNFeG\WNFeG.nfo

Filesize
3KB

MD5
31d2075332db5d5f9ebe156f93caed0e

SHA1
873cfb9e41b99e3cb7775db43298fd96d54f5ecd

SHA256
85258f85ae11e4f95406d4ddea7b38fcced502464ed6b767f5fd929a025cb6b9

SHA512
ebb63f6fd7f22314912c1d4780166dbf4b54ea3290991fd94d144003ae503c4bb403cc3772425108397bae83af35a52ae867376c64a5cb1778bb3c8df8169b7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WNFeG\WNFeG.svr

Filesize
356KB

MD5
94834b0ae75d00432822410472983fce

SHA1
748a8da6d359a4d213b6472265723fb48d293d78

SHA256
f5c939f0b02f65ba36821fd14ae2a5510ca3b5712236e6b28f78fe42cdeb6f44

SHA512
5399d226b6fa8c06889a671dba7e7b342937044f2714c183f731bc04dd0d2a880e77552ec3146b7ba72c079debc9508ceb2c565d6339f96f08c14dc0a3a0d074

Download Submit
C:\Windows\windowns\update.exe

Filesize
463KB

MD5
069a5e2553ead6f554b1199b85352890

SHA1
716e7dc313dc492083cb00b5765798da72a93016

SHA256
ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898

SHA512
7fd7e5f03e22788a679bb755147a2ac26e726d0cc60580ff3e6244bd2ef1fa565dd047b641adbefda1f022f1d837f407b8ffad1309ed85ffeb866ec0b354e84c

Download Submit
C:\Windows\windowns\update.exe

Filesize
463KB

MD5
069a5e2553ead6f554b1199b85352890

SHA1
716e7dc313dc492083cb00b5765798da72a93016

SHA256
ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898

SHA512
7fd7e5f03e22788a679bb755147a2ac26e726d0cc60580ff3e6244bd2ef1fa565dd047b641adbefda1f022f1d837f407b8ffad1309ed85ffeb866ec0b354e84c

Download Submit
C:\Windows\windowns\update.exe

Filesize
463KB

MD5
069a5e2553ead6f554b1199b85352890

SHA1
716e7dc313dc492083cb00b5765798da72a93016

SHA256
ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898

SHA512
7fd7e5f03e22788a679bb755147a2ac26e726d0cc60580ff3e6244bd2ef1fa565dd047b641adbefda1f022f1d837f407b8ffad1309ed85ffeb866ec0b354e84c

Download Submit
C:\Windows\windowns\update.exe

Filesize
463KB

MD5
069a5e2553ead6f554b1199b85352890

SHA1
716e7dc313dc492083cb00b5765798da72a93016

SHA256
ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898

SHA512
7fd7e5f03e22788a679bb755147a2ac26e726d0cc60580ff3e6244bd2ef1fa565dd047b641adbefda1f022f1d837f407b8ffad1309ed85ffeb866ec0b354e84c

Download Submit
C:\Windows\windowns\update.exe

Filesize
463KB

MD5
069a5e2553ead6f554b1199b85352890

SHA1
716e7dc313dc492083cb00b5765798da72a93016

SHA256
ab14ca54bcaf472af45462f5a826fce4aa3226529b48794fc52e3148677ab898

SHA512
7fd7e5f03e22788a679bb755147a2ac26e726d0cc60580ff3e6244bd2ef1fa565dd047b641adbefda1f022f1d837f407b8ffad1309ed85ffeb866ec0b354e84c

Download Submit
memory/208-165-0x00000000022C0000-0x000000000233B000-memory.dmp

Filesize
492KB

Download
memory/1152-173-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1152-154-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3184-132-0x0000000000B20000-0x0000000000B9B000-memory.dmp

Filesize
492KB

Download
memory/3184-136-0x0000000000B20000-0x0000000000B9B000-memory.dmp

Filesize
492KB

Download
memory/3736-169-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3736-171-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3736-180-0x00000000016C5000-0x000000000171D000-memory.dmp

Filesize
352KB

Download
memory/3736-177-0x00000000016C5000-0x000000000171D000-memory.dmp

Filesize
352KB

Download
memory/3736-178-0x0000000001611000-0x00000000016C5000-memory.dmp

Filesize
720KB

Download
memory/3736-158-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3736-167-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3736-161-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3736-172-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3736-159-0x0000000001610000-0x000000000171F000-memory.dmp

Filesize
1.1MB

Download
memory/3880-179-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3880-176-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4048-152-0x0000000002160000-0x00000000021DB000-memory.dmp

Filesize
492KB

Download
memory/4816-141-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-138-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-134-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-135-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-137-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-142-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-147-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download