3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942

Analysis

max time kernel
152s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe
Size

19KB
MD5

a1ba8a9c32659299f0d46ce39ccb0923
SHA1

c3bfddf7ed573fefb02843cdc461e6db8c565c48
SHA256

3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942
SHA512

ad3edbdbf3f21cfec9a0717500c4296bf3e6d63a567cc26ace72acb705df373f92b9265421c0236a85928af5e8067f9ae07f44594e8fdf17f83183ae8a859577
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5SenSU:g5BOFKksO1mE9B77777J77c77c77c71t

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\AAD1DD.exe\""	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\AAD1DD.exe\""	AAD1DD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\AAD1DD.exe\""	AAD1DDRVUYQZ.exe

Executes dropped EXE 5 IoCs

pid	Process
1736	AAD1DD.exe
2244	AAD1DDRVUYQZ.exe
2688	AAD1DDRVUYQZ.exe
2744	AAD1DD.exe
2776	AAD1DD.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1788-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000a000000012319-72.dat	upx
behavioral1/files/0x000900000001232e-89.dat	upx
behavioral1/files/0x000900000001232e-91.dat	upx
behavioral1/files/0x000900000001232e-109.dat	upx
behavioral1/files/0x000a000000012319-112.dat	upx
behavioral1/files/0x000a000000012319-115.dat	upx
behavioral1/memory/2688-114-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2744-119-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000a000000012319-120.dat	upx
behavioral1/memory/1736-125-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2244-126-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2776-127-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2776-128-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1788-129-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1736-130-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2244-131-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AAD1DD.exe = "C:\\Windows\\AAD1DD.exe"	AAD1DD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AAD1DDRVUYQZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AAD1DD.exe = "C:\\Windows\\AAD1DD.exe"	AAD1DDRVUYQZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AAD1DD.exe = "C:\\Windows\\AAD1DD.exe"	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AAD1DD.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AAD1DD.exe	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe
File opened for modification	C:\Windows\AAD1DDRVUYQZ.exe	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
964	TASKKILL.exe
1048	TASKKILL.exe
872	TASKKILL.exe
588	TASKKILL.exe
1952	TASKKILL.exe
2512	TASKKILL.exe
1856	TASKKILL.exe
2120	TASKKILL.exe
2148	TASKKILL.exe
2304	TASKKILL.exe
2612	TASKKILL.exe
1588	TASKKILL.exe
2272	TASKKILL.exe
2284	TASKKILL.exe
2384	TASKKILL.exe
2652	TASKKILL.exe
628	TASKKILL.exe
1524	TASKKILL.exe
1800	TASKKILL.exe
1144	TASKKILL.exe
2176	TASKKILL.exe
2360	TASKKILL.exe
916	TASKKILL.exe
1228	TASKKILL.exe
956	TASKKILL.exe
1656	TASKKILL.exe
268	TASKKILL.exe
1920	TASKKILL.exe
1876	TASKKILL.exe
2064	TASKKILL.exe
2472	TASKKILL.exe
2580	TASKKILL.exe
1740	TASKKILL.exe
1696	TASKKILL.exe
840	TASKKILL.exe
1628	TASKKILL.exe
1660	TASKKILL.exe
2328	TASKKILL.exe
2408	TASKKILL.exe
2092	TASKKILL.exe
2444	TASKKILL.exe
2556	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	TASKKILL.exe
Token: SeDebugPrivilege	1920	TASKKILL.exe
Token: SeDebugPrivilege	1524	TASKKILL.exe
Token: SeDebugPrivilege	1588	TASKKILL.exe
Token: SeDebugPrivilege	956	TASKKILL.exe
Token: SeDebugPrivilege	964	TASKKILL.exe
Token: SeDebugPrivilege	1048	TASKKILL.exe
Token: SeDebugPrivilege	1228	TASKKILL.exe
Token: SeDebugPrivilege	1740	TASKKILL.exe
Token: SeDebugPrivilege	1696	TASKKILL.exe
Token: SeDebugPrivilege	268	TASKKILL.exe
Token: SeDebugPrivilege	1800	TASKKILL.exe
Token: SeDebugPrivilege	840	TASKKILL.exe
Token: SeDebugPrivilege	916	TASKKILL.exe
Token: SeDebugPrivilege	1628	TASKKILL.exe
Token: SeDebugPrivilege	1144	TASKKILL.exe
Token: SeDebugPrivilege	1856	TASKKILL.exe
Token: SeDebugPrivilege	588	TASKKILL.exe
Token: SeDebugPrivilege	1876	TASKKILL.exe
Token: SeDebugPrivilege	872	TASKKILL.exe
Token: SeDebugPrivilege	1656	TASKKILL.exe
Token: SeDebugPrivilege	1952	TASKKILL.exe
Token: SeDebugPrivilege	1660	TASKKILL.exe
Token: SeDebugPrivilege	2092	TASKKILL.exe
Token: SeDebugPrivilege	2064	TASKKILL.exe
Token: SeDebugPrivilege	2120	TASKKILL.exe
Token: SeDebugPrivilege	2148	TASKKILL.exe
Token: SeDebugPrivilege	2176	TASKKILL.exe
Token: SeDebugPrivilege	2284	TASKKILL.exe
Token: SeDebugPrivilege	2272	TASKKILL.exe
Token: SeDebugPrivilege	2472	TASKKILL.exe
Token: SeDebugPrivilege	2444	TASKKILL.exe
Token: SeDebugPrivilege	2328	TASKKILL.exe
Token: SeDebugPrivilege	2304	TASKKILL.exe
Token: SeDebugPrivilege	2360	TASKKILL.exe
Token: SeDebugPrivilege	2384	TASKKILL.exe
Token: SeDebugPrivilege	2408	TASKKILL.exe
Token: SeDebugPrivilege	2512	TASKKILL.exe
Token: SeDebugPrivilege	2556	TASKKILL.exe
Token: SeDebugPrivilege	2580	TASKKILL.exe
Token: SeDebugPrivilege	2612	TASKKILL.exe
Token: SeDebugPrivilege	2652	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe
1736	AAD1DD.exe
2244	AAD1DDRVUYQZ.exe
2688	AAD1DDRVUYQZ.exe
2744	AAD1DD.exe
2776	AAD1DD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 916	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	28
PID 1788 wrote to memory of 916	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	28
PID 1788 wrote to memory of 916	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	28
PID 1788 wrote to memory of 916	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	28
PID 1788 wrote to memory of 1740	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	30
PID 1788 wrote to memory of 1740	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	30
PID 1788 wrote to memory of 1740	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	30
PID 1788 wrote to memory of 1740	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	30
PID 1788 wrote to memory of 1696	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	31
PID 1788 wrote to memory of 1696	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	31
PID 1788 wrote to memory of 1696	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	31
PID 1788 wrote to memory of 1696	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	31
PID 1788 wrote to memory of 964	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	33
PID 1788 wrote to memory of 964	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	33
PID 1788 wrote to memory of 964	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	33
PID 1788 wrote to memory of 964	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	33
PID 1788 wrote to memory of 1588	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	35
PID 1788 wrote to memory of 1588	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	35
PID 1788 wrote to memory of 1588	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	35
PID 1788 wrote to memory of 1588	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	35
PID 1788 wrote to memory of 628	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	37
PID 1788 wrote to memory of 628	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	37
PID 1788 wrote to memory of 628	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	37
PID 1788 wrote to memory of 628	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	37
PID 1788 wrote to memory of 1228	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	39
PID 1788 wrote to memory of 1228	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	39
PID 1788 wrote to memory of 1228	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	39
PID 1788 wrote to memory of 1228	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	39
PID 1788 wrote to memory of 268	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	42
PID 1788 wrote to memory of 268	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	42
PID 1788 wrote to memory of 268	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	42
PID 1788 wrote to memory of 268	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	42
PID 1788 wrote to memory of 1920	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	43
PID 1788 wrote to memory of 1920	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	43
PID 1788 wrote to memory of 1920	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	43
PID 1788 wrote to memory of 1920	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	43
PID 1788 wrote to memory of 840	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	44
PID 1788 wrote to memory of 840	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	44
PID 1788 wrote to memory of 840	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	44
PID 1788 wrote to memory of 840	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	44
PID 1788 wrote to memory of 1048	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	47
PID 1788 wrote to memory of 1048	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	47
PID 1788 wrote to memory of 1048	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	47
PID 1788 wrote to memory of 1048	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	47
PID 1788 wrote to memory of 1524	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	49
PID 1788 wrote to memory of 1524	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	49
PID 1788 wrote to memory of 1524	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	49
PID 1788 wrote to memory of 1524	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	49
PID 1788 wrote to memory of 1800	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	51
PID 1788 wrote to memory of 1800	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	51
PID 1788 wrote to memory of 1800	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	51
PID 1788 wrote to memory of 1800	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	51
PID 1788 wrote to memory of 956	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	53
PID 1788 wrote to memory of 956	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	53
PID 1788 wrote to memory of 956	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	53
PID 1788 wrote to memory of 956	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	53
PID 1788 wrote to memory of 1736	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	56
PID 1788 wrote to memory of 1736	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	56
PID 1788 wrote to memory of 1736	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	56
PID 1788 wrote to memory of 1736	1788	3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe	56
PID 1736 wrote to memory of 1628	1736	AAD1DD.exe	57
PID 1736 wrote to memory of 1628	1736	AAD1DD.exe	57
PID 1736 wrote to memory of 1628	1736	AAD1DD.exe	57
PID 1736 wrote to memory of 1628	1736	AAD1DD.exe	57

C:\Users\Admin\AppData\Local\Temp\3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe
"C:\Users\Admin\AppData\Local\Temp\3f882ccb96a1a9ad3ea5131447c859b76440f9116039927c9b70b4f07533a942.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\AAD1DD.exe
  C:\Windows\AAD1DD.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\AAD1DDRVUYQZ.exe
    C:\Windows\AAD1DDRVUYQZ.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2244
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2272
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2328
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2384
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2408
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2444
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2472
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2580
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2612
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2652
  - - C:\Windows\AAD1DDRVUYQZ.exe
      C:\Windows\AAD1DDRVUYQZ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2688
  - - C:\Windows\AAD1DD.exe
      C:\Windows\AAD1DD.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2744
- - C:\Windows\AAD1DD.exe
    C:\Windows\AAD1DD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AAD1DD.exe

Filesize
33KB

MD5
4ed0f79a2aa80fb40083586e669d5852

SHA1
c8776be2e983c162d82a9bf3c25cace7ba6ff823

SHA256
a0142620684517d4d5f5dbfce2c6ef785cfbfac5b7c03d17e6acbd131b57bc4c

SHA512
d4397e5aa431593ca098478c636c1356bdac6df96e8acd3c5e887cedd714d2fd5a9d93ab5a0735c77eef8e48ceb210e707feb501bfb3e0b0883db2f8be9d769d

Download Submit
C:\Windows\AAD1DD.exe

Filesize
33KB

MD5
4ed0f79a2aa80fb40083586e669d5852

SHA1
c8776be2e983c162d82a9bf3c25cace7ba6ff823

SHA256
a0142620684517d4d5f5dbfce2c6ef785cfbfac5b7c03d17e6acbd131b57bc4c

SHA512
d4397e5aa431593ca098478c636c1356bdac6df96e8acd3c5e887cedd714d2fd5a9d93ab5a0735c77eef8e48ceb210e707feb501bfb3e0b0883db2f8be9d769d

Download Submit
C:\Windows\AAD1DD.exe

Filesize
33KB

MD5
4ed0f79a2aa80fb40083586e669d5852

SHA1
c8776be2e983c162d82a9bf3c25cace7ba6ff823

SHA256
a0142620684517d4d5f5dbfce2c6ef785cfbfac5b7c03d17e6acbd131b57bc4c

SHA512
d4397e5aa431593ca098478c636c1356bdac6df96e8acd3c5e887cedd714d2fd5a9d93ab5a0735c77eef8e48ceb210e707feb501bfb3e0b0883db2f8be9d769d

Download Submit
C:\Windows\AAD1DD.exe

Filesize
33KB

MD5
4ed0f79a2aa80fb40083586e669d5852

SHA1
c8776be2e983c162d82a9bf3c25cace7ba6ff823

SHA256
a0142620684517d4d5f5dbfce2c6ef785cfbfac5b7c03d17e6acbd131b57bc4c

SHA512
d4397e5aa431593ca098478c636c1356bdac6df96e8acd3c5e887cedd714d2fd5a9d93ab5a0735c77eef8e48ceb210e707feb501bfb3e0b0883db2f8be9d769d

Download Submit
C:\Windows\AAD1DDRVUYQZ.exe

Filesize
20KB

MD5
df73e8d627434aaa212d3d3fd216c5cb

SHA1
1509c75449800a34e5103ef12a6737cb29149f3b

SHA256
b130dd0468aef5e3842e2fe5d6e1572495d98ada4fa7298e6b9a692aa643499f

SHA512
199c67190f5e0bf34aefdd85f080f8b38e5d8541c81fe2fc1e3e9c08a62bd1d217c5a4cd0d496dbc5bd33baa0fc74242355e9674de40288aa31a9b8f47238b4b

Download Submit
C:\Windows\AAD1DDRVUYQZ.exe

Filesize
20KB

MD5
df73e8d627434aaa212d3d3fd216c5cb

SHA1
1509c75449800a34e5103ef12a6737cb29149f3b

SHA256
b130dd0468aef5e3842e2fe5d6e1572495d98ada4fa7298e6b9a692aa643499f

SHA512
199c67190f5e0bf34aefdd85f080f8b38e5d8541c81fe2fc1e3e9c08a62bd1d217c5a4cd0d496dbc5bd33baa0fc74242355e9674de40288aa31a9b8f47238b4b

Download Submit
C:\Windows\AAD1DDRVUYQZ.exe

Filesize
20KB

MD5
df73e8d627434aaa212d3d3fd216c5cb

SHA1
1509c75449800a34e5103ef12a6737cb29149f3b

SHA256
b130dd0468aef5e3842e2fe5d6e1572495d98ada4fa7298e6b9a692aa643499f

SHA512
199c67190f5e0bf34aefdd85f080f8b38e5d8541c81fe2fc1e3e9c08a62bd1d217c5a4cd0d496dbc5bd33baa0fc74242355e9674de40288aa31a9b8f47238b4b

Download Submit
memory/1736-130-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1736-125-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1788-124-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/1788-129-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1788-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1788-123-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2244-131-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2244-126-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2688-114-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2744-119-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2776-127-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2776-128-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads