5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970

Analysis

max time kernel
15s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
Size

234KB
MD5

105194fca06e3722d7e5cc53645c0630
SHA1

75a3a21cfbc22e1b76d6500abce4e2b65cf714d2
SHA256

5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970
SHA512

c722c8f73a9a6d0f7692283f7e2643cc681333437c3ae3ef352e9634c34b0e1dfd680777d317d340d5139d3e774aef9bf0f160c1425305edfcb8af9f60ad36b4
SSDEEP

6144:2xV8dI3bxRETtXaz/OJepymej5viyT5O/q9DUGEyoSq:2n8dI3b7ETtKKepymejF5aeDUGNoSq

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
916	SkipeTurns.exe
1780	SkipeTurns.exe
1536	SkipeTurns.exe
1148	SkipeTurns.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/544-56-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1964-58-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1964-60-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1964-61-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1872-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1964-67-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1872-70-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1872-68-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1964-69-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1872-74-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1872-76-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/544-75-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1872-80-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1964-81-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-86.dat	upx
behavioral1/files/0x0007000000005c50-85.dat	upx
behavioral1/files/0x0007000000005c50-89.dat	upx
behavioral1/files/0x0007000000005c50-88.dat	upx
behavioral1/files/0x0007000000005c50-87.dat	upx
behavioral1/files/0x0007000000005c50-92.dat	upx
behavioral1/memory/916-95-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-96.dat	upx
behavioral1/files/0x0007000000005c50-103.dat	upx
behavioral1/files/0x0007000000005c50-116.dat	upx
behavioral1/memory/1148-120-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1148-124-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1148-125-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-128.dat	upx
behavioral1/memory/1780-130-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1148-131-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1780-133-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1536-134-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/916-135-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1148-136-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1872-137-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1148-141-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1964-155-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1536-156-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1148-157-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 set thread context of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 916 set thread context of 1780	916	SkipeTurns.exe	31
PID 916 set thread context of 1536	916	SkipeTurns.exe	32
PID 916 set thread context of 1148	916	SkipeTurns.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1308	ipconfig.exe
1296	ipconfig.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1056	reg.exe
836	reg.exe
1712	reg.exe
1416	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	SkipeTurns.exe
Token: 1	1148	SkipeTurns.exe
Token: SeCreateTokenPrivilege	1148	SkipeTurns.exe
Token: SeAssignPrimaryTokenPrivilege	1148	SkipeTurns.exe
Token: SeLockMemoryPrivilege	1148	SkipeTurns.exe
Token: SeIncreaseQuotaPrivilege	1148	SkipeTurns.exe
Token: SeMachineAccountPrivilege	1148	SkipeTurns.exe
Token: SeTcbPrivilege	1148	SkipeTurns.exe
Token: SeSecurityPrivilege	1148	SkipeTurns.exe
Token: SeTakeOwnershipPrivilege	1148	SkipeTurns.exe
Token: SeLoadDriverPrivilege	1148	SkipeTurns.exe
Token: SeSystemProfilePrivilege	1148	SkipeTurns.exe
Token: SeSystemtimePrivilege	1148	SkipeTurns.exe
Token: SeProfSingleProcessPrivilege	1148	SkipeTurns.exe
Token: SeIncBasePriorityPrivilege	1148	SkipeTurns.exe
Token: SeCreatePagefilePrivilege	1148	SkipeTurns.exe
Token: SeCreatePermanentPrivilege	1148	SkipeTurns.exe
Token: SeBackupPrivilege	1148	SkipeTurns.exe
Token: SeRestorePrivilege	1148	SkipeTurns.exe
Token: SeShutdownPrivilege	1148	SkipeTurns.exe
Token: SeDebugPrivilege	1148	SkipeTurns.exe
Token: SeAuditPrivilege	1148	SkipeTurns.exe
Token: SeSystemEnvironmentPrivilege	1148	SkipeTurns.exe
Token: SeChangeNotifyPrivilege	1148	SkipeTurns.exe
Token: SeRemoteShutdownPrivilege	1148	SkipeTurns.exe
Token: SeUndockPrivilege	1148	SkipeTurns.exe
Token: SeSyncAgentPrivilege	1148	SkipeTurns.exe
Token: SeEnableDelegationPrivilege	1148	SkipeTurns.exe
Token: SeManageVolumePrivilege	1148	SkipeTurns.exe
Token: SeImpersonatePrivilege	1148	SkipeTurns.exe
Token: SeCreateGlobalPrivilege	1148	SkipeTurns.exe
Token: 31	1148	SkipeTurns.exe
Token: 32	1148	SkipeTurns.exe
Token: 33	1148	SkipeTurns.exe
Token: 34	1148	SkipeTurns.exe
Token: 35	1148	SkipeTurns.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
916	SkipeTurns.exe
1780	SkipeTurns.exe
1536	SkipeTurns.exe
1148	SkipeTurns.exe
1148	SkipeTurns.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1964	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	26
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 544 wrote to memory of 1872	544	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	27
PID 1964 wrote to memory of 1308	1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	28
PID 1964 wrote to memory of 1308	1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	28
PID 1964 wrote to memory of 1308	1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	28
PID 1964 wrote to memory of 1308	1964	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	28
PID 1872 wrote to memory of 916	1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	30
PID 1872 wrote to memory of 916	1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	30
PID 1872 wrote to memory of 916	1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	30
PID 1872 wrote to memory of 916	1872	5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe	30
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1780	916	SkipeTurns.exe	31
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 916 wrote to memory of 1536	916	SkipeTurns.exe	32
PID 1780 wrote to memory of 1296	1780	SkipeTurns.exe	33
PID 1780 wrote to memory of 1296	1780	SkipeTurns.exe	33
PID 1780 wrote to memory of 1296	1780	SkipeTurns.exe	33
PID 1780 wrote to memory of 1296	1780	SkipeTurns.exe	33
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 916 wrote to memory of 1148	916	SkipeTurns.exe	35
PID 1148 wrote to memory of 1116	1148	SkipeTurns.exe	36
PID 1148 wrote to memory of 1116	1148	SkipeTurns.exe	36
PID 1148 wrote to memory of 1116	1148	SkipeTurns.exe	36
PID 1148 wrote to memory of 1116	1148	SkipeTurns.exe	36
PID 1148 wrote to memory of 536	1148	SkipeTurns.exe	37
PID 1148 wrote to memory of 536	1148	SkipeTurns.exe	37
PID 1148 wrote to memory of 536	1148	SkipeTurns.exe	37
PID 1148 wrote to memory of 536	1148	SkipeTurns.exe	37
PID 1148 wrote to memory of 1404	1148	SkipeTurns.exe	39
PID 1148 wrote to memory of 1404	1148	SkipeTurns.exe	39
PID 1148 wrote to memory of 1404	1148	SkipeTurns.exe	39
PID 1148 wrote to memory of 1404	1148	SkipeTurns.exe	39

C:\Users\Admin\AppData\Local\Temp\5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
"C:\Users\Admin\AppData\Local\Temp\5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
  "C:\Users\Admin\AppData\Local\Temp\5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1308
- C:\Users\Admin\AppData\Local\Temp\5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe
  "C:\Users\Admin\AppData\Local\Temp\5c8643d7a04e26b0f694b4f28bf9f524526d18aa8e3c79000cb4c62d99208970.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
    "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1296
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XHSXT.bat" "
        5⤵
        
        PID:1568
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SkipeTurns" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /f
        6⤵
        
        PID:1472
  - - C:\Users\Admin\AppData\Roaming\SkipeTurns.exe
      "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1116
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:536
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SkipeTurns.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:1404
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies registry key
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:1584
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DarkEye2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DarkEye2.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies registry key
        
        PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XHSXT.bat

Filesize
142B

MD5
7aab82a958be0bdc325ec075c874ca64

SHA1
f4ab3d6776f6ffc569a878a003df9a4f0a331eb6

SHA256
446e766a1c4c57cf38c3b70b1152a5c1216cc86388fefe5d7d39522458436144

SHA512
1737e41a539341737e4fc5c22f13c10b34e5054b2e1b44e604490c4faaf943442c596581fb28b0c967935cfd92c5fd4e7331fb72ae2d4f6ef1b8acc64b46f240

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
C:\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
\Users\Admin\AppData\Roaming\SkipeTurns.exe

Filesize
234KB

MD5
de2ef6fe79db1018614a1754e3ede1b8

SHA1
c80f025ac5f0e39e05075624b6b2f98578b27c14

SHA256
6936821dd101621df448c44b33ef9416560030d37b29d51d308e276ec5c9d749

SHA512
370a111f6b012cd58ce0526f5fd76934cc0d8d4f68439b66ff84892689f4207082cc02641bf6539eae10d775c5448f1f16d87ddb7ba97b9b37ef25b9610d30e0

Download Submit
memory/544-75-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/544-56-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/916-95-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/916-135-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1148-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-120-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-157-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-125-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-124-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-118-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1308-83-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1536-134-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1536-156-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1780-130-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1780-133-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1872-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1872-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1872-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1872-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1872-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1872-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1872-90-0x0000000002BB0000-0x0000000002C8F000-memory.dmp

Filesize
892KB

Download
memory/1872-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1872-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1964-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1964-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1964-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1964-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1964-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1964-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1964-155-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1964-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download