bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe
Size

456KB
MD5

0f8ab5e4b161d6c65ce943ada3eccc7c
SHA1

de687a1008332e80b83b84400fbf71127276b91c
SHA256

bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323
SHA512

108e32f33f8fcf6853485026a10270d149549beb371b6271ba635a418ad37a9833f3a0685214e5b2cb9b68d598029258d83e7156bbae6fdd0c4428d19ac0ea0c
SSDEEP

12288:w4ik34n1GxipPy4ZNj2mOb/DNlq41TzXe9Yv:w4ik34n15iN/5lq41Tzuq

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	u8kSVi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	sauciq.exe

Executes dropped EXE 6 IoCs

pid	Process
1792	u8kSVi.exe
4944	alay.exe
4992	sauciq.exe
4984	alay.exe
3296	dlay.exe
4304	flay.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4984-148-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4984-155-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4984-156-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4984-163-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	u8kSVi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /L"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /a"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /y"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /B"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /M"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /R"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /K"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /f"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /i"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /Z"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /N"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /e"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /k"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /s"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /l"	sauciq.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	u8kSVi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /G"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /o"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /H"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /I"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /t"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /n"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /x"	u8kSVi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /v"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /p"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /W"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /Y"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /w"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /E"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /A"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /O"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /h"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /U"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /F"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /D"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /T"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /m"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /V"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /d"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /P"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /g"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /q"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /X"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /C"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /b"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /x"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /c"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /z"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /J"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /Q"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /j"	sauciq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sauciq = "C:\\Users\\Admin\\sauciq.exe /u"	sauciq.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 4984	4944	alay.exe	82
PID 4304 set thread context of 2240	4304	flay.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4004	tasklist.exe
2060	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	u8kSVi.exe
1792	u8kSVi.exe
1792	u8kSVi.exe
1792	u8kSVi.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe
4984	alay.exe
4984	alay.exe
4984	alay.exe
4984	alay.exe
4992	sauciq.exe
4992	sauciq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	tasklist.exe
Token: SeDebugPrivilege	4304	flay.exe
Token: SeDebugPrivilege	4004	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe
1792	u8kSVi.exe
4944	alay.exe
4992	sauciq.exe
3296	dlay.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1792	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	80
PID 2180 wrote to memory of 1792	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	80
PID 2180 wrote to memory of 1792	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	80
PID 2180 wrote to memory of 4944	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	81
PID 2180 wrote to memory of 4944	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	81
PID 2180 wrote to memory of 4944	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	81
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 1792 wrote to memory of 4992	1792	u8kSVi.exe	83
PID 1792 wrote to memory of 4992	1792	u8kSVi.exe	83
PID 1792 wrote to memory of 4992	1792	u8kSVi.exe	83
PID 4944 wrote to memory of 4984	4944	alay.exe	82
PID 1792 wrote to memory of 2460	1792	u8kSVi.exe	84
PID 1792 wrote to memory of 2460	1792	u8kSVi.exe	84
PID 1792 wrote to memory of 2460	1792	u8kSVi.exe	84
PID 2460 wrote to memory of 2060	2460	cmd.exe	86
PID 2460 wrote to memory of 2060	2460	cmd.exe	86
PID 2460 wrote to memory of 2060	2460	cmd.exe	86
PID 2180 wrote to memory of 3296	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	87
PID 2180 wrote to memory of 3296	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	87
PID 2180 wrote to memory of 3296	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	87
PID 2180 wrote to memory of 4304	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	95
PID 2180 wrote to memory of 4304	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	95
PID 2180 wrote to memory of 4304	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	95
PID 4304 wrote to memory of 2240	4304	flay.exe	96
PID 4304 wrote to memory of 2240	4304	flay.exe	96
PID 4304 wrote to memory of 2240	4304	flay.exe	96
PID 4304 wrote to memory of 2240	4304	flay.exe	96
PID 2180 wrote to memory of 1016	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	98
PID 2180 wrote to memory of 1016	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	98
PID 2180 wrote to memory of 1016	2180	bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe	98
PID 1016 wrote to memory of 4004	1016	cmd.exe	100
PID 1016 wrote to memory of 4004	1016	cmd.exe	100
PID 1016 wrote to memory of 4004	1016	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe
"C:\Users\Admin\AppData\Local\Temp\bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\u8kSVi.exe
  C:\Users\Admin\u8kSVi.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\sauciq.exe
    "C:\Users\Admin\sauciq.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del u8kSVi.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2060
- C:\Users\Admin\alay.exe
  C:\Users\Admin\alay.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\alay.exe
    "C:\Users\Admin\alay.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4984
- C:\Users\Admin\dlay.exe
  C:\Users\Admin\dlay.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3296
- C:\Users\Admin\flay.exe
  C:\Users\Admin\flay.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del bf609de1c1753cad204a52d81a9a9e8197cf8d241d46df12342877ae73e4c323.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\alay.exe

Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
C:\Users\Admin\alay.exe

Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
C:\Users\Admin\alay.exe

Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
C:\Users\Admin\dlay.exe

Filesize
36KB

MD5
ca22de79e6c6c38eb6dfef7fe1660b05

SHA1
859243fbafb70d5631e96cf88fc3a4c917cecfca

SHA256
8eff51c017894840eec5141933794e35a13de7baf085e20e697106bc4b2467b4

SHA512
b136c8748cb46dabf6229477c3bd9b217562a7748c57c87f69c2874bd81e72cdda23ba7692602b7bc972e96716693af7ba0b33a9faf8ea25f4060a4c2dfff678

Download Submit
C:\Users\Admin\dlay.exe

Filesize
36KB

MD5
ca22de79e6c6c38eb6dfef7fe1660b05

SHA1
859243fbafb70d5631e96cf88fc3a4c917cecfca

SHA256
8eff51c017894840eec5141933794e35a13de7baf085e20e697106bc4b2467b4

SHA512
b136c8748cb46dabf6229477c3bd9b217562a7748c57c87f69c2874bd81e72cdda23ba7692602b7bc972e96716693af7ba0b33a9faf8ea25f4060a4c2dfff678

Download Submit
C:\Users\Admin\flay.exe

Filesize
264KB

MD5
9b3122a0ed7ec1eb344be414036da288

SHA1
cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

SHA256
ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

SHA512
f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

Download Submit
C:\Users\Admin\flay.exe

Filesize
264KB

MD5
9b3122a0ed7ec1eb344be414036da288

SHA1
cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

SHA256
ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

SHA512
f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

Download Submit
C:\Users\Admin\sauciq.exe

Filesize
248KB

MD5
766018dc0694c5cbbfe21316783e9bb6

SHA1
d473da7b290f6153aaa4f209b5f894890f72c299

SHA256
9a106a0d55f8affd500814cb7de696549f4ff177ff4480fd6243513c54f05c63

SHA512
e2e6b124c38122c973619d850d101398add0df9e228c3e80c89bd795db5d0369b3c3c6be68feb79c9e3ffb06b5ad0a9f3c08f43e1cd9e083a3e882bc250c7864

Download Submit
C:\Users\Admin\sauciq.exe

Filesize
248KB

MD5
766018dc0694c5cbbfe21316783e9bb6

SHA1
d473da7b290f6153aaa4f209b5f894890f72c299

SHA256
9a106a0d55f8affd500814cb7de696549f4ff177ff4480fd6243513c54f05c63

SHA512
e2e6b124c38122c973619d850d101398add0df9e228c3e80c89bd795db5d0369b3c3c6be68feb79c9e3ffb06b5ad0a9f3c08f43e1cd9e083a3e882bc250c7864

Download Submit
C:\Users\Admin\u8kSVi.exe

Filesize
248KB

MD5
76a6dee598367ca2ce4e90457622eb62

SHA1
067b85364f34f26292739ea3c04706335c7a9ee4

SHA256
2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

SHA512
8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

Download Submit
C:\Users\Admin\u8kSVi.exe

Filesize
248KB

MD5
76a6dee598367ca2ce4e90457622eb62

SHA1
067b85364f34f26292739ea3c04706335c7a9ee4

SHA256
2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

SHA512
8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

Download Submit
memory/4304-167-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4304-172-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4304-173-0x0000000002850000-0x00000000028B6000-memory.dmp

Filesize
408KB

Download
memory/4304-170-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4304-169-0x0000000002850000-0x00000000028B6000-memory.dmp

Filesize
408KB

Download
memory/4304-168-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4984-156-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4984-163-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4984-148-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4984-155-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download