358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe
Size

384KB
MD5

6aa10c7a5d6aecb4dfd09647f553dc62
SHA1

798215e3f05eb7dda8dd0ec813681c176a0a9265
SHA256

358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07
SHA512

e212180568baeceda2181f506705a65f255736956cc26e1d80c224e7788b9cc1540943adbb2608ccfd99d7432e7d1d6a53c8dd81d26e949177caeb9b6c7641b9
SSDEEP

6144:4JGK2pYLlY4c6ue7lfhTuJZrM4l8KONb6/SPcGHciKjyISzTOILNhWOmzTTKWiYy:EGK2pYLlY4c6ue7lfhTuJZrM4l8KONbq

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yY6uXQd3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ygheoj.exe

Executes dropped EXE 6 IoCs

pid	Process
2608	yY6uXQd3.exe
3800	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
5112	3cmd.exe
644	4cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3772-145-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3772-148-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3772-149-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3772-161-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	yY6uXQd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /u"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /p"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /s"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /M"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /g"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /f"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /O"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /K"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /l"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /N"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /r"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /D"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /x"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /G"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /b"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /R"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /Q"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /e"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /Y"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /T"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /J"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /F"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /I"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /U"	ygheoj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yY6uXQd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /t"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /S"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /y"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /m"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /X"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /n"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /z"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /L"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /a"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /V"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /h"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /o"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /C"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /H"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /j"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /w"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /E"	ygheoj.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /A"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /B"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /U"	yY6uXQd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /c"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /d"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /P"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /W"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /i"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /q"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /Z"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /v"	ygheoj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygheoj = "C:\\Users\\Admin\\ygheoj.exe /k"	ygheoj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3800 set thread context of 3772	3800	2cmd.exe	88
PID 5112 set thread context of 3524	5112	3cmd.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4584	tasklist.exe
2972	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	yY6uXQd3.exe
2608	yY6uXQd3.exe
3772	2cmd.exe
3772	2cmd.exe
2608	yY6uXQd3.exe
2608	yY6uXQd3.exe
5112	3cmd.exe
5112	3cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3772	2cmd.exe
3756	ygheoj.exe
3756	ygheoj.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	tasklist.exe
Token: SeDebugPrivilege	5112	3cmd.exe
Token: SeDebugPrivilege	5112	3cmd.exe
Token: SeDebugPrivilege	2972	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe
2608	yY6uXQd3.exe
3800	2cmd.exe
3756	ygheoj.exe
644	4cmd.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2608	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	86
PID 5040 wrote to memory of 2608	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	86
PID 5040 wrote to memory of 2608	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	86
PID 5040 wrote to memory of 3800	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	87
PID 5040 wrote to memory of 3800	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	87
PID 5040 wrote to memory of 3800	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	87
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 3800 wrote to memory of 3772	3800	2cmd.exe	88
PID 2608 wrote to memory of 3756	2608	yY6uXQd3.exe	89
PID 2608 wrote to memory of 3756	2608	yY6uXQd3.exe	89
PID 2608 wrote to memory of 3756	2608	yY6uXQd3.exe	89
PID 2608 wrote to memory of 4848	2608	yY6uXQd3.exe	90
PID 2608 wrote to memory of 4848	2608	yY6uXQd3.exe	90
PID 2608 wrote to memory of 4848	2608	yY6uXQd3.exe	90
PID 4848 wrote to memory of 4584	4848	cmd.exe	92
PID 4848 wrote to memory of 4584	4848	cmd.exe	92
PID 4848 wrote to memory of 4584	4848	cmd.exe	92
PID 5040 wrote to memory of 5112	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	93
PID 5040 wrote to memory of 5112	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	93
PID 5040 wrote to memory of 5112	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	93
PID 5112 wrote to memory of 3524	5112	3cmd.exe	94
PID 5112 wrote to memory of 3524	5112	3cmd.exe	94
PID 5112 wrote to memory of 3524	5112	3cmd.exe	94
PID 5112 wrote to memory of 3524	5112	3cmd.exe	94
PID 5040 wrote to memory of 644	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	96
PID 5040 wrote to memory of 644	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	96
PID 5040 wrote to memory of 644	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	96
PID 5040 wrote to memory of 5108	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	109
PID 5040 wrote to memory of 5108	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	109
PID 5040 wrote to memory of 5108	5040	358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe	109
PID 5108 wrote to memory of 2972	5108	cmd.exe	111
PID 5108 wrote to memory of 2972	5108	cmd.exe	111
PID 5108 wrote to memory of 2972	5108	cmd.exe	111
PID 3756 wrote to memory of 2972	3756	ygheoj.exe	111
PID 3756 wrote to memory of 2972	3756	ygheoj.exe	111

C:\Users\Admin\AppData\Local\Temp\358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe
"C:\Users\Admin\AppData\Local\Temp\358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\yY6uXQd3.exe
  C:\Users\Admin\yY6uXQd3.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\ygheoj.exe
    "C:\Users\Admin\ygheoj.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del yY6uXQd3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4584
- C:\Users\Admin\2cmd.exe
  C:\Users\Admin\2cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Users\Admin\2cmd.exe
    "C:\Users\Admin\2cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3772
- C:\Users\Admin\3cmd.exe
  C:\Users\Admin\3cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3524
- C:\Users\Admin\4cmd.exe
  C:\Users\Admin\4cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 358cde8d93948908b90963691a673e91e870ba68fbf52d461b97c36b1816be07.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
C:\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
C:\Users\Admin\4cmd.exe

Filesize
36KB

MD5
06267a936e89e44812691c5ee418e214

SHA1
7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

SHA256
c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

SHA512
e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

Download Submit
C:\Users\Admin\4cmd.exe

Filesize
36KB

MD5
06267a936e89e44812691c5ee418e214

SHA1
7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

SHA256
c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

SHA512
e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

Download Submit
C:\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
C:\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
C:\Users\Admin\ygheoj.exe

Filesize
264KB

MD5
6d0c0eb8318fbb588ef5778206342a80

SHA1
648bc9b88a3e5c2823bf141d20d2981704bccca7

SHA256
7ea9c150d4c4f76e6f67987a8e08aff13fbc0ad14207d72c64a666ca1c286f9e

SHA512
8b4016c66ae0493e646a94dc652d218d5d5ad18f4d51cb1e27614d1a7d875f99c51ad7cb0adf4ab4150bd75150a57ee99d5c6087476ca6cafd4e68a0a277310b

Download Submit
C:\Users\Admin\ygheoj.exe

Filesize
264KB

MD5
6d0c0eb8318fbb588ef5778206342a80

SHA1
648bc9b88a3e5c2823bf141d20d2981704bccca7

SHA256
7ea9c150d4c4f76e6f67987a8e08aff13fbc0ad14207d72c64a666ca1c286f9e

SHA512
8b4016c66ae0493e646a94dc652d218d5d5ad18f4d51cb1e27614d1a7d875f99c51ad7cb0adf4ab4150bd75150a57ee99d5c6087476ca6cafd4e68a0a277310b

Download Submit
memory/3772-149-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3772-148-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3772-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3772-161-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5112-165-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/5112-163-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/5112-162-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/5112-160-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download