Analysis
max time kernel: 151s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2022 00:28
Static task: static1
Behavioral task: behavioral1
Sample: 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
Resource: win7-20220901-en
General
Target: 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
Size: 167KB
MD5: 7ccbe2edd64abadea2521915a6a2c133
SHA1: c1358c0c571586dbbf9e46309f4afdc94968e0be
SHA256: 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5
SHA512: 22d3b8b0f4849a5d54ea6002e90baf971cd1477050f9fdcfcbaf55c7e04afc24b59668567b29a125d250a551a3348ef850ae1267592e9694d46d7a16b6d9d32a
SSDEEP: 3072:aE/7tkX8PuEwxavvSxstG1kNE6BJdK5YWIIZ34w7oyN:aY7t2LaCxsoA9d5WjCwf
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid | Process
1560 | mscorsvw.exe
276 | mscorsvw.exe
1552 | OSE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000\EnableNotifications = "0" | OSE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000 | OSE.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | OSE.EXE
File opened (read-only) | \??\W: | OSE.EXE
File opened (read-only) | \??\N: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\O: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\R: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\F: | OSE.EXE
File opened (read-only) | \??\T: | OSE.EXE
File opened (read-only) | \??\H: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\K: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\Q: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\I: | OSE.EXE
File opened (read-only) | \??\T: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\V: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\Y: | OSE.EXE
File opened (read-only) | \??\X: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\G: | OSE.EXE
File opened (read-only) | \??\Z: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\H: | OSE.EXE
File opened (read-only) | \??\I: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\L: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\S: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\U: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\P: | OSE.EXE
File opened (read-only) | \??\R: | OSE.EXE
File opened (read-only) | \??\S: | OSE.EXE
File opened (read-only) | \??\X: | OSE.EXE
File opened (read-only) | \??\P: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\E: | OSE.EXE
File opened (read-only) | \??\L: | OSE.EXE
File opened (read-only) | \??\N: | OSE.EXE
File opened (read-only) | \??\G: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\J: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\M: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\W: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\E: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\F: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\Y: | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened (read-only) | \??\Q: | OSE.EXE
File opened (read-only) | \??\V: | OSE.EXE
File opened (read-only) | \??\Z: | OSE.EXE
File opened (read-only) | \??\J: | OSE.EXE
File opened (read-only) | \??\M: | OSE.EXE
File opened (read-only) | \??\O: | OSE.EXE
File opened (read-only) | \??\U: | OSE.EXE
Drops file in System32 directory 36 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | OSE.EXE
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File created | \??\c:\windows\SysWOW64\svchost.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | OSE.EXE
File created | \??\c:\windows\SysWOW64\msiexec.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | OSE.EXE
File created | \??\c:\windows\SysWOW64\dllhost.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File created | \??\c:\windows\SysWOW64\searchindexer.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
Drops file in Program Files directory 28 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | OSE.EXE
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File created | C:\Program Files\7-Zip\Uninstall.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | OSE.EXE
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | OSE.EXE
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | OSE.EXE
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | OSE.EXE
File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File created | \??\c:\program files (x86)\microsoft office\office14\groove.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File created | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | OSE.EXE
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
Drops file in Windows directory 27 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | OSE.EXE
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | OSE.EXE
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0BD56417-1912-4BFD-80A9-C377AB3B0F48}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehsched.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{0BD56417-1912-4BFD-80A9-C377AB3B0F48}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehsched.exe | OSE.EXE
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File created | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | OSE.EXE
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
File created | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid | Process
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
1552 | OSE.EXE
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1308 | 2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
Token: SeRestorePrivilege | 1524 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1524 | msiexec.exe
Token: SeSecurityPrivilege | 1524 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1552 | OSE.EXE
Token: SeManageVolumePrivilege | 1912 | SearchIndexer.exe
Token: 33 | 1912 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1912 | SearchIndexer.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1632 | SearchProtocolHost.exe
1632 | SearchProtocolHost.exe
1632 | SearchProtocolHost.exe
1632 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1912 wrote to memory of 1632 | 1912 | SearchIndexer.exe | 33
PID 1912 wrote to memory of 1632 | 1912 | SearchIndexer.exe | 33
PID 1912 wrote to memory of 1632 | 1912 | SearchIndexer.exe | 33
PID 1912 wrote to memory of 1752 | 1912 | SearchIndexer.exe | 34
PID 1912 wrote to memory of 1752 | 1912 | SearchIndexer.exe | 34
PID 1912 wrote to memory of 1752 | 1912 | SearchIndexer.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c6c444ce3fab26b4ae60ad79a7ba39bf15f439d808add434aed3a5addb960b5.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  PID: 276

C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID: 1764

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 1524

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1552

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1912

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 1912)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      - Suspicious use of SetWindowsHookEx
      PID: 1632

    C:\Windows\system32\SearchFilterHost.exe (child of PID 1912)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      PID: 1752
Network
MITRE ATT&CK Enterprise v6
Downloads