Analysis
max time kernel: 150s
max time network: 66s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 06:20
Behavioral task: behavioral1
Sample: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Resource: win10v2004-20220812-en
General
Target: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Size: 667KB
MD5: 2ec9e817685bf6c535a09df1896507ce
SHA1: 175503b55e41200505e5dd436288042bd9d76943
SHA256: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
SHA512: 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc
SSDEEP: 12288:yjkArEN249AyE/rbaMct4bO2/V30ZktGtYm9pRLYS0DzhT:lFE//Tct4bOs6W/i50D
Malware Config
Extracted
cybergate
2.6
vida nova tres
lesamedi.no-ip.info:82
kccvvcvv
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: syss
install_file: winn32.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Executes dropped EXE (2 IoCs)
pid | Process
1424 | winn32.exe
2016 | winn32.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\DontAsk = "2" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe Restart" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2} | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe -restart" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\IsInstalled = "1" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
resource | yara_rule
behavioral1/memory/2028-57-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2028-61-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2028-62-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2012-63-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
behavioral1/memory/2028-65-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2028-67-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral1/memory/2028-76-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/1684-81-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/files/0x000b0000000122da-83.dat | upx
behavioral1/memory/1684-84-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral1/memory/2028-86-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
behavioral1/memory/2028-92-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral1/memory/2028-98-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1976-97-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral1/memory/1976-99-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
behavioral1/memory/1976-100-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
behavioral1/files/0x000b0000000122da-101.dat | upx
behavioral1/files/0x000b0000000122da-103.dat | upx
behavioral1/files/0x000b0000000122da-109.dat | upx
behavioral1/memory/1424-111-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
behavioral1/memory/2016-113-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2016-114-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/1976-115-0x0000000009B20000-0x0000000009BEB000-memory.dmp | upx
behavioral1/memory/2016-116-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2016-117-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2012-118-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
behavioral1/memory/1976-119-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
Loads dropped DLL (1 IoCs)
pid | Process
1976 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\q: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\r: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\w: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\a: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\b: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\i: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\m: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\n: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\s: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\u: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\z: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\h: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\j: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\k: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\l: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\t: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\v: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\x: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\f: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\g: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\o: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\p: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\e: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened (read-only) | \??\y: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2012-63-0x0000000000400000-0x00000000004CB000-memory.dmp | autoit_exe
behavioral1/memory/1424-111-0x0000000000400000-0x00000000004CB000-memory.dmp | autoit_exe
behavioral1/memory/1976-115-0x0000000009B20000-0x0000000009BEB000-memory.dmp | autoit_exe
behavioral1/memory/2012-118-0x0000000000400000-0x00000000004CB000-memory.dmp | autoit_exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\syss\winn32.exe | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
File opened for modification | C:\Windows\SysWOW64\syss\winn32.exe | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2012 set thread context of 2028 | 2012 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 27
PID 1424 set thread context of 2016 | 1424 | winn32.exe | 32
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1976 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1976 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Token: SeDebugPrivilege | 1976 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2012 wrote to memory of 2028 | 2012 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 27
PID 2012 wrote to memory of 2028 | 2012 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 27
PID 2012 wrote to memory of 2028 | 2012 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 27
PID 2012 wrote to memory of 2028 | 2012 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 27
PID 2012 wrote to memory of 2028 | 2012 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 27
PID 2012 wrote to memory of 2028 | 2012 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 27
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
PID 2028 wrote to memory of 1348 | 2028 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 12
Processes

C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID:1348

  C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2012

    C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2028

      C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      - Modifies Installed Components in the registry
      PID:1684

      C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID:1500

      C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe"
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID:1976

        C:\Windows\SysWOW64\syss\winn32.exe
        Command line: "C:\Windows\system32\syss\winn32.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        PID:1424

          C:\Windows\SysWOW64\syss\winn32.exe
          Command line: "C:\Windows\SysWOW64\syss\winn32.exe"
          - Executes dropped EXE
          PID:2016
Downloads

Filesize: 229KB
MD5: 03f04535015c085446cd0828bcc401c9
SHA1: b2364366921e9a1d0f3e2ead3cd0f4e84374ae9b
SHA256: dc4224d120265dea2c0ec13272e2f6859a843521b9e1d4809578ac97cbf878a7
SHA512: 7b982d50af8a3485b16fcb61d792c61b83cb46edb6748cfedaa0d6cf1dfa55044909441de4933b4a65a88b0655d908a9f2a43421d464801caa3c3e6af959672a

Filesize: 667KB
MD5: 2ec9e817685bf6c535a09df1896507ce
SHA1: 175503b55e41200505e5dd436288042bd9d76943
SHA256: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
SHA512: 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc