b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb

Analysis

max time kernel
33s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
Size

320KB
MD5

4a3e19c7988b5010095c04aa3bdef6a0
SHA1

eeed24f4c34736b3c11acb981079e7be7f7c890e
SHA256

b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb
SHA512

ce00821453469129d74cc56c2ecc0301a17744b80bff4b4a818b28705874313f52977871e40a4be7476d953d59b4fcdb8ae4f5dd421bee5bb8bc286338bfcbf7
SSDEEP

6144:VwUx1ezrkB3lOcjuFJ8vDpUu3PhIbwpMVsTjo:ua7BVWeDqCIm+Go

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2032	WinS24System.exe
1092	WinS24System.exe
592	WinS24System.exe
1428	WinS24System.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1996-65-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1996-67-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1996-69-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1996-70-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1996-75-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1204-74-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1996-77-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1204-78-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1204-80-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1204-84-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1204-85-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1996-88-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1996-89-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1204-90-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1092-114-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1092-116-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1092-123-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1092-117-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1428-135-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1428-139-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1428-141-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1204-145-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1428-144-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1428-147-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1428-148-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1428-149-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1092-150-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/592-151-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1092-153-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1428-154-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/592-155-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\S24\\WinS24System.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 set thread context of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 2032 set thread context of 1092	2032	WinS24System.exe	33
PID 2032 set thread context of 592	2032	WinS24System.exe	34
PID 2032 set thread context of 1428	2032	WinS24System.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe
Token: SeDebugPrivilege	592	WinS24System.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1996	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
2032	WinS24System.exe
1092	WinS24System.exe
592	WinS24System.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1996	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	27
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 692 wrote to memory of 1204	692	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	28
PID 1204 wrote to memory of 1160	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	29
PID 1204 wrote to memory of 1160	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	29
PID 1204 wrote to memory of 1160	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	29
PID 1204 wrote to memory of 1160	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	29
PID 1160 wrote to memory of 272	1160	cmd.exe	31
PID 1160 wrote to memory of 272	1160	cmd.exe	31
PID 1160 wrote to memory of 272	1160	cmd.exe	31
PID 1160 wrote to memory of 272	1160	cmd.exe	31
PID 1204 wrote to memory of 2032	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	32
PID 1204 wrote to memory of 2032	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	32
PID 1204 wrote to memory of 2032	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	32
PID 1204 wrote to memory of 2032	1204	b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe	32
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 1092	2032	WinS24System.exe	33
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 592	2032	WinS24System.exe	34
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35
PID 2032 wrote to memory of 1428	2032	WinS24System.exe	35

C:\Users\Admin\AppData\Local\Temp\b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
"C:\Users\Admin\AppData\Local\Temp\b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Local\Temp\b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
  "C:\Users\Admin\AppData\Local\Temp\b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe
  "C:\Users\Admin\AppData\Local\Temp\b326aee2d7608293f6b8abe9ca45018b0416d9ea71f062eb88f65115398a59bb.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\UGEID.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Windows" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe" /f
      4⤵
      Adds Run key to start application
      PID:272
- - C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe
    "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe
      "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1092
  - - C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe
      "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:592
  - - C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe
      "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe"
      4⤵
      Executes dropped EXE
      PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UGEID.bat

Filesize
155B

MD5
b4ad053d480806ac40ad05f6b1b10599

SHA1
66f02da38b7a04a780cad0aa20ba99df52054411

SHA256
5f73fb4a4791aa86270a1ce25e74bb4c3797ddeb3489d1e3bc8bab82d9c48af9

SHA512
d92eafac9c2786eff26e439cddcd24d1291118ad6679ad71d032099ff34a816ce635d05aa0c9528434e1c60d632d481bb672fb34d28ccc2c7e0ddd13a5177451

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
6db7fa8df019d8b1c0e7025a17fdfd07

SHA1
6239cdf2c75bd1442390103201f7a90195271456

SHA256
d5db3ec923399b61dbb2734e40142d108c20f33c44ffba09635dc1fb32f2d1e5

SHA512
a5ccb48cded6b496e44edb5aaf28e63b515c8c48408b6ccb513a56337dbad0ba26f4b91e0a286315f622a56fc4f5797401459fbaee6583880bf66800bac9c658

Download Submit
memory/592-155-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/592-151-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/692-62-0x0000000000550000-0x0000000000584000-memory.dmp

Filesize
208KB

Download
memory/692-60-0x000000000054C000-0x0000000000550000-memory.dmp

Filesize
16KB

Download
memory/692-58-0x000000000054C000-0x0000000000550000-memory.dmp

Filesize
16KB

Download
memory/692-56-0x000000000054D000-0x0000000000552000-memory.dmp

Filesize
20KB

Download
memory/692-61-0x000000000054C000-0x0000000000550000-memory.dmp

Filesize
16KB

Download
memory/692-59-0x000000000054C000-0x0000000000550000-memory.dmp

Filesize
16KB

Download
memory/1092-116-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1092-123-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1092-153-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1092-114-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1092-117-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1092-150-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1204-145-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-73-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-91-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1204-90-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-85-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-84-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-80-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-78-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1428-141-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-154-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-149-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-148-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-147-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-144-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1428-135-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1996-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-75-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-70-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-88-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-89-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-109-0x0000000000663000-0x0000000000686000-memory.dmp

Filesize
140KB

Download
memory/2032-107-0x0000000000663000-0x0000000000686000-memory.dmp

Filesize
140KB

Download
memory/2032-106-0x0000000000663000-0x0000000000686000-memory.dmp

Filesize
140KB

Download
memory/2032-104-0x000000000065C000-0x0000000000661000-memory.dmp

Filesize
20KB

Download
memory/2032-108-0x0000000000663000-0x0000000000686000-memory.dmp

Filesize
140KB

Download