Analysis
- max time kernel: 176s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/11/2022, 06:20
Behavioral task: behavioral1
- Sample: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Resource: win10v2004-20220812-en
General
- Target: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Size: 667KB
- MD5: 2ec9e817685bf6c535a09df1896507ce
- SHA1: 175503b55e41200505e5dd436288042bd9d76943
- SHA256: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
- SHA512: 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc
- SSDEEP: 12288:yjkArEN249AyE/rbaMct4bO2/V30ZktGtYm9pRLYS0DzhT:lFE//Tct4bOs6W/i50D
Malware Config
Extracted
cybergate
2.6
vida nova tres
lesamedi.no-ip.info:82
kccvvcvv
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: syss
- install_file: winn32.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1488 | winn32.exe
  2732 | winn32.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\DontAsk = "2" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe Restart" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\syss\\winn32.exe" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2} | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe -restart" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-f1f2f1f2f1f2}\IsInstalled = "1" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  resource | yara_rule
  behavioral2/memory/4476-136-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/4476-138-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/1572-140-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
  behavioral2/memory/4476-139-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/4476-141-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/4476-143-0x0000000024010000-0x0000000024072000-memory.dmp | upx
  behavioral2/memory/4476-148-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
  behavioral2/memory/4648-151-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
  behavioral2/files/0x000300000000071f-153.dat | upx
  behavioral2/memory/4648-154-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
  behavioral2/memory/4476-156-0x00000000240F0000-0x0000000024152000-memory.dmp | upx
  behavioral2/memory/4476-161-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
  behavioral2/memory/1220-164-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
  behavioral2/memory/4476-165-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/1220-166-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
  behavioral2/memory/1220-167-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
  behavioral2/files/0x000300000000071f-169.dat | upx
  behavioral2/files/0x000300000000071f-172.dat | upx
  behavioral2/memory/1488-174-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
  behavioral2/memory/2732-175-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/2732-176-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/2732-177-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral2/memory/1572-178-0x0000000000400000-0x00000000004CB000-memory.dmp | upx
  behavioral2/memory/1220-179-0x0000000024160000-0x00000000241C2000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\syss\\winn32.exe" | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | one entry per drive root, in the order reported: \??\m:, \??\r:, \??\t:, \??\l:, \??\i:, \??\j:, \??\q:, \??\v:, \??\w:, \??\x:, \??\z:, \??\g:, \??\h:, \??\k:, \??\o:, \??\p:, \??\b:, \??\e:, \??\f:, \??\n:, \??\s:, \??\u:, \??\y:, \??\a: | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/1572-140-0x0000000000400000-0x00000000004CB000-memory.dmp | autoit_exe
  behavioral2/memory/1488-174-0x0000000000400000-0x00000000004CB000-memory.dmp | autoit_exe
  behavioral2/memory/1572-178-0x0000000000400000-0x00000000004CB000-memory.dmp | autoit_exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\syss\winn32.exe | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  File opened for modification | C:\Windows\SysWOW64\syss\winn32.exe | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1572 set thread context of 4476 | 1572 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 79
  PID 1488 set thread context of 2732 | 1488 | winn32.exe | 84
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1544 | 2732 | WerFault.exe | 84
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4476 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  4476 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1220 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1220 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
  Token: SeDebugPrivilege | 1220 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  4476 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1572 wrote to memory of 4476 | 1572 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 79 (this row is repeated 5 times)
  PID 4476 wrote to memory of 2596 | 4476 | e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe | 40 (this row is repeated for all remaining entries, 64 in total)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:2596
  - C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe") PID:1572
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe") PID:4476
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe) PID:4648
        - Modifies Installed Components in the registry
      - C:\Program Files\Internet Explorer\iexplore.exe (command line: "C:\Program Files\Internet Explorer\iexplore.exe") PID:832
      - C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca.exe") PID:1220
        - Checks computer location settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\syss\winn32.exe (command line: "C:\Windows\system32\syss\winn32.exe") PID:1488
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - C:\Windows\SysWOW64\syss\winn32.exe (command line: "C:\Windows\SysWOW64\syss\winn32.exe") PID:2732
            - Executes dropped EXE
            - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 576) PID:1544
              - Program crash
- C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2732 -ip 2732) PID:3808
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 229KB
  MD5: 03f04535015c085446cd0828bcc401c9
  SHA1: b2364366921e9a1d0f3e2ead3cd0f4e84374ae9b
  SHA256: dc4224d120265dea2c0ec13272e2f6859a843521b9e1d4809578ac97cbf878a7
  SHA512: 7b982d50af8a3485b16fcb61d792c61b83cb46edb6748cfedaa0d6cf1dfa55044909441de4933b4a65a88b0655d908a9f2a43421d464801caa3c3e6af959672a
- Filesize: 667KB
  MD5: 2ec9e817685bf6c535a09df1896507ce
  SHA1: 175503b55e41200505e5dd436288042bd9d76943
  SHA256: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
  SHA512: 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc
- Filesize: 667KB
  MD5: 2ec9e817685bf6c535a09df1896507ce
  SHA1: 175503b55e41200505e5dd436288042bd9d76943
  SHA256: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
  SHA512: 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc
- Filesize: 667KB
  MD5: 2ec9e817685bf6c535a09df1896507ce
  SHA1: 175503b55e41200505e5dd436288042bd9d76943
  SHA256: e4d2a9d6f1336f7b9ed6787124e15dda0a5e37c1361d0f75a1308bf99208fbca
  SHA512: 39cd98fad637091a84b76bd210b1c244a8a7dff2089f53a13b3f400eeaf76c3f533561c7fb03a5db392c67c5862936edb32ee11b59d75dfa00abbbc32337d8bc