42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

Analysis

max time kernel
140s
max time network
167s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
Size

260KB
MD5

e8a7307f1acfc2666767a13d3781931f
SHA1

b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207
SHA256

42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802
SHA512

dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895
SSDEEP

6144:vCjWDc83SYtXGLdTUAw1mBu7hPF4Rx1bVuhbApPwA:vCjWxjWhZyhPFGHbVuhbmP

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\list\C:\Windows\SysWOW64\svchost.exe = "C:\\Windows\\SysWOW64\\svchost.exe:*:Generic Host Process"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\list\C:\Windows\SysWOW64\msiexec.exe = "C:\\Windows\\SysWOW64\\msiexec.exe:*:Generic Host Process"	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list	svchost.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\44234 = "c:\\progra~3\\dxgakedph.exe"	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
1252	RMWRNT91.exe
1564	dxgakedph.exe
1064	dxgakedph.exe
768	RLVRMT8.exe
1600	dxgakedph.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1820-60-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1820-63-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1820-64-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1820-80-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1064-121-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1820-140-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/1064-156-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Loads dropped DLL 12 IoCs

pid	Process
1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1100	msiexec.exe
1100	msiexec.exe
1564	dxgakedph.exe
1064	dxgakedph.exe
1064	dxgakedph.exe
1064	dxgakedph.exe
1064	dxgakedph.exe
1564	dxgakedph.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	dxgakedph.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	dxgakedph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 set thread context of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 1564 set thread context of 1064	1564	dxgakedph.exe	33
PID 1564 set thread context of 1600	1564	dxgakedph.exe	35
PID 1252 set thread context of 1812	1252	RMWRNT91.exe	37
PID 768 set thread context of 1284	768	RLVRMT8.exe	42

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	\??\c:\progra~3\dxgakedph.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000007ab574cc07d46f67585eea8fa95ccadbde4d40a1fe6095d3afaea2496c9c073c000000000e80000000020000200000005bafb5394bc6138fce812ee9ad0c99d13219498a5684a755b0475e248621e5009000000014bb096d4fda6093f8304c934fecfd349461ed876635d500a33226756ab11f983a2621260d75dd398d435e426a29786931fb6b4416c6f919c6c260e6efbc537184c0c4bc308593a7a109279bb0d6fc3795119cfe37593ec87c3a693f4285e3df32e9e7a27f54ac9e2ebf2fb48347001319638992a97f292d1b3a5d71a476d1f2e34f7c479a42af68b3086005522957a74000000003a3da5fa1428d11b3ccac03b9b348f7659484ed68cc48456f7b6940570f35c4b3f9e227feb450b0ec0d3a56612a78921d78de3ce1f22c494ee844842b4e23e5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373832423"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800928cfc2ebd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0ED25A1-57B5-11ED-979E-6A94EDCEDC7A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf0000000002000000000010660000000100002000000019356c71794e4f36bb4053e1d176a846d0832204e69476e844237d9ea468347e000000000e80000000020000200000007ca84ac72d3500a504f90aa90714db9b8b5cd27ed6ff3afcfcc4844adce35b3b20000000acb60cc074b7e1c02e9341a31c5eb39da97b985e6b090a4d8048226314b162bd40000000c2a9438d43f876c5a3d8ec3cdbc294aaa83107d41e3eb69f923115f339399cf3fc3c9bf242c40a5811054778ca8de4d6296784836fff1e1ee55ed141fe90b4f5	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1600	dxgakedph.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1600	dxgakedph.exe
1600	dxgakedph.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	RMWRNT91.exe
Token: SeDebugPrivilege	768	RLVRMT8.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1744	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
1564	dxgakedph.exe
1064	dxgakedph.exe
1744	iexplore.exe
1744	iexplore.exe
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 2012 wrote to memory of 1820	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	28
PID 1820 wrote to memory of 1252	1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	29
PID 1820 wrote to memory of 1252	1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	29
PID 1820 wrote to memory of 1252	1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	29
PID 1820 wrote to memory of 1252	1820	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	29
PID 2012 wrote to memory of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 2012 wrote to memory of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 2012 wrote to memory of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 2012 wrote to memory of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 2012 wrote to memory of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 2012 wrote to memory of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 2012 wrote to memory of 1428	2012	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	30
PID 1428 wrote to memory of 1100	1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	31
PID 1428 wrote to memory of 1100	1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	31
PID 1428 wrote to memory of 1100	1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	31
PID 1428 wrote to memory of 1100	1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	31
PID 1428 wrote to memory of 1100	1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	31
PID 1428 wrote to memory of 1100	1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	31
PID 1428 wrote to memory of 1100	1428	42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe	31
PID 1100 wrote to memory of 1564	1100	msiexec.exe	32
PID 1100 wrote to memory of 1564	1100	msiexec.exe	32
PID 1100 wrote to memory of 1564	1100	msiexec.exe	32
PID 1100 wrote to memory of 1564	1100	msiexec.exe	32
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1564 wrote to memory of 1064	1564	dxgakedph.exe	33
PID 1064 wrote to memory of 768	1064	dxgakedph.exe	34
PID 1064 wrote to memory of 768	1064	dxgakedph.exe	34
PID 1064 wrote to memory of 768	1064	dxgakedph.exe	34
PID 1064 wrote to memory of 768	1064	dxgakedph.exe	34
PID 1564 wrote to memory of 1600	1564	dxgakedph.exe	35
PID 1564 wrote to memory of 1600	1564	dxgakedph.exe	35
PID 1564 wrote to memory of 1600	1564	dxgakedph.exe	35
PID 1564 wrote to memory of 1600	1564	dxgakedph.exe	35
PID 1564 wrote to memory of 1600	1564	dxgakedph.exe	35
PID 1564 wrote to memory of 1600	1564	dxgakedph.exe	35
PID 1564 wrote to memory of 1600	1564	dxgakedph.exe	35
PID 1600 wrote to memory of 1716	1600	dxgakedph.exe	36
PID 1600 wrote to memory of 1716	1600	dxgakedph.exe	36
PID 1600 wrote to memory of 1716	1600	dxgakedph.exe	36
PID 1600 wrote to memory of 1716	1600	dxgakedph.exe	36
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37
PID 1252 wrote to memory of 1812	1252	RMWRNT91.exe	37

C:\Users\Admin\AppData\Local\Temp\42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
"C:\Users\Admin\AppData\Local\Temp\42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
  "C:\Users\Admin\AppData\Local\Temp\42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\RMWRNT91.exe
    "C:\Users\Admin\AppData\Local\Temp\RMWRNT91.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      PID:1812
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1744
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:284
- C:\Users\Admin\AppData\Local\Temp\42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe
  "C:\Users\Admin\AppData\Local\Temp\42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Modifies firewall policy service
    - Adds policy Run key to start application
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - \??\c:\progra~3\dxgakedph.exe
      c:\progra~3\dxgakedph.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1564
    - - \??\c:\progra~3\dxgakedph.exe
        
        c:\progra~3\dxgakedph.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\RLVRMT8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLVRMT8.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        7⤵
        
        PID:1284
    - - \??\c:\progra~3\dxgakedph.exe
        
        c:\progra~3\dxgakedph.exe
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        6⤵
        Modifies firewall policy service
        
        PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
C:\PROGRA~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
C:\PROGRA~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLVRMT8.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLVRMT8.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMWRNT91.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMWRNT91.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MIFT18GD.txt

Filesize
608B

MD5
b7fffd4cf7bf2772d3c5eba9cf78942c

SHA1
7afdc71407a6aefdd10443892277391ff3d7c7e0

SHA256
66e5780b30ee598c4df9d9d3041d7ec9b3ebdca43e1e15c8b387d1cccebb32b6

SHA512
4032ccc26b07f86a74b5e759170199f692c97cb6e3d94bb657d45f2ef10b50a6f83cdfa9cd31ff269b0025c22751d0855a4a76c70e93408d1b1f41873f712f54

Download Submit
\??\c:\progra~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
\PROGRA~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
\PROGRA~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
\PROGRA~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
\PROGRA~3\dxgakedph.exe

Filesize
260KB

MD5
e8a7307f1acfc2666767a13d3781931f

SHA1
b7c0138e3e5fd4ccbd3a6e3d1d9df33cbdcfa207

SHA256
42b14a149ad3d9d5e9f5e6863e33c44d6333a3b3ca18f9ec915412720a4d9802

SHA512
dabe9a37abd85e29912d016087d3de3b184b015da3c6d2e06fc8a28f62ea13e487730de0d29d794e6abf1f24037c756a68eda1a9207179f733fa7feff991f895

Download Submit
\Users\Admin\AppData\Local\Temp\RLVRMT8.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
\Users\Admin\AppData\Local\Temp\RLVRMT8.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
\Users\Admin\AppData\Local\Temp\RLVRMT8.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
\Users\Admin\AppData\Local\Temp\RLVRMT8.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
\Users\Admin\AppData\Local\Temp\RMWRNT91.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
\Users\Admin\AppData\Local\Temp\RMWRNT91.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
\Users\Admin\AppData\Local\Temp\RMWRNT91.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
\Users\Admin\AppData\Local\Temp\RMWRNT91.exe

Filesize
239KB

MD5
7e19038bf810452444507e923af1293b

SHA1
ee47f842dcd607e721293665136d65239c7d0b89

SHA256
d81800d71979f662036525ffc37ac7fb4d87ee975809ab5155960013eec19f61

SHA512
d04ee02519a510d568dc8cabc46fb535550ca13120650020c1a32ed220ff2342854f5a37e6c559dd43c5a6ab5e3c2b914972933d184ff944fa57abdb9c202f2b

Download Submit
memory/768-122-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/768-155-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/768-112-0x0000000000000000-mapping.dmp

Download
memory/768-141-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-98-0x00000000004423C0-mapping.dmp

Download
memory/1100-87-0x000000007EFA0000-0x000000007EFA6000-memory.dmp

Filesize
24KB

Download
memory/1100-86-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/1100-83-0x0000000000000000-mapping.dmp

Download
memory/1100-85-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/1252-139-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-88-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-81-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1252-72-0x0000000000000000-mapping.dmp

Download
memory/1284-149-0x0000000000424ABE-mapping.dmp

Download
memory/1428-82-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1428-78-0x0000000000401B10-mapping.dmp

Download
memory/1428-77-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1564-102-0x0000000000318000-0x000000000031A000-memory.dmp

Filesize
8KB

Download
memory/1564-101-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-91-0x0000000000000000-mapping.dmp

Download
memory/1564-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-118-0x0000000000401B10-mapping.dmp

Download
memory/1716-123-0x0000000000000000-mapping.dmp

Download
memory/1716-125-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1716-142-0x000000007EFA0000-0x000000007EFA6000-memory.dmp

Filesize
24KB

Download
memory/1716-126-0x000000007EFA0000-0x000000007EFA6000-memory.dmp

Filesize
24KB

Download
memory/1812-127-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-137-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-128-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-130-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-133-0x0000000000424ABE-mapping.dmp

Download
memory/1820-67-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1820-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-61-0x00000000004423C0-mapping.dmp

Download
memory/2012-58-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2012-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download