Analysis
max time kernel: 60s
max time network: 99s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 31/10/2022, 22:53
Behavioral task: behavioral1
Sample: 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Resource: win10v2004-20220812-en
General
Target: 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Size: 4.1MB
MD5: 5399ff9c8181e7600a5d20b9521f8ef6
SHA1: 2956df5c6bdab3e9c6bf2f17f6712943d2c4533a
SHA256: 226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54
SHA512: d4ab3b67dcf604eda4b948643e6a3c10b56372e1a8ef74fd5e567c04a01de979ff505c2b2cb3b882b50ccb88e31b613a3207b10468e4016f2f78fa4f9737e88b
SSDEEP: 98304:Xl4CN9s4aaJ6JiTzYOtN1yMRH74VGjbDoLoq+SXfSX:Vh5JqiTzL1yMPq/XfSX
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid   Process
1420  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
1896  jlhLVVvnT
1524  eYE5FB1jlh.exe
1468  TlYcAgLotB.exe
-
Sets service image path in registry 2 TTPs 2 IoCs
description      ioc                                                                                                                                         Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ZS3Hh2uG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ZS3Hh2uG.sys"          TlYcAgLotB.exe
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\L9DgpOL_S1\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\L9DgpOL_S1.sys"      TlYcAgLotB.exe
-
Yara rule match: upx 11 IoCs
resource                                                                       yara_rule
behavioral1/memory/1340-55-0x0000000001190000-0x00000000019D8000-memory.dmp    upx
behavioral1/files/0x0007000000014d2f-71.dat                                    upx
behavioral1/files/0x0007000000014d2f-73.dat                                    upx
behavioral1/memory/1896-77-0x0000000000400000-0x0000000000457000-memory.dmp    upx
behavioral1/memory/1340-97-0x0000000001190000-0x00000000019D8000-memory.dmp    upx
behavioral1/files/0x0006000000015648-98.dat                                    upx
behavioral1/files/0x0006000000015648-100.dat                                   upx
behavioral1/memory/1468-103-0x000000013FE20000-0x000000013FE57000-memory.dmp   upx
behavioral1/memory/1340-109-0x0000000001190000-0x00000000019D8000-memory.dmp   upx
behavioral1/memory/1896-112-0x0000000000400000-0x0000000000457000-memory.dmp   upx
behavioral1/files/0x0007000000014d2f-113.dat                                   upx
-
Loads dropped DLL 5 IoCs
pid   Process
1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
1896  jlhLVVvnT
1896  jlhLVVvnT
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\B:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\R:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\T:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\Y:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\A:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\U:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\V:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\X:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\P:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\E:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\F:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\H:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\J:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\L:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\M:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\O:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\S:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\Z:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\G:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\I:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\K:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\N:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\Q:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
File opened (read-only)  \??\W:  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
-
Enumerates system info in registry 2 TTPs 4 IoCs
description        ioc                                                                Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                     1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
-
Modifies system certificate store 4 IoCs
description       ioc                                                                                                                                       Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                      226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted)  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted)  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob omitted)  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
-
Suspicious behavior: EnumeratesProcesses 57 IoCs
pid   Process
1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe  (15 identical entries)
1896  jlhLVVvnT  (42 identical entries)
-
Suspicious behavior: LoadsDriver 4 IoCs
pid   Process
464   Process not Found
464   Process not Found
1468  TlYcAgLotB.exe
1468  TlYcAgLotB.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description                   pid   Process
Token: SeBackupPrivilege      1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Token: SeRestorePrivilege     1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Token: SeBackupPrivilege      1896  jlhLVVvnT
Token: SeRestorePrivilege     1896  jlhLVVvnT
Token: SeBackupPrivilege      1896  jlhLVVvnT
Token: SeRestorePrivilege     1896  jlhLVVvnT
Token: SeLoadDriverPrivilege  1468  TlYcAgLotB.exe
Token: SeBackupPrivilege      1896  jlhLVVvnT
Token: SeRestorePrivilege     1896  jlhLVVvnT
-
Suspicious use of WriteProcessMemory 27 IoCs
description                       pid   Process                                                                 procid_target
PID 1340 wrote to memory of 1420  1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe  28  (4 identical entries)
PID 1340 wrote to memory of 1896  1340  226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe  31  (4 identical entries)
PID 1896 wrote to memory of 1524  1896  jlhLVVvnT                                                               33  (4 identical entries)
PID 1524 wrote to memory of 1276  1524  eYE5FB1jlh.exe                                                          35  (4 identical entries)
PID 1896 wrote to memory of 1468  1896  jlhLVVvnT                                                               37  (4 identical entries)
PID 1468 wrote to memory of 572   1468  TlYcAgLotB.exe                                                          38  (3 identical entries)
PID 1896 wrote to memory of 1148  1896  jlhLVVvnT                                                               40  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe"
  PID: 1340
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
    Command line: C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
    PID: 1420
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Enumerates system info in registry

  C:\Users\Admin\AppData\Local\Temp\jlhLVVvnT
    Command line: 2001 5399FF9C8181E7600A5D20B9521F8EF6 84
    PID: 1896
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\eYE5FB1jlh.exe C:\Users\Admin\AppData\Local\Temp\eYE5FB0jlh.dat
      PID: 1524
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EYE5FB~1.EXE >> NUL
        PID: 1276

    C:\Users\Admin\AppData\Local\Temp\TlYcAgLotB.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ZS3Hh2uG.sys
      PID: 1468
      - Executes dropped EXE
      - Sets service image path in registry
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\TLYCAG~1.EXE >> NUL
        PID: 572

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JLHLVV~1 >> NUL
      PID: 1148
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 2KB
MD5: 1a295f69dfd5c6f54042f8bc5b31a6af
SHA1: d2b64e2902114ce584f382cbd78b06354b6b14f7
SHA256: b14043ac188588e6e6282e515cc581ca0aaae5fbf84a0cf087204bae7fcdad55
SHA512: 3ed6b02a4b6f723f5ca54e78e2c787e5670cc7bec3e3517e06fdc57afe966fbb62b3702bf6cc6a903fd8ef83ea6f79949018e35b7ca4d93cd3f8e865bc2e724f
-
Filesize: 472B
MD5: 83343201c58ce331a5de9b207a0542a7
SHA1: 678743995d807544cebfbf82d534094f8c356231
SHA256: 27cc0e7305dfab9ab96d7a06655d4b699e42b30a075be7c1fe22d4736d20f115
SHA512: ab1d3da9a6977dbe6814466ca17092707e47a9e49f5767b2cfea0d23d41e207cb64d4427afec5aa14c1735b9f9ec34db1a8954d779d49457bf3ea14e494c772c
-
Filesize: 61KB
MD5: 3dcf580a93972319e82cafbc047d34d5
SHA1: 8528d2a1363e5de77dc3b1142850e51ead0f4b6b
SHA256: 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
SHA512: 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 1KB
MD5: 136889ac23008bfdfefb91c9e5d8a11d
SHA1: 8343b8ef34dc565eda256e042b43064cb8017131
SHA256: 35188ecd41bd046f9f71e26f5404d5406be5e20bf8f2b6963adaec084783bef5
SHA512: b19722ef132c9169aa442b87f633f915934a51ea4164c674864aaffe4b01dd7ad6b7488450ca14b6d1467eb231e6941cad0aab29733ae4fa6b7df7d2a2f75bdb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 488B
MD5: 2867ce7d2d7815a64513046b43651098
SHA1: 14abccac4b083847bd45b75b2f961658ce102581
SHA256: 01edfade18de3223ee71523c90bb063b51b5a06ded7532bad52d1062ec0ab3b3
SHA512: 33bc9242ce7f7a6014fc7874b8ee32ac94f92ee3294b503531b0a21102180f6de3133038e43e512666efa95d326c2b6e8a83a7b0a1ef6755bc888dd0a3304ac6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\400EC0C30337DCB94CB9C65FAB2BF5CA
Filesize: 476B
MD5: bf590d9a3e929861d2533ff2b328fe40
SHA1: bb59528c458e7c19dbdfd9dac15a8767e7b24964
SHA256: c751a6ab02852b445e2db9e74cc6fc41e131b40c96a961b2a8bd56232476efd0
SHA512: 2f4c23130ba5d264a1f81c7ba76ed9bb9f62a4bea6a4bdd3a660110ce25ccb7eabd72509fcc8f02aceb94701c7ecc93fcf80dce278e22ed7d9f60842f1cf73a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e740351645128f3ee51f973ab6fea4ed
SHA1: f7fcad0f25466ba74189bb26b4b3dbcfac91673c
SHA256: 79e719147509da5692a81bd47f79fa641df1ca4fd6da17ad843f9a1f627ce820
SHA512: 646f47069f063da0d162b0436db60df8abf8f78848a34f8aa3414f7d33f18917ec3e947856aab371cc130c85bddc9179f34f7dd19b99a60d1e9aaefc7a28a82b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 482B
MD5: 82b7eab0fbc3065bb0ae647388fc9fe7
SHA1: 12163d31764664fc87b76e6a5cda91cd7d747cf4
SHA256: 3500c638861a2749bf5a498a0d2d59b555e628ac4098d5ff5326b9a5ffd2c579
SHA512: 6251943e9e7aca115ccb96e2205894cde8391835bab5ff6f1960b4075c8dee25e732e57e6b4f5204733a9bc7d7a6d6ec5ce3ade23c67f10c2159b00041a0d97d
-
Filesize: 102KB
MD5: 4c839dc7014281acda2456d611ac73b7
SHA1: 13073f7b2d0ce49143d021cec9d863c0597a6f3e
SHA256: 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e
SHA512: 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea
-
Filesize: 77KB
MD5: cd3f1df2d4a06ac82cd816bc799dd65e
SHA1: a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256: ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512: 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0
-
Filesize: 77KB
MD5: cd3f1df2d4a06ac82cd816bc799dd65e
SHA1: a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256: ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512: 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0
-
Filesize: 201KB
MD5: f79f5ce86c81d6b0edb45a4a92c572af
SHA1: 4f8fe0760f075c60831513637935049c697d9725
SHA256: d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512: 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d
-
Filesize: 201KB
MD5: f79f5ce86c81d6b0edb45a4a92c572af
SHA1: 4f8fe0760f075c60831513637935049c697d9725
SHA256: d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512: 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d
-
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Filesize: 4.0MB
MD5: 48eed6e83346784e2213509f4892c0b7
SHA1: d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256: d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512: 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b
-
C:\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Filesize: 4.0MB
MD5: 48eed6e83346784e2213509f4892c0b7
SHA1: d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256: d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512: 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b
-
Filesize: 102KB
MD5: 4c839dc7014281acda2456d611ac73b7
SHA1: 13073f7b2d0ce49143d021cec9d863c0597a6f3e
SHA256: 188dca807ca0613941037af948e42527f9a7be9ff8bd80ff083cf0670a54c31e
SHA512: 9b9030287fb84c7ee616b2829f2797b867d26a3d034e83d5f06b4aea643cfc0cc1c5892892ab415c2d0d8e9922684fe0143e5fecb8f686d3db37bb1a87d631ea
-
Filesize: 77KB
MD5: cd3f1df2d4a06ac82cd816bc799dd65e
SHA1: a77c7aa9b4857d0ec504403528e2cfe625b6bc83
SHA256: ba2a2ae38a31d5f4ae98cd3e7c21792d36f2386a252ebd506353d1487da6b8ce
SHA512: 60f9e5329169a68d1548200a9bcd05d380bb924ebbaa57797683042f7ce17870e7a9e33dd70330da17c37b86c9ae4161b50cc84a673fce69af563118bfe7a6d0
-
Filesize: 201KB
MD5: f79f5ce86c81d6b0edb45a4a92c572af
SHA1: 4f8fe0760f075c60831513637935049c697d9725
SHA256: d2e9b3a4933bd3772b2789a393eeb3d3afadcfc1a34546da48ebc2ff3fb15317
SHA512: 0773ecb29c70b17dfc02c439b1a50d9e9426c951e48dfaec88bcd8344a5e757d8074a1db590d52519a313686e8efb60beedc0aa801e9d1364ada8e0567fa9f4d
-
\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Filesize: 4.0MB
MD5: 48eed6e83346784e2213509f4892c0b7
SHA1: d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256: d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512: 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b
-
\Users\Admin\Documents\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54\1226e6bd65f3b4c849f0187975780958a6cad49bb21d2d1e5a3c8897506f37d54.exe
Filesize: 4.0MB
MD5: 48eed6e83346784e2213509f4892c0b7
SHA1: d9016ac27e6b370f75b0a6b25c9978c78be1b792
SHA256: d39c949d27f3b8fdea3dc72abbce0a12d9eb9a21f101bc0a0e6f8b24eb2d6f05
SHA512: 0f3ae00ac453d12777a1034034a14b0ecc106433c7d7a03ad1d18116f2e16966fa0f946488ed08a826eea30c1074726f16dd2c9bad7a642acf2602e348302f6b