privateloader | 5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-11-2022 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
Size

6.4MB
MD5

30fd8d41dcf3e7b9ce4aa1ed077efbfe
SHA1

53418ba5aa14bc3c25c33f8f1afd29396fd4f393
SHA256

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1
SHA512

dc1e33d0d8cf187905676713cf4fcbb5b01633bfa138322874c19246de4ab87b18a15753097ee4f217ac81762e3548865a64a6bbcd6d5d2463993b3031087d9a
SSDEEP

196608:OJsj/2yInkh0D+3yavAf5jNnsSov4FVqe:f/2yIkui3yyAISXFVD

Score

10^/10

privateloader tofsee evasion loader persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

852V6IcLNy5Eiam1JIZ1HLaG.exeHYkv7jtzR9j1dj6wEEoBH1NU.exeqwjexerm.exe

pid process

1524 852V6IcLNy5Eiam1JIZ1HLaG.exe
324 HYkv7jtzR9j1dj6wEEoBH1NU.exe
1608 qwjexerm.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

704 netsh.exe

pid	process
1524	852V6IcLNy5Eiam1JIZ1HLaG.exe
324	HYkv7jtzR9j1dj6wEEoBH1NU.exe
1608	qwjexerm.exe

pid	process
704	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\lthhabze\ImagePath = "C:\\Windows\\SysWOW64\\lthhabze\\qwjexerm.exe"	svchost.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/976-55-0x0000000001250000-0x0000000001E93000-memory.dmp	vmprotect
behavioral1/memory/976-58-0x0000000001250000-0x0000000001E93000-memory.dmp	vmprotect
behavioral1/memory/976-59-0x0000000001250000-0x0000000001E93000-memory.dmp	vmprotect
\Users\Admin\Pictures\Minor Policy\lw8iZMu72q42TwtsRQPEy8nW.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

Loads dropped DLL 11 IoCs

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

pid	process
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
5 ipinfo.io

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in System32 directory 5 IoCs

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qwjexerm.exe

description pid process target process

PID 1608 set thread context of 1628 1608 qwjexerm.exe svchost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1580 sc.exe
1184 sc.exe
1396 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1608 set thread context of 1628	1608	qwjexerm.exe	svchost.exe

pid	process
1580	sc.exe
1184	sc.exe
1396	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 9c382b3da11a7a0624edb47d450dd49d084297dce82e72baa49c1dfd947f7d1d2d571aa486cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56810df874a7d39e4a4644490bdb17f23eb915906c8f48d3c74bbc4103d3cfea16f13d4814d730db8f2054991cfdb2470dd906d5d8dc4a0622fd79d410e35ffa35d579fc2223064b9f86400c08abd7923ef955e00fda8e2377c88f2005469a8946c11d9864e7334e0af5d2d109d8d4db20a4a3634fdc48d551de4ad035276a6cb2e569bb47d440dd49d642d4d301b2751dda46d34fe089f571de4ad750c33fbba6c15de9a4c7538faac5115f4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74df05cd94	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

pid	process
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe852V6IcLNy5Eiam1JIZ1HLaG.exeHYkv7jtzR9j1dj6wEEoBH1NU.exeqwjexerm.exe

description	pid	process	target process
PID 976 wrote to memory of 324	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	HYkv7jtzR9j1dj6wEEoBH1NU.exe
PID 976 wrote to memory of 324	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	HYkv7jtzR9j1dj6wEEoBH1NU.exe
PID 976 wrote to memory of 324	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	HYkv7jtzR9j1dj6wEEoBH1NU.exe
PID 976 wrote to memory of 324	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	HYkv7jtzR9j1dj6wEEoBH1NU.exe
PID 976 wrote to memory of 1524	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	852V6IcLNy5Eiam1JIZ1HLaG.exe
PID 976 wrote to memory of 1524	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	852V6IcLNy5Eiam1JIZ1HLaG.exe
PID 976 wrote to memory of 1524	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	852V6IcLNy5Eiam1JIZ1HLaG.exe
PID 976 wrote to memory of 1524	976	5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe	852V6IcLNy5Eiam1JIZ1HLaG.exe
PID 1524 wrote to memory of 800	1524	852V6IcLNy5Eiam1JIZ1HLaG.exe	msiexec.exe
PID 1524 wrote to memory of 800	1524	852V6IcLNy5Eiam1JIZ1HLaG.exe	msiexec.exe
PID 1524 wrote to memory of 800	1524	852V6IcLNy5Eiam1JIZ1HLaG.exe	msiexec.exe
PID 1524 wrote to memory of 800	1524	852V6IcLNy5Eiam1JIZ1HLaG.exe	msiexec.exe
PID 1524 wrote to memory of 800	1524	852V6IcLNy5Eiam1JIZ1HLaG.exe	msiexec.exe
PID 1524 wrote to memory of 800	1524	852V6IcLNy5Eiam1JIZ1HLaG.exe	msiexec.exe
PID 1524 wrote to memory of 800	1524	852V6IcLNy5Eiam1JIZ1HLaG.exe	msiexec.exe
PID 324 wrote to memory of 1996	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1996	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1996	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1996	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1404	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1404	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1404	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1404	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	cmd.exe
PID 324 wrote to memory of 1580	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1580	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1580	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1580	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1184	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1184	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1184	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1184	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1396	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1396	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1396	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 1396	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	sc.exe
PID 324 wrote to memory of 704	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	netsh.exe
PID 324 wrote to memory of 704	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	netsh.exe
PID 324 wrote to memory of 704	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	netsh.exe
PID 324 wrote to memory of 704	324	HYkv7jtzR9j1dj6wEEoBH1NU.exe	netsh.exe
PID 1608 wrote to memory of 1628	1608	qwjexerm.exe	svchost.exe
PID 1608 wrote to memory of 1628	1608	qwjexerm.exe	svchost.exe
PID 1608 wrote to memory of 1628	1608	qwjexerm.exe	svchost.exe
PID 1608 wrote to memory of 1628	1608	qwjexerm.exe	svchost.exe
PID 1608 wrote to memory of 1628	1608	qwjexerm.exe	svchost.exe
PID 1608 wrote to memory of 1628	1608	qwjexerm.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe
"C:\Users\Admin\AppData\Local\Temp\5c088a33041c8e0401b4d0eca1670346a9569b9bf4ce41db72a664954e2395c1.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\Pictures\Minor Policy\852V6IcLNy5Eiam1JIZ1HLaG.exe
"C:\Users\Admin\Pictures\Minor Policy\852V6IcLNy5Eiam1JIZ1HLaG.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /y .\JV5mZK.B
3⤵
PID:800

C:\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe
"C:\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lthhabze\
3⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qwjexerm.exe" C:\Windows\SysWOW64\lthhabze\
3⤵
PID:1404

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create lthhabze binPath= "C:\Windows\SysWOW64\lthhabze\qwjexerm.exe /d\"C:\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:1580

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description lthhabze "wifi internet conection"
3⤵
- Launches sc.exe
PID:1184

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start lthhabze
3⤵
- Launches sc.exe
PID:1396

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:704

C:\Users\Admin\Pictures\Minor Policy\fd5U6ERdmH2o3A926f763l_Z.exe
"C:\Users\Admin\Pictures\Minor Policy\fd5U6ERdmH2o3A926f763l_Z.exe"
2⤵
PID:1620

C:\Users\Admin\Pictures\Minor Policy\lw8iZMu72q42TwtsRQPEy8nW.exe
"C:\Users\Admin\Pictures\Minor Policy\lw8iZMu72q42TwtsRQPEy8nW.exe"
2⤵
PID:2016

C:\Users\Admin\Pictures\Minor Policy\J5X6MTQjThpAScURcmoOR0MY.exe
"C:\Users\Admin\Pictures\Minor Policy\J5X6MTQjThpAScURcmoOR0MY.exe"
2⤵
PID:2044

C:\Users\Admin\Pictures\Minor Policy\nvScBFy335J9UhFvU0vl3Ob6.exe
"C:\Users\Admin\Pictures\Minor Policy\nvScBFy335J9UhFvU0vl3Ob6.exe"
2⤵
PID:1216

C:\Users\Admin\Pictures\Minor Policy\psRH0RTLNuPeMuvVG85mZqCc.exe
"C:\Users\Admin\Pictures\Minor Policy\psRH0RTLNuPeMuvVG85mZqCc.exe"
2⤵
PID:1336

C:\Users\Admin\Pictures\Minor Policy\VcZi49u9l5hi9pgLQHuZV8jL.exe
"C:\Users\Admin\Pictures\Minor Policy\VcZi49u9l5hi9pgLQHuZV8jL.exe"
2⤵
PID:1256

C:\Users\Admin\Pictures\Minor Policy\_x7oWmqzHOvTzdWHEIaz88wn.exe
"C:\Users\Admin\Pictures\Minor Policy\_x7oWmqzHOvTzdWHEIaz88wn.exe"
2⤵
PID:1344

C:\Users\Admin\Pictures\Minor Policy\wiS84JlVrPkLah38t3JCpIqu.exe
"C:\Users\Admin\Pictures\Minor Policy\wiS84JlVrPkLah38t3JCpIqu.exe"
2⤵
PID:900

C:\Windows\SysWOW64\lthhabze\qwjexerm.exe
C:\Windows\SysWOW64\lthhabze\qwjexerm.exe /d"C:\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qwjexerm.exe
Filesize
11.0MB

MD5
0e8b8320fde6b897747493a63f073fd1

SHA1
76d57cea15e7f8030434a0782becab58e3ad5002

SHA256
15fb7085541c3b98ae85d198a6e5de3b5ab0a394ca588388d5111a1bb25d1747

SHA512
e47c56ac1327b5bdcd84bee8001c0ce7b86a334678af5609e15294d63b3b3719916a149a9647b075d0f3d00fc5adc079d70ea7d266957bc1a2055e088036c8de

Download Submit
C:\Users\Admin\Pictures\Minor Policy\852V6IcLNy5Eiam1JIZ1HLaG.exe
Filesize
1.8MB

MD5
b8ba6be68ed100283134a099706867c5

SHA1
6f6c7ed3812eff1488c72679add579a5976ccab0

SHA256
2a2e3bfe05d3b240d13f9fd302b6b00818da4e8bb65fa7fd480606916b807f8e

SHA512
d1e24a7e79fdfbc34fd4e2b29e396ffc3771753c8747493998aee632d982a820cc5e8ff774398981bfb0912c8004cf7eae11a774b65be1dbe0e6b5297668a9e1

Download Submit
C:\Users\Admin\Pictures\Minor Policy\852V6IcLNy5Eiam1JIZ1HLaG.exe
Filesize
1.8MB

MD5
b8ba6be68ed100283134a099706867c5

SHA1
6f6c7ed3812eff1488c72679add579a5976ccab0

SHA256
2a2e3bfe05d3b240d13f9fd302b6b00818da4e8bb65fa7fd480606916b807f8e

SHA512
d1e24a7e79fdfbc34fd4e2b29e396ffc3771753c8747493998aee632d982a820cc5e8ff774398981bfb0912c8004cf7eae11a774b65be1dbe0e6b5297668a9e1

Download Submit
C:\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe
Filesize
232KB

MD5
d440eda2642b825a96ead2584a99df98

SHA1
8b46704cf6c5d0583c81591db5e51b3a7e694c97

SHA256
d849888234af0173d498b70bc2d402af850664776079fb3f28c45a8a126e5099

SHA512
28d09ed39066f48a15a5daac5e2951f11399f7e289adf4560b3b48ca6141a3016708db4e66b91ac6d7abe0919a5fc77db5dd6092fa874c5602693d71f4b2bf25

Download Submit
C:\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe
Filesize
232KB

MD5
d440eda2642b825a96ead2584a99df98

SHA1
8b46704cf6c5d0583c81591db5e51b3a7e694c97

SHA256
d849888234af0173d498b70bc2d402af850664776079fb3f28c45a8a126e5099

SHA512
28d09ed39066f48a15a5daac5e2951f11399f7e289adf4560b3b48ca6141a3016708db4e66b91ac6d7abe0919a5fc77db5dd6092fa874c5602693d71f4b2bf25

Download Submit
C:\Windows\SysWOW64\lthhabze\qwjexerm.exe
Filesize
11.0MB

MD5
0e8b8320fde6b897747493a63f073fd1

SHA1
76d57cea15e7f8030434a0782becab58e3ad5002

SHA256
15fb7085541c3b98ae85d198a6e5de3b5ab0a394ca588388d5111a1bb25d1747

SHA512
e47c56ac1327b5bdcd84bee8001c0ce7b86a334678af5609e15294d63b3b3719916a149a9647b075d0f3d00fc5adc079d70ea7d266957bc1a2055e088036c8de

Download Submit
\Users\Admin\Pictures\Minor Policy\852V6IcLNy5Eiam1JIZ1HLaG.exe
Filesize
1.8MB

MD5
b8ba6be68ed100283134a099706867c5

SHA1
6f6c7ed3812eff1488c72679add579a5976ccab0

SHA256
2a2e3bfe05d3b240d13f9fd302b6b00818da4e8bb65fa7fd480606916b807f8e

SHA512
d1e24a7e79fdfbc34fd4e2b29e396ffc3771753c8747493998aee632d982a820cc5e8ff774398981bfb0912c8004cf7eae11a774b65be1dbe0e6b5297668a9e1

Download Submit
\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe
Filesize
232KB

MD5
d440eda2642b825a96ead2584a99df98

SHA1
8b46704cf6c5d0583c81591db5e51b3a7e694c97

SHA256
d849888234af0173d498b70bc2d402af850664776079fb3f28c45a8a126e5099

SHA512
28d09ed39066f48a15a5daac5e2951f11399f7e289adf4560b3b48ca6141a3016708db4e66b91ac6d7abe0919a5fc77db5dd6092fa874c5602693d71f4b2bf25

Download Submit
\Users\Admin\Pictures\Minor Policy\HYkv7jtzR9j1dj6wEEoBH1NU.exe
Filesize
232KB

MD5
d440eda2642b825a96ead2584a99df98

SHA1
8b46704cf6c5d0583c81591db5e51b3a7e694c97

SHA256
d849888234af0173d498b70bc2d402af850664776079fb3f28c45a8a126e5099

SHA512
28d09ed39066f48a15a5daac5e2951f11399f7e289adf4560b3b48ca6141a3016708db4e66b91ac6d7abe0919a5fc77db5dd6092fa874c5602693d71f4b2bf25

Download Submit
\Users\Admin\Pictures\Minor Policy\J5X6MTQjThpAScURcmoOR0MY.exe
Filesize
270KB

MD5
91c0ecd7a45a9b6d6faf58423d1ff4ee

SHA1
89a3c4c111944bbbe83c2b9f50008879328e230a

SHA256
f12dfd638591c5444499e2325c59698554c7557880d722f8935cf2cdea46d111

SHA512
225452075fdf6a6302c18b9dd9eae818f2b14027d146dad9a4c58bb6c9dfae787c7caf3abaf5c29fe3a24010a81954088c3d9b2bf63a579d6df1841caf0b4dcc

Download Submit
\Users\Admin\Pictures\Minor Policy\VcZi49u9l5hi9pgLQHuZV8jL.exe
Filesize
365KB

MD5
ce79479b60b270264c48818b633d1559

SHA1
7dcf699fa25c99960e36c9487066b4a3a5855a3a

SHA256
5258d88ffd8275a1c16739aa05eeb34dac82c3493f02033cb37f1d2fc985ad1e

SHA512
d3430038c42cb8cf96b48c8548ec9717ef2b8f5e3c5875d7f530cc4d40ce510d0bcabfa751232bad5c62224e09850bd95da26c2e57d65cc2af28694af653e412

Download Submit
\Users\Admin\Pictures\Minor Policy\_x7oWmqzHOvTzdWHEIaz88wn.exe
Filesize
6.1MB

MD5
554c35e7f8372facb81013ed8a1abac7

SHA1
2f913331b0da061cced1ec22923dfcb7701661fa

SHA256
bcb26a341e64f4faf00f57e17955a576b6b41768b29a8d556a4f6d1f52320245

SHA512
dccda647c9b1634e031aba9f8b825d16356307eacc9b96f5d25f746b7a1fa6c82f527876b97d99750328633b01300b27ec24a9ffdaf2978abd4318d7889f8a4d

Download Submit
\Users\Admin\Pictures\Minor Policy\fd5U6ERdmH2o3A926f763l_Z.exe
Filesize
234KB

MD5
cce8615f9e697a298760ab4843b960fd

SHA1
e814ec411a2fb2cfed2a491ecc04f874035e98fa

SHA256
466a20366f2f16813a26bdc6cce70a33d8c14bef069efbe24e0c028c9eb92c10

SHA512
4d7d99d910b0fddcf40f4099260163172eb05fe66fdcfec5935989a3746da2f560e57a92be375f73325caca167d5c8e6a73b52acec1f6812cadd5f044269c11e

Download Submit
\Users\Admin\Pictures\Minor Policy\lw8iZMu72q42TwtsRQPEy8nW.exe
Filesize
3.5MB

MD5
c9dd331060bfb98acc554bdec8675e64

SHA1
7eff8060c1230bb1207c3452649d27ebc144eb63

SHA256
a43ba866355013dd2afd3c89ad4cd9427b7c209cae3c09c157843688cdf81e18

SHA512
82d72a0e3b40d5c5853844a82d50abc24626b3dea6609877bb5a349cc9d0e1ae54599b6cb623fc37596f30f6bc5f50b14a47e43afd38c351cb25d1f04d20efd8

Download Submit
\Users\Admin\Pictures\Minor Policy\nvScBFy335J9UhFvU0vl3Ob6.exe
Filesize
2.1MB

MD5
a5a0ed639a5a6d8d31825db7f0c23fbc

SHA1
cfd83af729c7893622f62ed3580ed656a8518a3c

SHA256
18646ff39c91ed1a3495e580ae46ec36cef89bd362b645755ca645d238da9b2c

SHA512
029c510ae9ffd80576c34b59a0ae0364b80387c907b82eadd90eed7ef71371ef9e17c5b145851f742c3a7d0339dfa6382b0729c1c097e5da20bc8493abd67f9a

Download Submit
\Users\Admin\Pictures\Minor Policy\psRH0RTLNuPeMuvVG85mZqCc.exe
Filesize
141KB

MD5
13fd3c9cd13274dc2c442e340ba6d42b

SHA1
57f9dd829648ac3c123d3922231b343a27e03166

SHA256
41686ad7861e37227ef1e467c075c844beee3e7c5fbdf9fbad39b9172f4a0c23

SHA512
fc8f2b13f618390d5176afc441f3ba2f1265f7706273507634fdc7c5b125f4f5d5fa2d3d6b41ac04c7c53fe36dda631214982b16836657e3605c8fbbbe69a682

Download Submit
\Users\Admin\Pictures\Minor Policy\wiS84JlVrPkLah38t3JCpIqu.exe
Filesize
4.8MB

MD5
854d5dfe2d5193aa4150765c123df8ad

SHA1
1b21d80c4beb90b03d795cf11145619aeb3a4f37

SHA256
85b73b7b3c9acc6648beb77ce878ebeea26a2a949bf17c3184f2bd4544d12b45

SHA512
48ed604ea966a35cc16631ce5da692bb236badafdb6d3d01ef3a27ab5a9c1ea6a19d6e8209c894ab292614cfbd355c2ca96401fd4dbb9a3abbfd886cddae77cc

Download Submit
memory/324-87-0x00000000002EA000-0x00000000002FF000-memory.dmp

Filesize
84KB

Download
memory/324-104-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/324-85-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/324-63-0x0000000000000000-mapping.dmp

Download
memory/324-79-0x00000000002EA000-0x00000000002FF000-memory.dmp

Filesize
84KB

Download
memory/324-82-0x00000000001B0000-0x00000000001C3000-memory.dmp

Filesize
76KB

Download
memory/324-108-0x00000000002EA000-0x00000000002FF000-memory.dmp

Filesize
84KB

Download
memory/704-94-0x0000000000000000-mapping.dmp

Download
memory/800-83-0x0000000000000000-mapping.dmp

Download
memory/976-59-0x0000000001250000-0x0000000001E93000-memory.dmp

Filesize
12.3MB

Download
memory/976-65-0x00000000033A0000-0x00000000033C7000-memory.dmp

Filesize
156KB

Download
memory/976-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/976-77-0x0000000007500000-0x0000000007DAD000-memory.dmp

Filesize
8.7MB

Download
memory/976-58-0x0000000001250000-0x0000000001E93000-memory.dmp

Filesize
12.3MB

Download
memory/976-55-0x0000000001250000-0x0000000001E93000-memory.dmp

Filesize
12.3MB

Download
memory/1184-89-0x0000000000000000-mapping.dmp

Download
memory/1396-91-0x0000000000000000-mapping.dmp

Download
memory/1404-86-0x0000000000000000-mapping.dmp

Download
memory/1524-64-0x0000000000000000-mapping.dmp

Download
memory/1580-88-0x0000000000000000-mapping.dmp

Download
memory/1608-95-0x00000000002AA000-0x00000000002BF000-memory.dmp

Filesize
84KB

Download
memory/1608-103-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/1608-106-0x00000000002AA000-0x00000000002BF000-memory.dmp

Filesize
84KB

Download
memory/1628-99-0x0000000000089A6B-mapping.dmp

Download
memory/1628-98-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1628-96-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1628-107-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/1996-84-0x0000000000000000-mapping.dmp

Download