Analysis
max time kernel: 161s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 21-10-2022 01:43

Static task: static1
Behavioral task: behavioral1
  Sample: 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe
  Resource: win10v2004-20220812-en
General
Target: 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe
Size: 548KB
MD5: 7433061971233a4134cbac454a2f736c
SHA1: 2e2dc1d3f18df33b30d3d85633da142d48c51a84
SHA256: 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce
SHA512: 3d26dc69dc7133c7f2ad0088fb6f077382543e52bf3193e7995058dfecb5a1f19906ac5cb3b9624760d5e74b7e30add055c1a269045b7f9d3d54cc0414502e4a
SSDEEP: 12288:WbEtWoMZfaFtuKo5qKMnLYuyqnzN+y1kz1LxCOAwst:yloUf+o5qJnV9+y1IXs
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jyCd5od0b9.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bauwo.exe
Executes dropped EXE (10 IoCs)
pid | Process
4156 | jyCd5od0b9.exe
2736 | 2aag.exe
4464 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4548 | 2aag.exe
3844 | 2aag.exe
4864 | 2aag.exe
2668 | 3aag.exe
772 | X

resource | yara_rule
behavioral2/memory/4464-145-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/4464-148-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/4464-151-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/3712-150-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/3712-154-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/3712-155-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/4548-165-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/3844-169-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/4548-167-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/4548-159-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/3844-174-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/3844-176-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/4464-180-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/3712-181-0x0000000000400000-0x000000000040E000-memory.dmp | upx
behavioral2/memory/4548-182-0x0000000000400000-0x0000000000426000-memory.dmp | upx
behavioral2/memory/3844-183-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/4464-185-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral2/memory/4548-199-0x0000000000400000-0x0000000000426000-memory.dmp | upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | jyCd5od0b9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 31.193.3.240
Destination IP | 31.193.3.240
Adds Run key to start application (2 TTPs, 53 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /G" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /u" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /j" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /B" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /M" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /x" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /Y" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /F" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /X" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /L" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /z" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /R" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /J" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /b" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /N" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /g" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /K" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /h" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /P" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /e" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /U" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /A" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /h" | jyCd5od0b9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /y" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /n" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /O" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /w" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /o" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /r" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /H" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /T" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /c" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /k" | bauwo.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /Z" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /i" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /p" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /d" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /a" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /E" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /v" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /l" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /q" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /W" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /V" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /I" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /C" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /S" | bauwo.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | jyCd5od0b9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /D" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /f" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /m" | bauwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bauwo = "C:\\Users\\Admin\\bauwo.exe /Q" | bauwo.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2aag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 2aag.exe
Suspicious use of SetThreadContext (6 IoCs)
description | pid | Process | procid_target
PID 2736 set thread context of 4464 | 2736 | 2aag.exe | 85
PID 2736 set thread context of 3712 | 2736 | 2aag.exe | 86
PID 2736 set thread context of 4548 | 2736 | 2aag.exe | 87
PID 2736 set thread context of 3844 | 2736 | 2aag.exe | 89
PID 2736 set thread context of 4864 | 2736 | 2aag.exe | 92
PID 2668 set thread context of 3680 | 2668 | 3aag.exe | 101
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2764 | 4864 | WerFault.exe | 92
Enumerates processes with tasklist (1 TTP, 2 IoCs)
pid | Process
4988 | tasklist.exe
4280 | tasklist.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4156 | jyCd5od0b9.exe
4156 | jyCd5od0b9.exe
3712 | 2aag.exe
3712 | 2aag.exe
4156 | jyCd5od0b9.exe
4156 | jyCd5od0b9.exe
4548 | 2aag.exe
4548 | 2aag.exe
3712 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4548 | 2aag.exe
4548 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
2668 | 3aag.exe
2668 | 3aag.exe
772 | X
772 | X
4872 | bauwo.exe
4872 | bauwo.exe
3712 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
3712 | 2aag.exe
3712 | 2aag.exe
3712 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
3712 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
3712 | 2aag.exe
3712 | 2aag.exe
3712 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
4872 | bauwo.exe
3712 | 2aag.exe
3712 | 2aag.exe
3712 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
3712 | 2aag.exe
3712 | 2aag.exe
4872 | bauwo.exe
4872 | bauwo.exe
3712 | 2aag.exe
3712 | 2aag.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2980 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4988 | tasklist.exe
Token: SeDebugPrivilege | 2668 | 3aag.exe
Token: SeDebugPrivilege | 2668 | 3aag.exe
Token: SeShutdownPrivilege | 2980 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2980 | Explorer.EXE
Token: SeShutdownPrivilege | 2980 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2980 | Explorer.EXE
Token: SeDebugPrivilege | 4280 | tasklist.exe
Token: SeShutdownPrivilege | 2980 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2980 | Explorer.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe
4156 | jyCd5od0b9.exe
2736 | 2aag.exe
4464 | 2aag.exe
4872 | bauwo.exe
3844 | 2aag.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2732 wrote to memory of 4156 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 83
PID 2732 wrote to memory of 4156 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 83
PID 2732 wrote to memory of 4156 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 83
PID 2732 wrote to memory of 2736 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 84
PID 2732 wrote to memory of 2736 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 84
PID 2732 wrote to memory of 2736 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 84
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 4464 | 2736 | 2aag.exe | 85
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 3712 | 2736 | 2aag.exe | 86
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 2736 wrote to memory of 4548 | 2736 | 2aag.exe | 87
PID 4156 wrote to memory of 4872 | 4156 | jyCd5od0b9.exe | 88
PID 4156 wrote to memory of 4872 | 4156 | jyCd5od0b9.exe | 88
PID 4156 wrote to memory of 4872 | 4156 | jyCd5od0b9.exe | 88
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 2736 wrote to memory of 3844 | 2736 | 2aag.exe | 89
PID 4156 wrote to memory of 4848 | 4156 | jyCd5od0b9.exe | 90
PID 4156 wrote to memory of 4848 | 4156 | jyCd5od0b9.exe | 90
PID 4156 wrote to memory of 4848 | 4156 | jyCd5od0b9.exe | 90
PID 2736 wrote to memory of 4864 | 2736 | 2aag.exe | 92
PID 2736 wrote to memory of 4864 | 2736 | 2aag.exe | 92
PID 2736 wrote to memory of 4864 | 2736 | 2aag.exe | 92
PID 2736 wrote to memory of 4864 | 2736 | 2aag.exe | 92
PID 4848 wrote to memory of 4988 | 4848 | cmd.exe | 97
PID 4848 wrote to memory of 4988 | 4848 | cmd.exe | 97
PID 4848 wrote to memory of 4988 | 4848 | cmd.exe | 97
PID 4872 wrote to memory of 4988 | 4872 | bauwo.exe | 97
PID 4872 wrote to memory of 4988 | 4872 | bauwo.exe | 97
PID 2732 wrote to memory of 2668 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 99
PID 2732 wrote to memory of 2668 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 99
PID 2732 wrote to memory of 2668 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 99
PID 2668 wrote to memory of 772 | 2668 | 3aag.exe | 100
PID 2668 wrote to memory of 772 | 2668 | 3aag.exe | 100
PID 772 wrote to memory of 2980 | 772 | X | 54
PID 2668 wrote to memory of 3680 | 2668 | 3aag.exe | 101
PID 2668 wrote to memory of 3680 | 2668 | 3aag.exe | 101
PID 2668 wrote to memory of 3680 | 2668 | 3aag.exe | 101
PID 2668 wrote to memory of 3680 | 2668 | 3aag.exe | 101
PID 2732 wrote to memory of 2180 | 2732 | 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe | 103
Processes

C:\Windows\Explorer.EXE (PID 2980)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe (PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe"
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\jyCd5od0b9.exe (PID 4156)
      Command line: C:\Users\Admin\jyCd5od0b9.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\bauwo.exe (PID 4872)
        Command line: "C:\Users\Admin\bauwo.exe"
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 4848)
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del jyCd5od0b9.exe
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe (PID 4988)
          Command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\2aag.exe (PID 2736)
      Command line: C:\Users\Admin\2aag.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\2aag.exe (PID 4464)
        Command line: "C:\Users\Admin\2aag.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\2aag.exe (PID 3712)
        Command line: "C:\Users\Admin\2aag.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\2aag.exe (PID 4548)
        Command line: "C:\Users\Admin\2aag.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\2aag.exe (PID 3844)
        Command line: "C:\Users\Admin\2aag.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\2aag.exe (PID 4864)
        Command line: "C:\Users\Admin\2aag.exe"
        - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe (PID 2764)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 80
          - Program crash

    C:\Users\Admin\3aag.exe (PID 2668)
      Command line: C:\Users\Admin\3aag.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\3d215881\X (PID 772)
        Command line: *0*bc*395010c6*31.193.3.240:53
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 3680)
        Command line: "C:\Windows\system32\cmd.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 2180)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 3b117713fb73f1a6f2a44ac1087d78e3501e9c301aa4b69346dbc2b9664a24ce.exe

      C:\Windows\SysWOW64\tasklist.exe (PID 4280)
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 1784)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4864 -ip 4864
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 128KB
MD5: 2b4ee5d4acacc3528ba7c3a58bd29c41
SHA1: 81b91ba52c39da729feecf26c02798b981662448
SHA256: 78c58e327fb0dbc782ba27eabb7ba2765c20d9ac44df3460e6059d0c97c0ad12
SHA512: fde7b774c2853664c2d97baba56df64ce38c56104cd0c6f2702730f69c1db6f8b8e03856e125d92e1bc737dad2f9dd1f0f5cad565e5cd4cd093be93da8d8d965

Filesize: 286KB
MD5: cb278b7760c080ea4f57aea471f0f674
SHA1: 2c052b2db7a196d127c2b84b62563d0c98ec0413
SHA256: 74cb6a456be0e9bad997e8c97475c47ab27c40d3627484f7b38a86bd01c78930
SHA512: dbdf6a95b53a53f3a3dd929e0b1d63d512c00e9d28bf2f05c3e63707f0208f4f311adc637bb97a9d05bdb6bad9d6c7021aeec8c99ffe7033212e7763d4046bd3

Filesize: 38KB
MD5: 72de2dadaf875e2fd7614e100419033c
SHA1: 5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256: c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512: e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Filesize: 260KB
MD5: 261b31abb611ee07529151b40de09fd9
SHA1: ff975eae0872a6502e1b7eaeae0b2ed9269676e5
SHA256: 0464f257ca3ad50ec12a787bceaf1b06b9ec458695727889fdccdc565f5e2d15
SHA512: 691ac50e63a9528a973315e87d62fb100629f4c481454ad6d0c5f2d8924fc87b5ca8a1eb0cb7a4621d8393b0a860d909ae0800d2c669c1055a2fbdee788d94e1

Filesize: 260KB
MD5: b0c9b92f068e2ac7770334e56e0c5017
SHA1: 4d73d45c04e4e8af4fa81403d812fac1b94a75c0
SHA256: 6a1fbc078e3b75354607179c7af71cdc80e40d5a787929fe9d174998a7b75888
SHA512: 0d08f35abc9363db287449953a23d69f49bb11a2755378b82b66acba07f2588acce85a2f0f9c7a1fbdc7e049507ff5293e9ec33fc8cc847c860c80bb39c8c26a