ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9

Analysis

max time kernel
171s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 13:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
Size

20KB
MD5

a115788d9ac16c5e42c5d574c4296600
SHA1

1d294b44bb82e37c1492e46f000396e71465789f
SHA256

ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9
SHA512

92d7f18b3a9922818198bc16b72ec478caa64b72e5871c07b3f8df4565aba706e4b7e11311517be23b898f5ec7f70c05a8b31618b9e732e5956a577826af6cb9
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5hQLnBYmrd:g5BOFKksO1mE9B77777J77c77c77c71Y

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\37403FD.exe\""	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\37403FD.exe\""	37403FD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\37403FD.exe\""	37403FDRVURUX.exe

Executes dropped EXE 5 IoCs

pid	Process
3456	37403FD.exe
1344	37403FDRVURUX.exe
1864	37403FDRVURUX.exe
5152	37403FD.exe
5204	37403FD.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4828-134-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-150.dat	upx
behavioral2/files/0x0002000000021b43-151.dat	upx
behavioral2/memory/3456-163-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000a000000022df3-171.dat	upx
behavioral2/files/0x000a000000022df3-170.dat	upx
behavioral2/memory/1344-184-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000a000000022df3-190.dat	upx
behavioral2/memory/1864-195-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-194.dat	upx
behavioral2/memory/5152-199-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-200.dat	upx
behavioral2/memory/5204-203-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4828-204-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3456-205-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1344-206-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	37403FDRVURUX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\37403FD.exe = "C:\\Windows\\37403FD.exe"	37403FDRVURUX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\37403FD.exe = "C:\\Windows\\37403FD.exe"	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	37403FD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\37403FD.exe = "C:\\Windows\\37403FD.exe"	37403FD.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\37403FD.exe	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
File opened for modification	C:\Windows\37403FDRVURUX.exe	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
4744	TASKKILL.exe
3948	TASKKILL.exe
3952	TASKKILL.exe
624	TASKKILL.exe
4116	TASKKILL.exe
4792	TASKKILL.exe
4976	TASKKILL.exe
2024	TASKKILL.exe
1640	TASKKILL.exe
3916	TASKKILL.exe
3108	TASKKILL.exe
4688	TASKKILL.exe
1708	TASKKILL.exe
4944	TASKKILL.exe
872	TASKKILL.exe
4968	TASKKILL.exe
4936	TASKKILL.exe
1608	TASKKILL.exe
1852	TASKKILL.exe
4680	TASKKILL.exe
4352	TASKKILL.exe
4476	TASKKILL.exe
4032	TASKKILL.exe
2092	TASKKILL.exe
3564	TASKKILL.exe
3376	TASKKILL.exe
1144	TASKKILL.exe
4260	TASKKILL.exe
4416	TASKKILL.exe
1516	TASKKILL.exe
4108	TASKKILL.exe
1260	TASKKILL.exe
4780	TASKKILL.exe
4712	TASKKILL.exe
724	TASKKILL.exe
1780	TASKKILL.exe
4548	TASKKILL.exe
2572	TASKKILL.exe
4112	TASKKILL.exe
3032	TASKKILL.exe
3200	TASKKILL.exe
3864	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	TASKKILL.exe
Token: SeDebugPrivilege	1608	TASKKILL.exe
Token: SeDebugPrivilege	1852	TASKKILL.exe
Token: SeDebugPrivilege	4780	TASKKILL.exe
Token: SeDebugPrivilege	3032	TASKKILL.exe
Token: SeDebugPrivilege	3200	TASKKILL.exe
Token: SeDebugPrivilege	4680	TASKKILL.exe
Token: SeDebugPrivilege	4112	TASKKILL.exe
Token: SeDebugPrivilege	4688	TASKKILL.exe
Token: SeDebugPrivilege	4936	TASKKILL.exe
Token: SeDebugPrivilege	4976	TASKKILL.exe
Token: SeDebugPrivilege	2024	TASKKILL.exe
Token: SeDebugPrivilege	4792	TASKKILL.exe
Token: SeDebugPrivilege	1708	TASKKILL.exe
Token: SeDebugPrivilege	1144	TASKKILL.exe
Token: SeDebugPrivilege	724	TASKKILL.exe
Token: SeDebugPrivilege	4712	TASKKILL.exe
Token: SeDebugPrivilege	4744	TASKKILL.exe
Token: SeDebugPrivilege	4032	TASKKILL.exe
Token: SeDebugPrivilege	4416	TASKKILL.exe
Token: SeDebugPrivilege	1780	TASKKILL.exe
Token: SeDebugPrivilege	4944	TASKKILL.exe
Token: SeDebugPrivilege	3916	TASKKILL.exe
Token: SeDebugPrivilege	1640	TASKKILL.exe
Token: SeDebugPrivilege	3108	TASKKILL.exe
Token: SeDebugPrivilege	3948	TASKKILL.exe
Token: SeDebugPrivilege	4352	TASKKILL.exe
Token: SeDebugPrivilege	4548	TASKKILL.exe
Token: SeDebugPrivilege	2092	TASKKILL.exe
Token: SeDebugPrivilege	3864	TASKKILL.exe
Token: SeDebugPrivilege	2572	TASKKILL.exe
Token: SeDebugPrivilege	3564	TASKKILL.exe
Token: SeDebugPrivilege	872	TASKKILL.exe
Token: SeDebugPrivilege	1260	TASKKILL.exe
Token: SeDebugPrivilege	1516	TASKKILL.exe
Token: SeDebugPrivilege	3952	TASKKILL.exe
Token: SeDebugPrivilege	3376	TASKKILL.exe
Token: SeDebugPrivilege	4116	TASKKILL.exe
Token: SeDebugPrivilege	4968	TASKKILL.exe
Token: SeDebugPrivilege	4476	TASKKILL.exe
Token: SeDebugPrivilege	4108	TASKKILL.exe
Token: SeDebugPrivilege	624	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
3456	37403FD.exe
1344	37403FDRVURUX.exe
1864	37403FDRVURUX.exe
5152	37403FD.exe
5204	37403FD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 1144	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	81
PID 4828 wrote to memory of 1144	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	81
PID 4828 wrote to memory of 1144	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	81
PID 4828 wrote to memory of 4260	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	82
PID 4828 wrote to memory of 4260	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	82
PID 4828 wrote to memory of 4260	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	82
PID 4828 wrote to memory of 4744	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	83
PID 4828 wrote to memory of 4744	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	83
PID 4828 wrote to memory of 4744	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	83
PID 4828 wrote to memory of 4780	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	84
PID 4828 wrote to memory of 4780	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	84
PID 4828 wrote to memory of 4780	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	84
PID 4828 wrote to memory of 4792	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	85
PID 4828 wrote to memory of 4792	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	85
PID 4828 wrote to memory of 4792	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	85
PID 4828 wrote to memory of 4712	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	86
PID 4828 wrote to memory of 4712	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	86
PID 4828 wrote to memory of 4712	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	86
PID 4828 wrote to memory of 4976	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	87
PID 4828 wrote to memory of 4976	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	87
PID 4828 wrote to memory of 4976	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	87
PID 4828 wrote to memory of 4936	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	88
PID 4828 wrote to memory of 4936	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	88
PID 4828 wrote to memory of 4936	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	88
PID 4828 wrote to memory of 1608	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	89
PID 4828 wrote to memory of 1608	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	89
PID 4828 wrote to memory of 1608	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	89
PID 4828 wrote to memory of 4688	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	90
PID 4828 wrote to memory of 4688	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	90
PID 4828 wrote to memory of 4688	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	90
PID 4828 wrote to memory of 2024	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	91
PID 4828 wrote to memory of 2024	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	91
PID 4828 wrote to memory of 2024	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	91
PID 4828 wrote to memory of 4112	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	92
PID 4828 wrote to memory of 4112	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	92
PID 4828 wrote to memory of 4112	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	92
PID 4828 wrote to memory of 1708	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	93
PID 4828 wrote to memory of 1708	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	93
PID 4828 wrote to memory of 1708	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	93
PID 4828 wrote to memory of 1852	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	94
PID 4828 wrote to memory of 1852	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	94
PID 4828 wrote to memory of 1852	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	94
PID 4828 wrote to memory of 3456	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	109
PID 4828 wrote to memory of 3456	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	109
PID 4828 wrote to memory of 3456	4828	ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe	109
PID 3456 wrote to memory of 4680	3456	37403FD.exe	110
PID 3456 wrote to memory of 4680	3456	37403FD.exe	110
PID 3456 wrote to memory of 4680	3456	37403FD.exe	110
PID 3456 wrote to memory of 3032	3456	37403FD.exe	112
PID 3456 wrote to memory of 3032	3456	37403FD.exe	112
PID 3456 wrote to memory of 3032	3456	37403FD.exe	112
PID 3456 wrote to memory of 3200	3456	37403FD.exe	113
PID 3456 wrote to memory of 3200	3456	37403FD.exe	113
PID 3456 wrote to memory of 3200	3456	37403FD.exe	113
PID 3456 wrote to memory of 724	3456	37403FD.exe	114
PID 3456 wrote to memory of 724	3456	37403FD.exe	114
PID 3456 wrote to memory of 724	3456	37403FD.exe	114
PID 3456 wrote to memory of 4944	3456	37403FD.exe	116
PID 3456 wrote to memory of 4944	3456	37403FD.exe	116
PID 3456 wrote to memory of 4944	3456	37403FD.exe	116
PID 3456 wrote to memory of 4032	3456	37403FD.exe	117
PID 3456 wrote to memory of 4032	3456	37403FD.exe	117
PID 3456 wrote to memory of 4032	3456	37403FD.exe	117
PID 3456 wrote to memory of 4416	3456	37403FD.exe	118

C:\Users\Admin\AppData\Local\Temp\ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe
"C:\Users\Admin\AppData\Local\Temp\ccee6b8775be87a94b3ab61640ec8223068375675217f4d03529073af2ac8cd9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\37403FD.exe
  C:\Windows\37403FD.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Windows\37403FDRVURUX.exe
    C:\Windows\37403FDRVURUX.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1344
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2092
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:872
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3864
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3376
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4116
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4108
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4968
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\37403FDRVURUX.exe
      C:\Windows\37403FDRVURUX.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1864
  - - C:\Windows\37403FD.exe
      C:\Windows\37403FD.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5152
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Windows\37403FD.exe
    C:\Windows\37403FD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\37403FD.exe

Filesize
18KB

MD5
2e8d0b63ea1f592426a73cf97565153b

SHA1
6ff837457f084ec6ff536480ffd6d30ccf2e562b

SHA256
7b9f1b3a19d384650299710864a354f975249d6d0dfbf01cba4f07d59a023482

SHA512
b5d51883ee9bfe2386cd0d4890baa82a9b09865accf6e9ab01d90b4b98de20c256cec913706dc34f6dbdac057a375633e6217f88d8d134ac8a0063810da2bdb4

Download Submit
C:\Windows\37403FD.exe

Filesize
18KB

MD5
2e8d0b63ea1f592426a73cf97565153b

SHA1
6ff837457f084ec6ff536480ffd6d30ccf2e562b

SHA256
7b9f1b3a19d384650299710864a354f975249d6d0dfbf01cba4f07d59a023482

SHA512
b5d51883ee9bfe2386cd0d4890baa82a9b09865accf6e9ab01d90b4b98de20c256cec913706dc34f6dbdac057a375633e6217f88d8d134ac8a0063810da2bdb4

Download Submit
C:\Windows\37403FD.exe

Filesize
18KB

MD5
2e8d0b63ea1f592426a73cf97565153b

SHA1
6ff837457f084ec6ff536480ffd6d30ccf2e562b

SHA256
7b9f1b3a19d384650299710864a354f975249d6d0dfbf01cba4f07d59a023482

SHA512
b5d51883ee9bfe2386cd0d4890baa82a9b09865accf6e9ab01d90b4b98de20c256cec913706dc34f6dbdac057a375633e6217f88d8d134ac8a0063810da2bdb4

Download Submit
C:\Windows\37403FD.exe

Filesize
18KB

MD5
2e8d0b63ea1f592426a73cf97565153b

SHA1
6ff837457f084ec6ff536480ffd6d30ccf2e562b

SHA256
7b9f1b3a19d384650299710864a354f975249d6d0dfbf01cba4f07d59a023482

SHA512
b5d51883ee9bfe2386cd0d4890baa82a9b09865accf6e9ab01d90b4b98de20c256cec913706dc34f6dbdac057a375633e6217f88d8d134ac8a0063810da2bdb4

Download Submit
C:\Windows\37403FDRVURUX.exe

Filesize
19KB

MD5
572c06c62cd77fd24f0a8c42b5966993

SHA1
afdf0299f48b49792b55635a40672fc7f4f28b84

SHA256
e4f06fa771ffd273db7bdc22842078e514c6c484a672c17fe090bf4498e7f09c

SHA512
f7ffef1d469d036d42642e43d25b712f52681ff22e8d01651105daa9f1e4c0143b45412115da3e8bc722ad6cf12096731172bfb8c404aed301c3815c48777d35

Download Submit
C:\Windows\37403FDRVURUX.exe

Filesize
19KB

MD5
572c06c62cd77fd24f0a8c42b5966993

SHA1
afdf0299f48b49792b55635a40672fc7f4f28b84

SHA256
e4f06fa771ffd273db7bdc22842078e514c6c484a672c17fe090bf4498e7f09c

SHA512
f7ffef1d469d036d42642e43d25b712f52681ff22e8d01651105daa9f1e4c0143b45412115da3e8bc722ad6cf12096731172bfb8c404aed301c3815c48777d35

Download Submit
C:\Windows\37403FDRVURUX.exe

Filesize
19KB

MD5
572c06c62cd77fd24f0a8c42b5966993

SHA1
afdf0299f48b49792b55635a40672fc7f4f28b84

SHA256
e4f06fa771ffd273db7bdc22842078e514c6c484a672c17fe090bf4498e7f09c

SHA512
f7ffef1d469d036d42642e43d25b712f52681ff22e8d01651105daa9f1e4c0143b45412115da3e8bc722ad6cf12096731172bfb8c404aed301c3815c48777d35

Download Submit
memory/1344-206-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1344-184-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1864-195-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3456-163-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3456-205-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4828-134-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4828-204-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5152-199-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5204-203-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads