7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Size

906KB
MD5

279e4d49ee709d3e740cbf1a11a53210
SHA1

5243a029f96c61d496f70d0977941858b7cf7842
SHA256

7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322
SHA512

11358f1fdd14a8bd303464ce7d6af286f036d44ccd965dd9a6928efcc6b01a43e4645b26f3a61d3aadce4ed64d56b8916d179a777625aa7d37868f3daddec6cc
SSDEEP

24576:ZePmbZpwZloMwvCvdoDzMPLIrv0+M6t4fXdV+7:7bZDMwqCHMPLIzftgD6

Score

9^/10

aspackv2 persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000001daf9-144.dat	acprotect
behavioral2/files/0x000300000001e5ac-145.dat	acprotect

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022e06-132.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e06-133.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e09-135.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e09-134.dat	aspack_v212_v242

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lh12FCujirx\ImagePath = "\\??\\C:\\Windows\\lh12FCujirxO3\\CDClient64.sys"	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\YXs87BtXqxB\ImagePath = "\\??\\C:\\Windows\\CDClient64.sys"	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Loads dropped DLL 6 IoCs

pid	Process
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CC19F.dat	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
File created	C:\Windows\SysWOW64\060449.bat	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
File created	C:\Windows\SysWOW64\060456.bat	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
File created	C:\Windows\SysWOW64\JvwDqmA.dll	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
File created	C:\Windows\SysWOW64\BEClsl.dll	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lh12FCujirxO3\CDClient64.sys	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
File created	C:\Windows\CDClient64.sys	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: 33	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: SeIncBasePriorityPrivilege	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: SeLoadDriverPrivilege	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: SeLoadDriverPrivilege	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: 33	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: SeIncBasePriorityPrivilege	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: 33	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
Token: SeIncBasePriorityPrivilege	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 5088	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	81
PID 4996 wrote to memory of 5088	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	81
PID 4996 wrote to memory of 5088	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	81
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 5088 wrote to memory of 4760	5088	cmd.exe	83
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 5088 wrote to memory of 4760	5088	cmd.exe	83
PID 5088 wrote to memory of 4760	5088	cmd.exe	83
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 5088 wrote to memory of 4728	5088	cmd.exe	84
PID 5088 wrote to memory of 4728	5088	cmd.exe	84
PID 5088 wrote to memory of 4728	5088	cmd.exe	84
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42
PID 4996 wrote to memory of 2424	4996	7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe
  "C:\Users\Admin\AppData\Local\Temp\7b5c2a5b9f4d9669613d2d640021feefba35fbbc43b0c9e955da54f545e4d322.exe"
  2⤵
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C C:\Windows\SysWOW64\060449.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C C:\Windows\SysWOW64\060456.bat
    3⤵
    PID:236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
      4⤵
      PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nGFwsyA\IACrprK.dll

Filesize
773KB

MD5
0e498f536fcbc7a3add7ae32e6a2bc6e

SHA1
aa648d515617bde237b59ff593da1180c870efb3

SHA256
0de3d25cfad28e2dcb7f1307f71b96db79a8fe1538d0138c459bddc31ab47aab

SHA512
ea7abade1caca6ac8bda273590d39b1989912c3e609453a1997e0c5b6aac8e369964697982f32a8bb1b7b0e8856818df6fd08aa31b6752533d557ce204e6e849

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGFwsyA\IACrprK.dll

Filesize
773KB

MD5
0e498f536fcbc7a3add7ae32e6a2bc6e

SHA1
aa648d515617bde237b59ff593da1180c870efb3

SHA256
0de3d25cfad28e2dcb7f1307f71b96db79a8fe1538d0138c459bddc31ab47aab

SHA512
ea7abade1caca6ac8bda273590d39b1989912c3e609453a1997e0c5b6aac8e369964697982f32a8bb1b7b0e8856818df6fd08aa31b6752533d557ce204e6e849

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGFwsyA\rtCoGHF.dll

Filesize
722KB

MD5
66e759f5a8fc8309172b6cd4607abf59

SHA1
24ea256f05e5fbd037c5f0bb2eaeb53bb3819c84

SHA256
40eea7eef6204133069ca3d20ce80d88ed7b1a29e205566d38aa18da01de9211

SHA512
872b0e153aab1831aa35c91390d1c8b9d06d1f9376c84fa3f22de8e4f7f334062e23e7dcd04d9af97d0e78fdcf4efdfbc6ea85db4c50093b1296d849c5a10093

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGFwsyA\rtCoGHF.dll

Filesize
722KB

MD5
66e759f5a8fc8309172b6cd4607abf59

SHA1
24ea256f05e5fbd037c5f0bb2eaeb53bb3819c84

SHA256
40eea7eef6204133069ca3d20ce80d88ed7b1a29e205566d38aa18da01de9211

SHA512
872b0e153aab1831aa35c91390d1c8b9d06d1f9376c84fa3f22de8e4f7f334062e23e7dcd04d9af97d0e78fdcf4efdfbc6ea85db4c50093b1296d849c5a10093

Download Submit
C:\Windows\SysWOW64\060449.bat

Filesize
5KB

MD5
ebeff7b70bc4dcc47b4424ee6472e123

SHA1
de26d8e8042b27b4e43c721a52eb61f30b7abf35

SHA256
fd2242eef0d6adc82b68e9b57e52ebccdc5fe636ab7f9d345ddfcca72f1cf82d

SHA512
49fac33297d33d0c3f7f67546a50a2c0b7bfd2f36ed6658097aba9eeac4231ceb0de3c5e41c54ec703bbe47a081925d8df41e74aae6626a2bf253fe8fa4e5230

Download Submit
C:\Windows\SysWOW64\060456.bat

Filesize
5KB

MD5
ebeff7b70bc4dcc47b4424ee6472e123

SHA1
de26d8e8042b27b4e43c721a52eb61f30b7abf35

SHA256
fd2242eef0d6adc82b68e9b57e52ebccdc5fe636ab7f9d345ddfcca72f1cf82d

SHA512
49fac33297d33d0c3f7f67546a50a2c0b7bfd2f36ed6658097aba9eeac4231ceb0de3c5e41c54ec703bbe47a081925d8df41e74aae6626a2bf253fe8fa4e5230

Download Submit
C:\Windows\SysWOW64\BEClsl.dll

Filesize
68KB

MD5
39bf6058fea574fe9cf529cb2823f787

SHA1
9103b0c11bdeef0e8a2f26b0d10043483ac9f7d8

SHA256
3bef0084ac397ea27cd7f5cc0b4ea8119cd8f94f607e2a814db51918bc1e1fbe

SHA512
4aa3a5c16dfc78378945dc03e29a5db161dd75493d757d5fa285fb6bea8bf824a50cf27d57eaed4d3dbc07e9f272d51a3c2a5efa6d924237d90f7f0fbc8364e4

Download Submit
C:\Windows\SysWOW64\JvwDqmA.dll

Filesize
68KB

MD5
cd57d686eaaea8891dd0e55fb0bc510d

SHA1
634c819d7751630bad82a7d1ac98b9cd15f3c00c

SHA256
2d84b48728765d01a1392af0046644789f6db00997c95182a11536329e65f1bc

SHA512
58aa9d03a748eb7f0b38b8cdc70b430aa3983f86c2d6479eec161f8277ba8a8467afbe0876dc7fb0534bb0574aa40ca3da4f200ee871177e623996ef6f04ae27

Download Submit
memory/4996-146-0x0000000071DC0000-0x0000000071DE7000-memory.dmp

Filesize
156KB

Download
memory/4996-147-0x0000000071D90000-0x0000000071DB7000-memory.dmp

Filesize
156KB

Download
memory/4996-148-0x0000000071DC0000-0x0000000071DE7000-memory.dmp

Filesize
156KB

Download