74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0

Analysis

max time kernel
88s
max time network
90s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
Size

593KB
MD5

04422dc0e98c0b19aaeccdec3641e4df
SHA1

6485a05af676f894ff389a0770516d634b284d9b
SHA256

74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0
SHA512

ca80d8b5b918953d04b74066110ae3154c4bb9d8bf1c0fefffcaf21762da8a5fd328e609898cbbda6579de79be31f45389fef1b4e4ad7da0af500288550220fd
SSDEEP

12288:VuBSP/amCuBJSpc/aaT9/gur79Yq63kfydqAKTE1qH:sA6uBwy/aI/gK79YH0FAgxH

Score

10^/10

bootkit evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	BqjnC0gFVHRul8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	szfuap.exe

Executes dropped EXE 5 IoCs

pid	Process
328	BqjnC0gFVHRul8.exe
1904	win.exe
940	wio.exe
2012	wiq.exe
1648	szfuap.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1788-82-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1788-84-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1788-92-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1788-93-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1788-85-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1788-103-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1488	cmd.exe

Loads dropped DLL 18 IoCs

pid	Process
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe
328	BqjnC0gFVHRul8.exe
328	BqjnC0gFVHRul8.exe
1552	rundll32.exe
1552	rundll32.exe
1552	rundll32.exe
1552	rundll32.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wvoxalaza = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\msavil32.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /p"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /G"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /Y"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /e"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /E"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /r"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /V"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /s"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /z"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /m"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /W"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /x"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /o"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /C"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /L"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /T"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /q"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /l"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /H"	szfuap.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	BqjnC0gFVHRul8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /t"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /F"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /R"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /X"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /h"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /K"	szfuap.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /w"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /u"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /P"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /a"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /Z"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /v"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /A"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /v"	BqjnC0gFVHRul8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /O"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /b"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /U"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /y"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /k"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /d"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /j"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /c"	szfuap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\szfuap = "C:\\Users\\Admin\\szfuap.exe /g"	szfuap.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\physicaldrive0	win.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1788	2012	wiq.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1820	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	svchost.exe
328	BqjnC0gFVHRul8.exe
1788	svchost.exe
1788	svchost.exe
328	BqjnC0gFVHRul8.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1648	szfuap.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1648	szfuap.exe
1648	szfuap.exe
1648	szfuap.exe
1788	svchost.exe
1788	svchost.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeShutdownPrivilege	1904	win.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe
Token: SeRestorePrivilege	1552	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
328	BqjnC0gFVHRul8.exe
2012	wiq.exe
1648	szfuap.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 328	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	27
PID 1504 wrote to memory of 328	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	27
PID 1504 wrote to memory of 328	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	27
PID 1504 wrote to memory of 328	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	27
PID 1504 wrote to memory of 1904	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	28
PID 1504 wrote to memory of 1904	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	28
PID 1504 wrote to memory of 1904	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	28
PID 1504 wrote to memory of 1904	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	28
PID 1504 wrote to memory of 940	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	29
PID 1504 wrote to memory of 940	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	29
PID 1504 wrote to memory of 940	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	29
PID 1504 wrote to memory of 940	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	29
PID 1504 wrote to memory of 2012	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	30
PID 1504 wrote to memory of 2012	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	30
PID 1504 wrote to memory of 2012	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	30
PID 1504 wrote to memory of 2012	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	30
PID 1504 wrote to memory of 1488	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	31
PID 1504 wrote to memory of 1488	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	31
PID 1504 wrote to memory of 1488	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	31
PID 1504 wrote to memory of 1488	1504	74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe	31
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 2012 wrote to memory of 1788	2012	wiq.exe	33
PID 940 wrote to memory of 1344	940	wio.exe	34
PID 940 wrote to memory of 1344	940	wio.exe	34
PID 940 wrote to memory of 1344	940	wio.exe	34
PID 940 wrote to memory of 1344	940	wio.exe	34
PID 940 wrote to memory of 1344	940	wio.exe	34
PID 940 wrote to memory of 1344	940	wio.exe	34
PID 940 wrote to memory of 1344	940	wio.exe	34
PID 328 wrote to memory of 1648	328	BqjnC0gFVHRul8.exe	35
PID 328 wrote to memory of 1648	328	BqjnC0gFVHRul8.exe	35
PID 328 wrote to memory of 1648	328	BqjnC0gFVHRul8.exe	35
PID 328 wrote to memory of 1648	328	BqjnC0gFVHRul8.exe	35
PID 328 wrote to memory of 1496	328	BqjnC0gFVHRul8.exe	36
PID 328 wrote to memory of 1496	328	BqjnC0gFVHRul8.exe	36
PID 328 wrote to memory of 1496	328	BqjnC0gFVHRul8.exe	36
PID 328 wrote to memory of 1496	328	BqjnC0gFVHRul8.exe	36
PID 1496 wrote to memory of 1820	1496	cmd.exe	38
PID 1496 wrote to memory of 1820	1496	cmd.exe	38
PID 1496 wrote to memory of 1820	1496	cmd.exe	38
PID 1496 wrote to memory of 1820	1496	cmd.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38
PID 1648 wrote to memory of 1820	1648	szfuap.exe	38

C:\Users\Admin\AppData\Local\Temp\74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
"C:\Users\Admin\AppData\Local\Temp\74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\BqjnC0gFVHRul8.exe
  BqjnC0gFVHRul8.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\szfuap.exe
    "C:\Users\Admin\szfuap.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del BqjnC0gFVHRul8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1820
- C:\Users\Admin\win.exe
  win.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Users\Admin\wio.exe
  wio.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\msavil32.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1344
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\msavil32.dll",iep
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:1552
- C:\Users\Admin\wiq.exe
  wiq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del 74c6724160885cfe6aa9a9926b3c91214665d5b39aad9af7daae6baba02649f0.exe
  2⤵
  - Deletes itself
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
C:\Users\Admin\BqjnC0gFVHRul8.exe

Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
C:\Users\Admin\BqjnC0gFVHRul8.exe

Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
C:\Users\Admin\szfuap.exe

Filesize
148KB

MD5
4f4c12cf69e1583864f7776b286de806

SHA1
a832af3485b01862d46fc0ab79dae1f0f97902c8

SHA256
757d9aa6ab24a94c858edb637de616b953d9c53210364538f9c4dcd223df2a88

SHA512
7851dc6640d8654208309517243ab9763ccb8c8ea28dad9a6025b9977b5b7b02405d4442e461039919e2c7413cf98a620db9fd3d677e6a5dac705893337c7de3

Download Submit
C:\Users\Admin\szfuap.exe

Filesize
148KB

MD5
4f4c12cf69e1583864f7776b286de806

SHA1
a832af3485b01862d46fc0ab79dae1f0f97902c8

SHA256
757d9aa6ab24a94c858edb637de616b953d9c53210364538f9c4dcd223df2a88

SHA512
7851dc6640d8654208309517243ab9763ccb8c8ea28dad9a6025b9977b5b7b02405d4442e461039919e2c7413cf98a620db9fd3d677e6a5dac705893337c7de3

Download Submit
C:\Users\Admin\win.exe

Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
C:\Users\Admin\win.exe

Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
C:\Users\Admin\wio.exe

Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
C:\Users\Admin\wio.exe

Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
C:\Users\Admin\wiq.exe

Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
C:\Users\Admin\wiq.exe

Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\AppData\Local\msavil32.dll

Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
\Users\Admin\BqjnC0gFVHRul8.exe

Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
\Users\Admin\BqjnC0gFVHRul8.exe

Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
\Users\Admin\szfuap.exe

Filesize
148KB

MD5
4f4c12cf69e1583864f7776b286de806

SHA1
a832af3485b01862d46fc0ab79dae1f0f97902c8

SHA256
757d9aa6ab24a94c858edb637de616b953d9c53210364538f9c4dcd223df2a88

SHA512
7851dc6640d8654208309517243ab9763ccb8c8ea28dad9a6025b9977b5b7b02405d4442e461039919e2c7413cf98a620db9fd3d677e6a5dac705893337c7de3

Download Submit
\Users\Admin\szfuap.exe

Filesize
148KB

MD5
4f4c12cf69e1583864f7776b286de806

SHA1
a832af3485b01862d46fc0ab79dae1f0f97902c8

SHA256
757d9aa6ab24a94c858edb637de616b953d9c53210364538f9c4dcd223df2a88

SHA512
7851dc6640d8654208309517243ab9763ccb8c8ea28dad9a6025b9977b5b7b02405d4442e461039919e2c7413cf98a620db9fd3d677e6a5dac705893337c7de3

Download Submit
\Users\Admin\win.exe

Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
\Users\Admin\win.exe

Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
\Users\Admin\wio.exe

Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
\Users\Admin\wio.exe

Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
\Users\Admin\wiq.exe

Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
\Users\Admin\wiq.exe

Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
memory/328-56-0x0000000000000000-mapping.dmp

Download
memory/940-91-0x0000000001DE1000-0x0000000001DEE000-memory.dmp

Filesize
52KB

Download
memory/940-65-0x0000000000000000-mapping.dmp

Download
memory/940-73-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1344-105-0x00000000022B1000-0x00000000022BE000-memory.dmp

Filesize
52KB

Download
memory/1344-94-0x0000000000000000-mapping.dmp

Download
memory/1344-101-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/1488-79-0x0000000000000000-mapping.dmp

Download
memory/1496-114-0x0000000000000000-mapping.dmp

Download
memory/1552-124-0x00000000022A1000-0x00000000022AE000-memory.dmp

Filesize
52KB

Download
memory/1552-117-0x0000000000000000-mapping.dmp

Download
memory/1648-108-0x0000000000000000-mapping.dmp

Download
memory/1788-92-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1788-103-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1788-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1788-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1788-84-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1788-88-0x000000000040C400-mapping.dmp

Download
memory/1788-93-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1788-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1820-115-0x0000000000000000-mapping.dmp

Download
memory/1904-80-0x00000000002D0000-0x0000000000326000-memory.dmp

Filesize
344KB

Download
memory/1904-104-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1904-66-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1904-87-0x00000000002D0000-0x0000000000326000-memory.dmp

Filesize
344KB

Download
memory/1904-86-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1904-60-0x0000000000000000-mapping.dmp

Download
memory/2012-70-0x0000000000000000-mapping.dmp

Download