c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5

Analysis

max time kernel
175s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 21:36 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
Size

133KB
MD5

63feca6b2fc793013b873addaef4f610
SHA1

0f2a5bf9caf207fa118b1550dac2920a5bd9f288
SHA256

c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5
SHA512

ec85d8d9f69f8fa1dbc59808647b61d98494ae66997abf819a60b9f936f73d7a5d01466d89ec84c0b6fc5591c4708bca6d41cd2c08b186df04ce19defb8d9212
SSDEEP

3072:pYBjzosGnQpOe237XE35XeE79enCiM5cEwDjAS+umjiJbqrWTI:NsGQwb37XE3ZeykGnqES+vuJSmI

Score

10^/10

evasion persistence vmprotect

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe:*:enabled:@shell32.dll,-1"	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/824-133-0x0000000000400000-0x000000000043E000-memory.dmp	vmprotect
behavioral2/files/0x000f000000022e22-134.dat	vmprotect
behavioral2/files/0x000f000000022e22-135.dat	vmprotect
behavioral2/memory/4920-136-0x0000000000400000-0x000000000043E000-memory.dmp	vmprotect
behavioral2/files/0x000f000000022e22-137.dat	vmprotect
behavioral2/files/0x000f000000022e22-138.dat	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Loads dropped DLL 3 IoCs

pid	Process
4920	svchost.exe
4920	svchost.exe
4920	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IPv6NetBrowsSvc.dll	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
File opened for modification	C:\Windows\IPv6NetBrowsSvc.dll	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
476	4920	WerFault.exe	81
1492	824	WerFault.exe	17
3252	4920	WerFault.exe	81
4028	4920	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 624	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	3
PID 824 wrote to memory of 624	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	3
PID 824 wrote to memory of 624	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	3
PID 824 wrote to memory of 624	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	3
PID 824 wrote to memory of 624	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	3
PID 824 wrote to memory of 624	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	3
PID 824 wrote to memory of 684	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	1
PID 824 wrote to memory of 684	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	1
PID 824 wrote to memory of 684	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	1
PID 824 wrote to memory of 684	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	1
PID 824 wrote to memory of 684	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	1
PID 824 wrote to memory of 684	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	1
PID 824 wrote to memory of 788	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	8
PID 824 wrote to memory of 788	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	8
PID 824 wrote to memory of 788	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	8
PID 824 wrote to memory of 788	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	8
PID 824 wrote to memory of 788	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	8
PID 824 wrote to memory of 788	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	8
PID 824 wrote to memory of 796	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	80
PID 824 wrote to memory of 796	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	80
PID 824 wrote to memory of 796	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	80
PID 824 wrote to memory of 796	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	80
PID 824 wrote to memory of 796	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	80
PID 824 wrote to memory of 796	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	80
PID 824 wrote to memory of 804	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	79
PID 824 wrote to memory of 804	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	79
PID 824 wrote to memory of 804	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	79
PID 824 wrote to memory of 804	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	79
PID 824 wrote to memory of 804	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	79
PID 824 wrote to memory of 804	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	79
PID 824 wrote to memory of 908	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	78
PID 824 wrote to memory of 908	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	78
PID 824 wrote to memory of 908	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	78
PID 824 wrote to memory of 908	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	78
PID 824 wrote to memory of 908	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	78
PID 824 wrote to memory of 908	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	78
PID 824 wrote to memory of 968	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	77
PID 824 wrote to memory of 968	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	77
PID 824 wrote to memory of 968	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	77
PID 824 wrote to memory of 968	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	77
PID 824 wrote to memory of 968	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	77
PID 824 wrote to memory of 968	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	77
PID 824 wrote to memory of 396	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	76
PID 824 wrote to memory of 396	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	76
PID 824 wrote to memory of 396	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	76
PID 824 wrote to memory of 396	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	76
PID 824 wrote to memory of 396	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	76
PID 824 wrote to memory of 396	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	76
PID 824 wrote to memory of 708	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	75
PID 824 wrote to memory of 708	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	75
PID 824 wrote to memory of 708	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	75
PID 824 wrote to memory of 708	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	75
PID 824 wrote to memory of 708	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	75
PID 824 wrote to memory of 708	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	75
PID 824 wrote to memory of 964	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	74
PID 824 wrote to memory of 964	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	74
PID 824 wrote to memory of 964	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	74
PID 824 wrote to memory of 964	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	74
PID 824 wrote to memory of 964	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	74
PID 824 wrote to memory of 964	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	74
PID 824 wrote to memory of 408	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	73
PID 824 wrote to memory of 408	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	73
PID 824 wrote to memory of 408	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	73
PID 824 wrote to memory of 408	824	c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe	73

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1708

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2184

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2740

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe
"C:\Users\Admin\AppData\Local\Temp\c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe"
1⤵
- Modifies firewall policy service
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1772
  2⤵
  - Program crash
  PID:1492

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3280

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4384

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3476

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2608

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
1⤵
- Loads dropped DLL
PID:4920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 316
  2⤵
  - Program crash
  PID:476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 356
  2⤵
  - Program crash
  PID:3252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 368
  2⤵
  - Program crash
  PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4920 -ip 4920
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 824 -ip 824
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4920 -ip 4920
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4920 -ip 4920
1⤵
PID:2756

Network

DNS

ilo.brenz.pl

c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

Remote address:

8.8.8.8:53

Request

ilo.brenz.pl

IN A

Response

ilo.brenz.pl

IN A

148.81.111.121
DNS

164.2.77.40.in-addr.arpa

Dnscache

Remote address:

8.8.8.8:53

Request

164.2.77.40.in-addr.arpa

IN PTR

Response

8.238.21.126:80

322 B
7
20.42.65.90:443

OfficeClickToRun.exe

322 B
7
93.184.221.240:80

CryptSvc

322 B
7
93.184.221.240:80

CryptSvc

322 B
7
93.184.221.240:80

CryptSvc

322 B
7
148.81.111.121:80

ilo.brenz.pl

c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

260 B
200 B
5
5
148.81.111.121:80

ilo.brenz.pl

c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

52 B
40 B
1
1

8.8.8.8:53

ilo.brenz.pl

dns

c73fa4b97c4188faf98eba38fdeea572c7a939719ff61258a3056b56f9f31df5.exe

58 B
74 B
1
1

DNS Request

ilo.brenz.pl

DNS Response

148.81.111.121
8.8.8.8:53

164.2.77.40.in-addr.arpa

dns

Dnscache

70 B
144 B
1
1

DNS Request

164.2.77.40.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IPv6NetBrowsSvc.dll

Filesize
133KB

MD5
15b7e5087c96d838405a252ed27ed468

SHA1
fd2923e737b8ca4a9d4f49e79d7d466d5651184a

SHA256
56a619e9eb5bcd441c67e527bcd5d21a381aad27dcd8c08d8b73773682068a1b

SHA512
bf5f11600d1cce7338b77b216cdc1a2d2f4ad2bdcb243e27566844e592e41901c4494099d1cb6aeb3c60c59963b42e57b20b229ba02c9c728da903ce9ccad5c9

Download Submit
C:\Windows\IPv6NetBrowsSvc.dll

Filesize
133KB

MD5
15b7e5087c96d838405a252ed27ed468

SHA1
fd2923e737b8ca4a9d4f49e79d7d466d5651184a

SHA256
56a619e9eb5bcd441c67e527bcd5d21a381aad27dcd8c08d8b73773682068a1b

SHA512
bf5f11600d1cce7338b77b216cdc1a2d2f4ad2bdcb243e27566844e592e41901c4494099d1cb6aeb3c60c59963b42e57b20b229ba02c9c728da903ce9ccad5c9

Download Submit
C:\Windows\IPv6NetBrowsSvc.dll

Filesize
133KB

MD5
15b7e5087c96d838405a252ed27ed468

SHA1
fd2923e737b8ca4a9d4f49e79d7d466d5651184a

SHA256
56a619e9eb5bcd441c67e527bcd5d21a381aad27dcd8c08d8b73773682068a1b

SHA512
bf5f11600d1cce7338b77b216cdc1a2d2f4ad2bdcb243e27566844e592e41901c4494099d1cb6aeb3c60c59963b42e57b20b229ba02c9c728da903ce9ccad5c9

Download Submit
\??\c:\windows\ipv6netbrowssvc.dll

Filesize
133KB

MD5
15b7e5087c96d838405a252ed27ed468

SHA1
fd2923e737b8ca4a9d4f49e79d7d466d5651184a

SHA256
56a619e9eb5bcd441c67e527bcd5d21a381aad27dcd8c08d8b73773682068a1b

SHA512
bf5f11600d1cce7338b77b216cdc1a2d2f4ad2bdcb243e27566844e592e41901c4494099d1cb6aeb3c60c59963b42e57b20b229ba02c9c728da903ce9ccad5c9

Download Submit
memory/824-132-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/824-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4920-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.