407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
Size

384KB
MD5

41b40f8bb29310334434eb60b1c1bc1d
SHA1

37f0e6be39d1e780247f2401afa71ce7de468886
SHA256

407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa
SHA512

4c835165766859084bc2439e16c4a08ba26728b79858fd0dd077e17f2b5809985e8101a944d98f851a081dcac1875de91f39038a2fa484a415f38b130aed147c
SSDEEP

6144:bJGK2pYLlY4c6ue7lfhTuJZrM4l8KONb6/SPcGHciKjyISzTOILNhWOmzTTKWiYy:FGK2pYLlY4c6ue7lfhTuJZrM4l8KONbq

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pkwep.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yY6uXQd3.exe

Executes dropped EXE 6 IoCs

pid	Process
4116	yY6uXQd3.exe
4988	pkwep.exe
1720	2cmd.exe
4944	2cmd.exe
1404	3cmd.exe
4516	4cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4944-156-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4944-155-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4944-152-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4944-157-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yY6uXQd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /A"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /p"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /y"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /r"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /z"	pkwep.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /J"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /u"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /o"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /X"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /L"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /P"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /K"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /C"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /K"	yY6uXQd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /E"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /Q"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /j"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /v"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /q"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /N"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /c"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /M"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /d"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /k"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /l"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /G"	pkwep.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yY6uXQd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /T"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /w"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /R"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /F"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /Z"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /O"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /D"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /S"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /U"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /H"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /h"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /x"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /B"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /b"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /i"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /V"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /Y"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /n"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /t"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /f"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /s"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /W"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /I"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /e"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /a"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /m"	pkwep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pkwep = "C:\\Users\\Admin\\pkwep.exe /g"	pkwep.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 4944	1720	2cmd.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4556	tasklist.exe
4968	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4116	yY6uXQd3.exe
4116	yY6uXQd3.exe
4116	yY6uXQd3.exe
4116	yY6uXQd3.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
1404	3cmd.exe
1404	3cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4988	pkwep.exe
4988	pkwep.exe
4944	2cmd.exe
4944	2cmd.exe
4944	2cmd.exe
4944	2cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	tasklist.exe
Token: SeDebugPrivilege	1404	3cmd.exe
Token: SeDebugPrivilege	1404	3cmd.exe
Token: SeDebugPrivilege	4556	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
4116	yY6uXQd3.exe
4988	pkwep.exe
1720	2cmd.exe
4516	4cmd.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 480 wrote to memory of 4116	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	82
PID 480 wrote to memory of 4116	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	82
PID 480 wrote to memory of 4116	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	82
PID 4116 wrote to memory of 4988	4116	yY6uXQd3.exe	83
PID 4116 wrote to memory of 4988	4116	yY6uXQd3.exe	83
PID 4116 wrote to memory of 4988	4116	yY6uXQd3.exe	83
PID 4116 wrote to memory of 4960	4116	yY6uXQd3.exe	85
PID 4116 wrote to memory of 4960	4116	yY6uXQd3.exe	85
PID 4116 wrote to memory of 4960	4116	yY6uXQd3.exe	85
PID 480 wrote to memory of 1720	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	86
PID 480 wrote to memory of 1720	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	86
PID 480 wrote to memory of 1720	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	86
PID 4960 wrote to memory of 4968	4960	cmd.exe	87
PID 4960 wrote to memory of 4968	4960	cmd.exe	87
PID 4960 wrote to memory of 4968	4960	cmd.exe	87
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 1720 wrote to memory of 4944	1720	2cmd.exe	88
PID 480 wrote to memory of 1404	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	89
PID 480 wrote to memory of 1404	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	89
PID 480 wrote to memory of 1404	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	89
PID 480 wrote to memory of 4516	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	90
PID 480 wrote to memory of 4516	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	90
PID 480 wrote to memory of 4516	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	90
PID 480 wrote to memory of 2968	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	98
PID 480 wrote to memory of 2968	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	98
PID 480 wrote to memory of 2968	480	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	98
PID 2968 wrote to memory of 4556	2968	cmd.exe	100
PID 2968 wrote to memory of 4556	2968	cmd.exe	100
PID 2968 wrote to memory of 4556	2968	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
"C:\Users\Admin\AppData\Local\Temp\407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:480
- C:\Users\Admin\yY6uXQd3.exe
  C:\Users\Admin\yY6uXQd3.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\pkwep.exe
    "C:\Users\Admin\pkwep.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del yY6uXQd3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- C:\Users\Admin\2cmd.exe
  C:\Users\Admin\2cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\2cmd.exe
    "C:\Users\Admin\2cmd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4944
- C:\Users\Admin\3cmd.exe
  C:\Users\Admin\3cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Users\Admin\4cmd.exe
  C:\Users\Admin\4cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
C:\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
C:\Users\Admin\4cmd.exe

Filesize
36KB

MD5
06267a936e89e44812691c5ee418e214

SHA1
7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

SHA256
c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

SHA512
e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

Download Submit
C:\Users\Admin\4cmd.exe

Filesize
36KB

MD5
06267a936e89e44812691c5ee418e214

SHA1
7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

SHA256
c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

SHA512
e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

Download Submit
C:\Users\Admin\pkwep.exe

Filesize
264KB

MD5
95c98573d217d414c96451d2b5959c5b

SHA1
299ccb446624e9c6071a6d65026e3d96ec2a89f5

SHA256
1ecc6e3b908e1c15b7ec722af993d6af326ab0391521d99f5aa19c61296efbd5

SHA512
a3b84a7f267c29cebae53785b161ba3b1032caf486f6f3ba1de3526d07ca3007d152ea3a2f1ca4673dab24603720e3e11652dad0cb0047dc42f51cc5f712ecb0

Download Submit
C:\Users\Admin\pkwep.exe

Filesize
264KB

MD5
95c98573d217d414c96451d2b5959c5b

SHA1
299ccb446624e9c6071a6d65026e3d96ec2a89f5

SHA256
1ecc6e3b908e1c15b7ec722af993d6af326ab0391521d99f5aa19c61296efbd5

SHA512
a3b84a7f267c29cebae53785b161ba3b1032caf486f6f3ba1de3526d07ca3007d152ea3a2f1ca4673dab24603720e3e11652dad0cb0047dc42f51cc5f712ecb0

Download Submit
C:\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
C:\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
memory/1404-162-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/1404-158-0x0000000000000000-mapping.dmp

Download
memory/1404-164-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1404-163-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1404-161-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1720-145-0x0000000000000000-mapping.dmp

Download
memory/2968-170-0x0000000000000000-mapping.dmp

Download
memory/4116-134-0x0000000000000000-mapping.dmp

Download
memory/4516-165-0x0000000000000000-mapping.dmp

Download
memory/4556-171-0x0000000000000000-mapping.dmp

Download
memory/4944-157-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4944-151-0x0000000000000000-mapping.dmp

Download
memory/4944-155-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4944-152-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4944-156-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4960-144-0x0000000000000000-mapping.dmp

Download
memory/4968-150-0x0000000000000000-mapping.dmp

Download
memory/4988-139-0x0000000000000000-mapping.dmp

Download