Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-11-2022 20:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe
  - Resource: win7-20220812-en
General
- Target: 4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe
- Size: 14.0MB
- MD5: 49c40f0da1820f135afa3de1cb7264d2
- SHA1: 64d415cbd339c40de86ab50b5ef2f416fa9b7584
- SHA256: 4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba
- SHA512: 59f263420c3b3a444c241c78ddc1dd48958159654584f5c20c098f4d64761cd0dab3aee822a4e57bb6d9dda01b30218574d45299f68a18e99f8fcac608fac2c6
- SSDEEP: 393216:RnIvC5BvWLlT9QhbChS/PEY6YjoqxBP7dGSX0CzMe7D8lGQq:CvQuLlT9UbCk3d6YMazdGSX0zeccQq
Signatures

Processes:
resource | yara_rule
- behavioral2/memory/3136-172-0x00000000038F0000-0x0000000003A95000-memory.dmp | purplefox_rootkit
- behavioral2/memory/3136-175-0x00000000037B0000-0x00000000038E8000-memory.dmp | purplefox_rootkit
- behavioral2/memory/3136-176-0x00000000038F0000-0x0000000003A95000-memory.dmp | purplefox_rootkit
- behavioral2/memory/3136-177-0x00000000038F0000-0x0000000003A95000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 4 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/3136-172-0x00000000038F0000-0x0000000003A95000-memory.dmp | family_gh0strat
- behavioral2/memory/3136-175-0x00000000037B0000-0x00000000038E8000-memory.dmp | family_gh0strat
- behavioral2/memory/3136-176-0x00000000038F0000-0x0000000003A95000-memory.dmp | family_gh0strat
- behavioral2/memory/3136-177-0x00000000038F0000-0x0000000003A95000-memory.dmp | family_gh0strat
Executes dropped EXE 4 IoCs
Processes:
pid | process
- 4056 | z.exe
- 848 | letsvpn-latest.exe
- 2704 | rksr.exe
- 3136 | rioyeh.exe
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe | upx
- C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe | upx
- behavioral2/memory/2704-154-0x0000000000400000-0x000000000042B000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe
Drops startup file 2 IoCs
Processes:
description | ioc | process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Wobisle_SYSTEM_STARTER.lnk | rksr.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Wobisle_SYSTEM_STARTER.lnk | rksr.exe
Loads dropped DLL 5 IoCs
Processes:
pid | process
- 848 | letsvpn-latest.exe
- 848 | letsvpn-latest.exe
- 3136 | rioyeh.exe
- 3136 | rioyeh.exe
- 3136 | rioyeh.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
- File opened (read-only) | \??\U:, \??\V:, \??\Z:, \??\B:, \??\L:, \??\N:, \??\T:, \??\M:, \??\O:, \??\P:, \??\S:, \??\E:, \??\F:, \??\I:, \??\K:, \??\X:, \??\G:, \??\J:, \??\R:, \??\Y:, \??\H:, \??\Q:, \??\W: (one IoC per drive letter) | rioyeh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rioyeh.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rioyeh.exe
Modifies registry class 51 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
- 1372 | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
- 4056 | z.exe (2 entries)
- 3136 | rioyeh.exe (the remaining 62 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
- Token: 33 | 3136 | rioyeh.exe
- Token: SeIncBasePriorityPrivilege | 3136 | rioyeh.exe
- Token: 33 | 3136 | rioyeh.exe
- Token: SeIncBasePriorityPrivilege | 3136 | rioyeh.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
- 4056 | z.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
- 4056 | z.exe
- 1372 | explorer.exe
- 1372 | explorer.exe
- 3136 | rioyeh.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process
- PID 4988 wrote to memory of 4056 | 4988 | 4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe | z.exe (3 entries)
- PID 4988 wrote to memory of 848 | 4988 | 4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe | letsvpn-latest.exe (3 entries)
- PID 4056 wrote to memory of 3432 | 4056 | z.exe | explorer.exe (2 entries)
- PID 1372 wrote to memory of 2704 | 1372 | explorer.exe | rksr.exe (3 entries)
- PID 1372 wrote to memory of 3136 | 1372 | explorer.exe | rioyeh.exe (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe (PID 4988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\z.exe (PID 4056)
    Command line: "C:\Users\Admin\AppData\Local\Temp\z.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (PID 3432)
      Command line: "C:\Windows\explorer.exe" C:\Users\Public\Music\tpdwht
  - C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe (PID 848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe"
    - Executes dropped EXE
    - Loads dropped DLL
- C:\Windows\explorer.exe (PID 1372)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe (PID 2704)
    Command line: "C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe" C:\Users\Admin\AppData\Roaming\sxkxv\llh.zip -d C:\Users\Admin\AppData\Roaming
    - Executes dropped EXE
    - Drops startup file
  - C:\Users\Public\Pictures\Vrice\uxdipm\rioyeh.exe (PID 3136)
    Command line: "C:\Users\Public\Pictures\Vrice\uxdipm\rioyeh.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Downloads
- C:\ProgramData\SHELL.TXT (1.2MB)
- C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe (12.3MB)
- C:\Users\Admin\AppData\Local\Temp\nsw73AF.tmp\System.dll (11KB)
- C:\Users\Admin\AppData\Local\Temp\nsw73AF.tmp\nsDialogs.dll (9KB)
- C:\Users\Admin\AppData\Local\Temp\z.exe (3.5MB)
- C:\Users\Admin\AppData\Roaming\sxkxv\llh.zip (1KB)
- C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe (40KB)
- C:\Users\Public\Music\tpdwht\bhalol.lnk (1KB)
- C:\Users\Public\Music\tpdwht\cgkifko.url (136B)
- C:\Users\Public\Music\tpdwht\cnnmsoc.url (136B)
- C:\Users\Public\Music\tpdwht\espstn.lnk (1KB)
- C:\Users\Public\Music\tpdwht\fcakdqd.url (136B)
- C:\Users\Public\Music\tpdwht\fgliqi.lnk (1KB)
- C:\Users\Public\Music\tpdwht\gvgrcq.lnk (1KB)
- C:\Users\Public\Music\tpdwht\gvwdqgu.url (136B)
- C:\Users\Public\Music\tpdwht\ksqqiu.lnk (1KB)
- C:\Users\Public\Music\tpdwht\osguhgr.url (136B)
- C:\Users\Public\Music\tpdwht\vsfrqwp.url (136B)
- C:\Users\Public\Music\tpdwht\xmucuo.lnk (1KB)
- C:\Users\Public\Pictures\Vrice\uxdipm\libeay32.dll (1.2MB)
- C:\Users\Public\Pictures\Vrice\uxdipm\rioyeh.exe (340KB)
- C:\Users\Public\Pictures\Vrice\uxdipm\ssleay32.dll (425KB)
- C:\Users\Public\Pictures\Vrice\uxdipm\wc.xml (136KB)
- C:\Users\Public\Pictures\Vrice\uxdipm\zlib1.dll (98KB)