Analysis
max time kernel: 152s
max time network: 56s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 09:51
Static task: static1
Behavioral task: behavioral1
Sample: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Resource: win7-20220812-en
General
Target: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Size: 387KB
MD5: 2184e73b4a2ecee7a726b2d7f8374946
SHA1: 8dd0ef00c55f8470ae513b66773a6369539a8dc9
SHA256: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
SHA512: 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6
SSDEEP: 6144:27D6KarVGMXvnF/Cq/HgZ4OYSUO8mJuWV918BMgVvraUdctrs+s3jwwV:sDGR3dCyHtOZ/JuWV9uBMg10ewwV
Malware Config
Extracted
Family: cybergate
Version: 2.6
Botnet: ÖÍíÉ
C2: 127.0.0.1:8081
C2: tunisia-sat.no-ip.biz:8081
Mutex: ***MUTEX***
Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: svchost.exe
- install_dir: bin
- install_file: windows.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

Executes dropped EXE (4 IoCs)
pid | Process
1996 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
1192 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
1356 | windows.exe
1692 | windows.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe Restart" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GF4X7745-WQW6-GR05-83C3-J2A4J26U82BY}\StubPath = "c:\\windows\\system32\\microsoft\\bin\\windows.exe" | explorer.exe
Loads dropped DLL (3 IoCs)
pid | Process
780 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
1996 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
1192 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | windows.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FacebookUpdater.com = "C:\\Windows\\system32\\bin\\help.exe" | windows.exe

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bin | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File created | C:\Windows\SysWOW64\bin\help.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | C:\Windows\SysWOW64\bin\help.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | \??\c:\windows\SysWOW64\microsoft\bin\windows.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | \??\c:\windows\SysWOW64\microsoft\bin\ | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File created | \??\c:\windows\SysWOW64\microsoft\bin\windows.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | \??\c:\windows\SysWOW64\microsoft\bin\windows.exe | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
File opened for modification | C:\windows\SysWOW64\microsoft\bin\windows.exe | windows.exe
File opened for modification | C:\Windows\SysWOW64\bin\help.exe | windows.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 780 set thread context of 1996 | 780 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | 28
PID 1356 set thread context of 1692 | 1356 | windows.exe | 37

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1192 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1192 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
Token: SeDebugPrivilege | 1192 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
1996 | 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (tree; each entry lists image path, command line and PID, with the signatures triggered by that process nested beneath it)
- C:\Windows\system32\lsass.exe | cmdline: C:\Windows\system32\lsass.exe | PID 476
- C:\Windows\system32\services.exe | cmdline: C:\Windows\system32\services.exe | PID 460
  - C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k netsvcs | PID 872
    - \\?\C:\Windows\system32\wbem\WMIADAP.EXE | cmdline: wmiadap.exe /F /T /R | PID 1088
  - C:\Windows\system32\taskhost.exe | cmdline: "taskhost.exe" | PID 1260
  - C:\Windows\system32\sppsvc.exe | cmdline: C:\Windows\system32\sppsvc.exe | PID 1676
  - C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 1512
  - C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1032
  - C:\Windows\System32\spoolsv.exe | cmdline: C:\Windows\System32\spoolsv.exe | PID 276
  - C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k NetworkService | PID 300
  - C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k LocalService | PID 844
  - C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 796
  - C:\Windows\System32\svchost.exe | cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 732
  - C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k RPCSS | PID 652
  - C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch | PID 576
- C:\Windows\system32\winlogon.exe | cmdline: winlogon.exe | PID 416
- C:\Windows\system32\csrss.exe | cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 376
- C:\Windows\system32\wininit.exe | cmdline: wininit.exe | PID 368
  - C:\Windows\system32\lsm.exe | cmdline: C:\Windows\system32\lsm.exe | PID 484
- C:\Windows\system32\csrss.exe | cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 332
- C:\Windows\System32\smss.exe | cmdline: \SystemRoot\System32\smss.exe | PID 260
- C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE | PID 1420
  - C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" | PID 780
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe | cmdline: /c net stop MpsSvc | PID 1920
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe | cmdline: net stop MpsSvc | PID 1904
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe | cmdline: C:\Windows\system32\net1 stop MpsSvc | PID 1936
    - C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | PID 1996
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe | cmdline: explorer.exe | PID 584
        - Modifies Installed Components in the registry
      - C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe" | PID 1192
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - C:\windows\SysWOW64\microsoft\bin\windows.exe | cmdline: "C:\windows\system32\microsoft\bin\windows.exe" | PID 1356
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - C:\Windows\SysWOW64\cmd.exe | cmdline: /c net stop MpsSvc | PID 1704
            - C:\Windows\SysWOW64\net.exe | cmdline: net stop MpsSvc | PID 1784
              - C:\Windows\SysWOW64\net1.exe | cmdline: C:\Windows\system32\net1 stop MpsSvc | PID 380
          - C:\windows\SysWOW64\microsoft\bin\windows.exe | cmdline: C:\windows\SysWOW64\microsoft\bin\windows.exe | PID 1692
            - Executes dropped EXE
- C:\Windows\system32\Dwm.exe | cmdline: "C:\Windows\system32\Dwm.exe" | PID 1364
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
  Filesize: 387KB
  MD5: 2184e73b4a2ecee7a726b2d7f8374946
  SHA1: 8dd0ef00c55f8470ae513b66773a6369539a8dc9
  SHA256: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
  SHA512: 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6
- (path not recorded)
  Filesize: 240KB
  MD5: b2c82cbdb8f096f842da7521b7944713
  SHA1: bc6d73b2a3ab5e88e601dcee7a2dc80fa05ced54
  SHA256: ea6023ee5139e5fcc3682d7a562ae7cbbe58c045f20ec5727fa61a2c4c25f33b
  SHA512: 27589fd68218bf7b5b2eb27d17e9145a79f027665c71ef503d9a6cd0914a8ae75801618fd20101ef01c1ebbb24c2255ef1b6bec9b73f006255da84bc6fe9533a
- (path not recorded)
  Filesize: 387KB
  MD5: 6003bcec2ceef7a6cca4a4e309cbf862
  SHA1: 025eb656406fd10f06346a2171a9468be11b0de4
  SHA256: 2dd53141e4b18919642002a48681fc3906b16a24637b7737aef24392a2bf0a0f
  SHA512: 32fd0ecc406723f8a0a1523bd846b7062e58d3c209c0c6c28b76b644e7f450e05970c4e9928c5f5ebc5cf210238268f1ed3365460e91e7f3cb0382d2336f057f
- (path not recorded)
  Filesize: 387KB
  MD5: 2184e73b4a2ecee7a726b2d7f8374946
  SHA1: 8dd0ef00c55f8470ae513b66773a6369539a8dc9
  SHA256: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
  SHA512: 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6
- \Users\Admin\AppData\Local\Temp\0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc.exe
  Filesize: 387KB
  MD5: 2184e73b4a2ecee7a726b2d7f8374946
  SHA1: 8dd0ef00c55f8470ae513b66773a6369539a8dc9
  SHA256: 0344fb9d8c337685e1edfb2f24a35d649bd52dfd31e65212823da0b1f351bbbc
  SHA512: 15c5dce97fa43344e7d4f53c992d23fa13d107fec0fa3eca5cbdc12902981157d12df5d74ce226afabe787a53565437c728b9c3b18b2f3d828b27d8a1ba0b0b6