Analysis
-
max time kernel
189s -
max time network
212s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 10:01
Static task
static1
Behavioral task
behavioral1
Sample
010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe
Resource
win10v2004-20221111-en
General
-
Target
010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe
-
Size
484KB
-
MD5
5e14b3f5507e3d056b2db5002ba3dd43
-
SHA1
91733b4f74aa40de0b67b6249fc103663bf055e9
-
SHA256
010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180
-
SHA512
586d9bc00279d8f91ac197038362647368ae0bdb92887e6f718cc402bba7db927f6becfac343de3e73cf12627c65350ebb50c67516bb00c5c252241742f50f72
-
SSDEEP
12288:zoUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:792ILECd0R15XZS3QafpDNUQ
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
docuv.exeLB9c4j3K.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" docuv.exe Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" LB9c4j3K.exe -
Executes dropped EXE 8 IoCs
Processes:
LB9c4j3K.exedocuv.exeaahost.exeaahost.exebshost.exedyhost.execsrss.exeekhost.exepid process 1176 LB9c4j3K.exe 2016 docuv.exe 1092 aahost.exe 1124 aahost.exe 1984 bshost.exe 1508 dyhost.exe 332 csrss.exe 2036 ekhost.exe -
Processes:
resource yara_rule behavioral1/memory/1124-83-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/1124-85-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/1124-86-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/1124-90-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/1124-91-0x0000000000400000-0x000000000040E000-memory.dmp upx behavioral1/memory/1124-92-0x0000000000400000-0x000000000040E000-memory.dmp upx -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 680 cmd.exe -
Loads dropped DLL 14 IoCs
Processes:
010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exeLB9c4j3K.exeekhost.exeDllHost.exepid process 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 1176 LB9c4j3K.exe 1176 LB9c4j3K.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 2036 ekhost.exe 1192 DllHost.exe -
Adds Run key to start application 2 TTPs 49 IoCs
Processes:
docuv.exeLB9c4j3K.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /D" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /t" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /P" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /m" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /X" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /L" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /i" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /N" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /e" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /l" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /k" docuv.exe Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ LB9c4j3K.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /v" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /C" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /A" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /Z" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /y" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /r" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /u" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /G" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /V" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /b" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /x" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /h" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /F" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /o" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /R" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /E" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /S" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /I" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /j" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /O" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /N" LB9c4j3K.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /M" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /J" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /w" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /s" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /q" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /d" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /U" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /W" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /c" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /f" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /B" docuv.exe Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /n" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /K" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /H" docuv.exe Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\docuv = "C:\\Users\\Admin\\docuv.exe /Y" docuv.exe -
Drops desktop.ini file(s) 2 IoCs
Processes:
csrss.exedescription ioc process File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
aahost.exebshost.exedescription pid process target process PID 1092 set thread context of 1124 1092 aahost.exe aahost.exe PID 1984 set thread context of 1600 1984 bshost.exe cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates processes with tasklist 1 TTPs 3 IoCs
Processes:
tasklist.exetasklist.exetasklist.exepid process 432 tasklist.exe 1048 tasklist.exe 1780 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
LB9c4j3K.exeaahost.exebshost.exedocuv.exepid process 1176 LB9c4j3K.exe 1176 LB9c4j3K.exe 1124 aahost.exe 1984 bshost.exe 1984 bshost.exe 1984 bshost.exe 1124 aahost.exe 2016 docuv.exe 2016 docuv.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 2016 docuv.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 2016 docuv.exe 1124 aahost.exe 1124 aahost.exe 1124 aahost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1284 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
tasklist.exebshost.exetasklist.exetasklist.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1780 tasklist.exe Token: SeDebugPrivilege 1984 bshost.exe Token: SeDebugPrivilege 1984 bshost.exe Token: SeDebugPrivilege 432 tasklist.exe Token: SeDebugPrivilege 1048 tasklist.exe Token: SeShutdownPrivilege 1284 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1284 Explorer.EXE 1284 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1284 Explorer.EXE 1284 Explorer.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exeLB9c4j3K.exedocuv.exeaahost.exedyhost.exeekhost.exepid process 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe 1176 LB9c4j3K.exe 2016 docuv.exe 1092 aahost.exe 1508 dyhost.exe 2036 ekhost.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
csrss.exepid process 332 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exeLB9c4j3K.execmd.exeaahost.exebshost.execsrss.execmd.exeekhost.exedescription pid process target process PID 944 wrote to memory of 1176 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe LB9c4j3K.exe PID 944 wrote to memory of 1176 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe LB9c4j3K.exe PID 944 wrote to memory of 1176 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe LB9c4j3K.exe PID 944 wrote to memory of 1176 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe LB9c4j3K.exe PID 1176 wrote to memory of 2016 1176 LB9c4j3K.exe docuv.exe PID 1176 wrote to memory of 2016 1176 LB9c4j3K.exe docuv.exe PID 1176 wrote to memory of 2016 1176 LB9c4j3K.exe docuv.exe PID 1176 wrote to memory of 2016 1176 LB9c4j3K.exe docuv.exe PID 1176 wrote to memory of 1180 1176 LB9c4j3K.exe cmd.exe PID 1176 wrote to memory of 1180 1176 LB9c4j3K.exe cmd.exe PID 1176 wrote to memory of 1180 1176 LB9c4j3K.exe cmd.exe PID 1176 wrote to memory of 1180 1176 LB9c4j3K.exe cmd.exe PID 1180 wrote to memory of 1780 1180 cmd.exe tasklist.exe PID 1180 wrote to memory of 1780 1180 cmd.exe tasklist.exe PID 1180 wrote to memory of 1780 1180 cmd.exe tasklist.exe PID 1180 wrote to memory of 1780 1180 cmd.exe tasklist.exe PID 944 wrote to memory of 1092 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe aahost.exe PID 944 wrote to memory of 1092 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe aahost.exe PID 944 wrote to memory of 1092 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe aahost.exe PID 944 wrote to memory of 1092 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 1092 wrote to memory of 1124 1092 aahost.exe aahost.exe PID 944 wrote to memory of 1984 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe bshost.exe PID 944 wrote to memory of 1984 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe bshost.exe PID 944 wrote to memory of 1984 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe bshost.exe PID 944 wrote to memory of 1984 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe bshost.exe PID 1984 wrote to memory of 1284 1984 bshost.exe Explorer.EXE PID 944 wrote to memory of 1508 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe dyhost.exe PID 944 wrote to memory of 1508 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe dyhost.exe PID 944 wrote to memory of 1508 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe dyhost.exe PID 944 wrote to memory of 1508 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe dyhost.exe PID 1984 wrote to memory of 332 1984 bshost.exe csrss.exe PID 1984 wrote to memory of 1600 1984 bshost.exe cmd.exe PID 1984 wrote to memory of 1600 1984 bshost.exe cmd.exe PID 1984 wrote to memory of 1600 1984 bshost.exe cmd.exe PID 1984 wrote to memory of 1600 1984 bshost.exe cmd.exe PID 1984 wrote to memory of 1600 1984 bshost.exe cmd.exe PID 944 wrote to memory of 2036 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe ekhost.exe PID 944 wrote to memory of 2036 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe ekhost.exe PID 944 wrote to memory of 2036 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe ekhost.exe PID 944 wrote to memory of 2036 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe ekhost.exe PID 332 wrote to memory of 1736 332 csrss.exe DllHost.exe PID 944 wrote to memory of 680 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe cmd.exe PID 944 wrote to memory of 680 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe cmd.exe PID 944 wrote to memory of 680 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe cmd.exe PID 944 wrote to memory of 680 944 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe cmd.exe PID 680 wrote to memory of 432 680 cmd.exe tasklist.exe PID 680 wrote to memory of 432 680 cmd.exe tasklist.exe PID 680 wrote to memory of 432 680 cmd.exe tasklist.exe PID 680 wrote to memory of 432 680 cmd.exe tasklist.exe PID 332 wrote to memory of 1692 332 csrss.exe wmiprvse.exe PID 332 wrote to memory of 1692 332 csrss.exe wmiprvse.exe PID 332 wrote to memory of 1192 332 csrss.exe DllHost.exe PID 2036 wrote to memory of 1744 2036 ekhost.exe cmd.exe PID 2036 wrote to memory of 1744 2036 ekhost.exe cmd.exe PID 2036 wrote to memory of 1744 2036 ekhost.exe cmd.exe PID 2036 wrote to memory of 1744 2036 ekhost.exe cmd.exe PID 332 wrote to memory of 864 332 csrss.exe svchost.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe"C:\Users\Admin\AppData\Local\Temp\010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Users\Admin\LB9c4j3K.exeC:\Users\Admin\LB9c4j3K.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Users\Admin\docuv.exe"C:\Users\Admin\docuv.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2016 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Users\Admin\aahost.exeC:\Users\Admin\aahost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Users\Admin\aahost.exe"C:\Users\Admin\aahost.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1124 -
C:\Users\Admin\bshost.exeC:\Users\Admin\bshost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵PID:1600
-
C:\Users\Admin\dyhost.exeC:\Users\Admin\dyhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1508 -
C:\Users\Admin\ekhost.exeC:\Users\Admin\ekhost.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe4⤵PID:1744
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1048 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del 010ab25cc50fd20c42e81f0e9f008c033cce51553634e3b00bcf5be183008180.exe3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:864
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1736
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:1692
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Loads dropped DLL
PID:1192
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD5fa0eb2a8b561ea9afc6a51709ff0d7de
SHA14ef5265f5b5bb1a4857e7668f132405c799da155
SHA25699ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f
SHA5120e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6
-
Filesize
212KB
MD5fa0eb2a8b561ea9afc6a51709ff0d7de
SHA14ef5265f5b5bb1a4857e7668f132405c799da155
SHA25699ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f
SHA5120e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6
-
Filesize
140KB
MD593ea44e078cb0477614729636866a84b
SHA1f9752413d48fd98a77cfce8fff04a7a0d72c26d8
SHA256c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27
SHA512351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113
-
Filesize
140KB
MD593ea44e078cb0477614729636866a84b
SHA1f9752413d48fd98a77cfce8fff04a7a0d72c26d8
SHA256c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27
SHA512351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113
-
Filesize
140KB
MD593ea44e078cb0477614729636866a84b
SHA1f9752413d48fd98a77cfce8fff04a7a0d72c26d8
SHA256c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27
SHA512351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113
-
Filesize
260KB
MD5bbc0a2fe1284778896b57ffc5701aefa
SHA16b9a0106b82c63265936ce728a858d258c8f6b14
SHA25692fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0
SHA5128a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930
-
Filesize
260KB
MD5bbc0a2fe1284778896b57ffc5701aefa
SHA16b9a0106b82c63265936ce728a858d258c8f6b14
SHA25692fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0
SHA5128a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930
-
Filesize
212KB
MD54bb0e1988a3d76e381cc75dcf4013f2d
SHA11c259c512ef017e1984dfc68d700780680579c13
SHA2568e7b0d6ca407fc9eb9361f8d3d2780646b8a759430831763a044512321c34dfe
SHA51252d2db534210327c9ba1041b9e2f0e3e7a023e0dc84c55887d904d90bfd013aa28473b01f8f99f991206cea14b860f7729437e929477c7ad8f3a2b1ffafcc53a
-
Filesize
212KB
MD54bb0e1988a3d76e381cc75dcf4013f2d
SHA11c259c512ef017e1984dfc68d700780680579c13
SHA2568e7b0d6ca407fc9eb9361f8d3d2780646b8a759430831763a044512321c34dfe
SHA51252d2db534210327c9ba1041b9e2f0e3e7a023e0dc84c55887d904d90bfd013aa28473b01f8f99f991206cea14b860f7729437e929477c7ad8f3a2b1ffafcc53a
-
Filesize
48KB
MD5d46eb4bf816ed9978636de7955245323
SHA1c474df60a83302e0d010d11dcebd7cdb3cc22866
SHA2562ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd
SHA512e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef
-
Filesize
24KB
MD59fe0e5252dc24fc1788b0d8b26026807
SHA121e3063a0fac1157b9707861048c5f7fbd070ceb
SHA2569c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40
SHA512613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c
-
Filesize
53KB
MD54d7cde615a0f534bd5e359951829554b
SHA1c885d00d9000f2a5dbc78f6193a052b36f4fe968
SHA256414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a
SHA51233d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4
-
Filesize
2KB
MD54622c8529e4838f988561a124eb31885
SHA1bfc5f6a67296b91c9b774b884913a40f7868adb3
SHA2566d06fe5ef35d4557d26a1d7da61c2286c214d84f9d52b0969266b03171486825
SHA51253c1517bfb4cd03bbb3d115191d0b88f04309dad825790f3437fb178ad0ec4cf318a02cc671d397a9ae4dfd61450bb5d2dae80bc8ff8e3ef9224bfa2a8014343
-
Filesize
212KB
MD5fa0eb2a8b561ea9afc6a51709ff0d7de
SHA14ef5265f5b5bb1a4857e7668f132405c799da155
SHA25699ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f
SHA5120e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6
-
Filesize
212KB
MD5fa0eb2a8b561ea9afc6a51709ff0d7de
SHA14ef5265f5b5bb1a4857e7668f132405c799da155
SHA25699ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f
SHA5120e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6
-
Filesize
140KB
MD593ea44e078cb0477614729636866a84b
SHA1f9752413d48fd98a77cfce8fff04a7a0d72c26d8
SHA256c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27
SHA512351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113
-
Filesize
140KB
MD593ea44e078cb0477614729636866a84b
SHA1f9752413d48fd98a77cfce8fff04a7a0d72c26d8
SHA256c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27
SHA512351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113
-
Filesize
260KB
MD5bbc0a2fe1284778896b57ffc5701aefa
SHA16b9a0106b82c63265936ce728a858d258c8f6b14
SHA25692fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0
SHA5128a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930
-
Filesize
260KB
MD5bbc0a2fe1284778896b57ffc5701aefa
SHA16b9a0106b82c63265936ce728a858d258c8f6b14
SHA25692fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0
SHA5128a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930
-
Filesize
212KB
MD54bb0e1988a3d76e381cc75dcf4013f2d
SHA11c259c512ef017e1984dfc68d700780680579c13
SHA2568e7b0d6ca407fc9eb9361f8d3d2780646b8a759430831763a044512321c34dfe
SHA51252d2db534210327c9ba1041b9e2f0e3e7a023e0dc84c55887d904d90bfd013aa28473b01f8f99f991206cea14b860f7729437e929477c7ad8f3a2b1ffafcc53a
-
Filesize
212KB
MD54bb0e1988a3d76e381cc75dcf4013f2d
SHA11c259c512ef017e1984dfc68d700780680579c13
SHA2568e7b0d6ca407fc9eb9361f8d3d2780646b8a759430831763a044512321c34dfe
SHA51252d2db534210327c9ba1041b9e2f0e3e7a023e0dc84c55887d904d90bfd013aa28473b01f8f99f991206cea14b860f7729437e929477c7ad8f3a2b1ffafcc53a
-
Filesize
48KB
MD5d46eb4bf816ed9978636de7955245323
SHA1c474df60a83302e0d010d11dcebd7cdb3cc22866
SHA2562ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd
SHA512e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef
-
Filesize
48KB
MD5d46eb4bf816ed9978636de7955245323
SHA1c474df60a83302e0d010d11dcebd7cdb3cc22866
SHA2562ae9b936feeade89c9074c379efedd21d15a1cf247207afe5381f437e41ca4bd
SHA512e46a604a96345b1b6800cb22c8c870dfa62dbdd8bd5b6ff43ddce9b080d1af180db498dad23561c0116b4dadbc44617b26840e67bc0afde01439e4c70632d7ef
-
Filesize
24KB
MD59fe0e5252dc24fc1788b0d8b26026807
SHA121e3063a0fac1157b9707861048c5f7fbd070ceb
SHA2569c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40
SHA512613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c
-
Filesize
24KB
MD59fe0e5252dc24fc1788b0d8b26026807
SHA121e3063a0fac1157b9707861048c5f7fbd070ceb
SHA2569c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40
SHA512613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c
-
Filesize
53KB
MD54d7cde615a0f534bd5e359951829554b
SHA1c885d00d9000f2a5dbc78f6193a052b36f4fe968
SHA256414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a
SHA51233d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4
-
Filesize
4KB
MD5878f9b6da85cb98fcbdf6abd1730a32f
SHA1343007e658ea541f4680b4edf4513e69e1cc18a6
SHA25675b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d
SHA5125425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293
-
Filesize
5KB
MD59d7ec1e355ac35cbe6991721ef5ae3b8
SHA1c35a00bd35c6e4a7516b93947be08ead966347e8
SHA25668a3cec42215323100398a8eb2cbb37da7d58fe0fa9c6312e954e0f50a95ca98
SHA512b7c4be28d8e179974672205a50e72fa1ec9e2e8170b3b8ee763e1751a3397c35afec7a72c88f0a79a8566749b2af1ff054660a96c3a6d6508c545d316a035dc0