e141e9a1a0094095d5e26077311418a01dac429e68d3ff07a734385eb0172bea

Analysis

max time kernel
51s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinSCP-5.21.5-Setup.exe
Size

10.9MB
MD5

20c5329d7fde522338f037a7fe8a84eb
SHA1

c55a60799cfa24c1aeffcd2ca609776722e84f1b
SHA256

e141e9a1a0094095d5e26077311418a01dac429e68d3ff07a734385eb0172bea
SHA512

58813bb051bd66c29e3384dcf7ec7ca91f2e25506f28ca16e9620a7144bea1140d91dddb1131c6befc17e976e4992d0cce1528f90d536fe827ada1be44f7f1a5
SSDEEP

196608:HCImpQVrv0m6lhmBMlvOxwnIBSnCITfLb8MAFGrCaPiqXpAo83jVolDN/+z+:qQRScMlv7YSnC8fLbUGr0UAH3+AK

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

WinSCP-5.21.5-Setup.tmpWinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

pid process

2156 WinSCP-5.21.5-Setup.tmp
4632 WinSCP.exe
4136 WinSCP.exe
3688 WinSCP.exe
2112 WinSCP.exe

pid	process
2156	WinSCP-5.21.5-Setup.tmp
4632	WinSCP.exe
4136	WinSCP.exe
3688	WinSCP.exe
2112	WinSCP.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ = "C:\\Program Files (x86)\\WinSCP\\DragExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WinSCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WinSCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WinSCP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WinSCP.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

560 regsvr32.exe
1732 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
560	regsvr32.exe
1732	regsvr32.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinSCP.exe

description	ioc	process
File opened (read-only)	\??\E:	WinSCP.exe
File opened (read-only)	\??\F:	WinSCP.exe
File opened (read-only)	\??\L:	WinSCP.exe
File opened (read-only)	\??\N:	WinSCP.exe
File opened (read-only)	\??\Y:	WinSCP.exe
File opened (read-only)	\??\H:	WinSCP.exe
File opened (read-only)	\??\M:	WinSCP.exe
File opened (read-only)	\??\Q:	WinSCP.exe
File opened (read-only)	\??\U:	WinSCP.exe
File opened (read-only)	\??\K:	WinSCP.exe
File opened (read-only)	\??\O:	WinSCP.exe
File opened (read-only)	\??\P:	WinSCP.exe
File opened (read-only)	\??\V:	WinSCP.exe
File opened (read-only)	\??\T:	WinSCP.exe
File opened (read-only)	\??\A:	WinSCP.exe
File opened (read-only)	\??\B:	WinSCP.exe
File opened (read-only)	\??\G:	WinSCP.exe
File opened (read-only)	\??\I:	WinSCP.exe
File opened (read-only)	\??\J:	WinSCP.exe
File opened (read-only)	\??\R:	WinSCP.exe
File opened (read-only)	\??\S:	WinSCP.exe
File opened (read-only)	\??\W:	WinSCP.exe
File opened (read-only)	\??\X:	WinSCP.exe
File opened (read-only)	\??\Z:	WinSCP.exe

Drops file in Program Files directory 61 IoCs

Processes:

WinSCP-5.21.5-Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\WinSCP\Translations\is-NCSB0.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-PA3T6.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-0QQNU.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-ER5TU.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-N6MGP.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-1CPIC.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-1FB47.tmp	WinSCP-5.21.5-Setup.tmp
File opened for modification	C:\Program Files (x86)\WinSCP\unins000.dat	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-GTHC8.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-8LCO8.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-D9TP6.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-34G4Q.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-PVIMG.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-F5KUF.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-J4I8E.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-PIM5T.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-66ORB.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-PSQQ6.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-S4OMQ.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-BTN4Q.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-8LO0Q.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-BU3QM.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-SBK0K.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-JAA5C.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-HAR0G.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-U82Q7.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-CUP75.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-E6BIS.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-IVT4O.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-HK3MB.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-8NGEN.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-HIH2B.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-8DV91.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-VR406.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-1HG80.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-AK64F.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\unins000.msg	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-HD4PK.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-785LQ.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-3SGFG.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-Q9IT3.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-TCKRT.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-79HC4.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-COGGR.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-VRKPA.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-C4RF0.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\unins000.dat	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-2B83D.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-035ND.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-JO812.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-HU3HM.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-9K2EQ.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-I56R0.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-6VT69.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-BMENJ.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-S9R60.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-1VIC4.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-515V7.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-B6AF2.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-SDSKM.tmp	WinSCP-5.21.5-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-MDG2E.tmp	WinSCP-5.21.5-Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2648 1212 WerFault.exe

pid	pid_target	process	target process
2648	1212	WerFault.exe

Modifies registry class 64 IoCs

Processes:

WinSCP.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ssh\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\EditFlags = "2"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftps\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\ = "URL: davs Protocol"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ssh\ = "URL: ssh Protocol"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\shell	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\URL Protocol	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-HTTP	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\URL Protocol	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\EditFlags = "2"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sftp	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scp\ = "URL: scp Protocol"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\ = "WinSCP Shell Extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\WinSCPCopyHook\ = "{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-DAVS	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\shell\open\command	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\EditFlags = "2"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\shell	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\ = "URL: winscp-FTPS Protocol"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftps\ = "URL: ftps Protocol"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\DefaultIcon	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\URL Protocol	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ssh\DefaultIcon	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ssh\EditFlags = "2"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\DefaultIcon	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\shell\open	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftps\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ssh	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\shell\open	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\ = "URL: winscp-SCP Protocol"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\EditFlags = "2"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-SFTP	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\ = "URL: dav Protocol"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\ = "URL: winscp-SSH Protocol"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\shell\open\command	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WinSCP.Url	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\DefaultIcon	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\DefaultIcon	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\EditFlags = "2"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPES\shell	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

WinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

pid	process
4632	WinSCP.exe
4632	WinSCP.exe
4136	WinSCP.exe
4136	WinSCP.exe
3688	WinSCP.exe
3688	WinSCP.exe
3688	WinSCP.exe
3688	WinSCP.exe
2112	WinSCP.exe
2112	WinSCP.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WinSCP.exe

pid process

2112 WinSCP.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WinSCP-5.21.5-Setup.tmpWinSCP.exe

pid process

2156 WinSCP-5.21.5-Setup.tmp
2112 WinSCP.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinSCP.exe

pid process

2112 WinSCP.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

pid process

4632 WinSCP.exe
4136 WinSCP.exe
3688 WinSCP.exe
2112 WinSCP.exe
2112 WinSCP.exe
2112 WinSCP.exe
2112 WinSCP.exe

pid	process
2112	WinSCP.exe

pid	process
2156	WinSCP-5.21.5-Setup.tmp
2112	WinSCP.exe

pid	process
2112	WinSCP.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WinSCP-5.21.5-Setup.exeWinSCP-5.21.5-Setup.tmpregsvr32.exe

description	pid	process	target process
PID 3232 wrote to memory of 2156	3232	WinSCP-5.21.5-Setup.exe	WinSCP-5.21.5-Setup.tmp
PID 3232 wrote to memory of 2156	3232	WinSCP-5.21.5-Setup.exe	WinSCP-5.21.5-Setup.tmp
PID 3232 wrote to memory of 2156	3232	WinSCP-5.21.5-Setup.exe	WinSCP-5.21.5-Setup.tmp
PID 2156 wrote to memory of 560	2156	WinSCP-5.21.5-Setup.tmp	regsvr32.exe
PID 2156 wrote to memory of 560	2156	WinSCP-5.21.5-Setup.tmp	regsvr32.exe
PID 2156 wrote to memory of 560	2156	WinSCP-5.21.5-Setup.tmp	regsvr32.exe
PID 560 wrote to memory of 1732	560	regsvr32.exe	regsvr32.exe
PID 560 wrote to memory of 1732	560	regsvr32.exe	regsvr32.exe
PID 2156 wrote to memory of 4632	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 4632	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 4632	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 4136	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 4136	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 4136	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 3688	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 3688	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 3688	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 2112	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 2112	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe
PID 2156 wrote to memory of 2112	2156	WinSCP-5.21.5-Setup.tmp	WinSCP.exe

C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.5-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.5-Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\is-9UI84.tmp\WinSCP-5.21.5-Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9UI84.tmp\WinSCP-5.21.5-Setup.tmp" /SL5="$701C4,10341138,864768,C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.5-Setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1732

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /RegisterForDefaultProtocols
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /ImportSitesIfAny
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /Usage=TypicalInstallation:1,InstallationsUser+,InstallationParentProcess@,InstallationsFirstTypical+,LastInstallationAutomaticUpgrade:0,InstallationsLaunch+,
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3688

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 1212 -ip 1212
1⤵
PID:3740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1212 -s 2464
1⤵
- Program crash
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
80f2947c0cda8c84892dbf7f692b3fd4

SHA1
698c2c2bbdcdb83697871570d7a9ff38acb63021

SHA256
72126bb16fc8e9456fa8145105390b1cb474c6ef0e27ba5b93024651d4f36069

SHA512
50de448e0ed723df810a108c35cf2b81ba04c0d697b38f029d9e77a7a39c398a4bf519bfd5bd23e2b4159f9ad70b80cf99961206f7255939083399b0943bb2ed

Download Submit
C:\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
80f2947c0cda8c84892dbf7f692b3fd4

SHA1
698c2c2bbdcdb83697871570d7a9ff38acb63021

SHA256
72126bb16fc8e9456fa8145105390b1cb474c6ef0e27ba5b93024651d4f36069

SHA512
50de448e0ed723df810a108c35cf2b81ba04c0d697b38f029d9e77a7a39c398a4bf519bfd5bd23e2b4159f9ad70b80cf99961206f7255939083399b0943bb2ed

Download Submit
C:\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
80f2947c0cda8c84892dbf7f692b3fd4

SHA1
698c2c2bbdcdb83697871570d7a9ff38acb63021

SHA256
72126bb16fc8e9456fa8145105390b1cb474c6ef0e27ba5b93024651d4f36069

SHA512
50de448e0ed723df810a108c35cf2b81ba04c0d697b38f029d9e77a7a39c398a4bf519bfd5bd23e2b4159f9ad70b80cf99961206f7255939083399b0943bb2ed

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\ArchiveDownload.WinSCPextension.ps1
Filesize
6KB

MD5
b16082ceeb34da39af1d52adc88be7db

SHA1
b7719fec4c89fe09904ae5fecf96aa364914e57e

SHA256
beee09ea768f58f29f03025984e0ce8fe4f8fd8c9cc454d9fa3869ba679f5356

SHA512
bb6509a92048f4a8219ec91c9b7e75d0453ee026f91e38daab33ff7af8022f690f2e31c6b6767010ae3ae0530c854ed92a458e2c1f42d11905bb1231e32fcdf5

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\BatchRename.WinSCPextension.ps1
Filesize
3KB

MD5
d75a4e965a960b31088645b8156beda3

SHA1
22b3a54999cdd4954d25349a9dab86bea372416d

SHA256
5251f44a90b99c53ec9562f404d4ea3c2af260dd1b8ebbbce32891b6e6462d25

SHA512
519aee18c832c5de13cc051e562f344d50cf7843a5c74cdbadfffd81e422d7fe26bc0d686074375535f41c00c3310592c0f3ad252331b84f3d312366b4f55c1b

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\CompareFiles.WinSCPextension.ps1
Filesize
2KB

MD5
5658e87d86c7e1f4a375e65075c73f27

SHA1
1928b74fa34e139051bf8a8414a45ca84e6dc070

SHA256
71e5fb801d2132f44cda67c65fba980347b891b138a43d2e8ded6a1825a9a510

SHA512
b564a2588727762a34cedb5d0b39df6477da95784bfa1dd4b97f3603c3bff0261e10409c7caad10ca364dfe76e3236c839e61213c230d4e8b4864fdcb1f0a061

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\GenerateHttpUrl.WinSCPextension.ps1
Filesize
3KB

MD5
7b02c62423d08d7c340a530f85261534

SHA1
f57fc70cac8655e1ac75abfcd83d623f83778b89

SHA256
737c824e719e9e5cc43048383f8d7c7717bcb35ba37e07624c855e258d3753cf

SHA512
1cee9e7ac2eea1e47dfa6d8a81b5d6ed0540db83d5280b9a4983f4dd23fba8de79a5833afba413f1bfa0189aae860079a671e18f37716b48b4d1a4f39038f663

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\KeepLocalUpToDate.WinSCPextension.ps1
Filesize
5KB

MD5
6f10dd9ca31373018e319ba80abb5532

SHA1
1325eab389ec9961120e0cd569b37f566a764fe7

SHA256
79c87ff4a8cd2a2613a22f1e0dd4c3708b652e42fc92200b50e6d4adf91e561d

SHA512
8f272cf4de55bd6e3d563ae5c87df035b3684c008bf64152bca1480f411413ff0999dd14dc802fcc72372313d19aff8159ccd4be48528c54963c59deba49c726

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\SearchText.WinSCPextension.ps1
Filesize
3KB

MD5
d26c1a56f63d3682da6e676b606894af

SHA1
e18ed1d358dc0026ecf64f49cc5f7b4c687523c3

SHA256
6b9f82c04625443346c74b907fb96d8319d22bc5a6d946fcc7a7c19c67b0757c

SHA512
dffbba900e510deca45f24af1786a0cd4d5f97b6c6bd6a219bdaf74d773ed42fdbbc9490dcb457063e879d46eba047225ebf40f1110e18195d53de607b4baf07

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\SynchronizeAnotherServer.WinSCPextension.ps1
Filesize
10KB

MD5
680bbba778a319ba57ccc5c5c9f50c03

SHA1
12705a80f1be125f12a5c6e8511deccdba8bbec6

SHA256
e73b3b68425691605d643e53ac729426b52168585d4b06234cfd8d592828b019

SHA512
94983f38ecbc271b5452dee0777d0b669a106a0f8a9f23bfe528412ec0c75f2d249e2fb964f71d21d5bebf0f79952bf4bdc3af18f2678a2dbb32511d1259c84b

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\VerifyFileChecksum.WinSCPextension.ps1
Filesize
2KB

MD5
e4eb33335b663fc23aa03ab6ef80cb8d

SHA1
0db1095d82e27ef352d96a8f36ac022f035ce90d

SHA256
dbdf82b86dd366dcc71edbae46f7008910e2be3f420b79e34159a81df1b39534

SHA512
4f9df209721f293896c59a4db390ca2875d705625a1151f0b1481e37db6537480cf29ea1e8311dcea0643ae8e4f130efcda27d9246f8058b2765ef1b3a98138b

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\ZipUpload.WinSCPextension.ps1
Filesize
5KB

MD5
3963399fcb03e28453f38d93755795a0

SHA1
384abd9957a9ac16805c36a44bc49de9bf757644

SHA256
a62d0af7080942304a27883fb986d3a3f2fa9fcefc73108a1142f968649cc872

SHA512
5944a51ac0bc1e6cb8e041853b2720e2790f6b0f3a69ede16eba499645b62f703fd4145ef7107ef4b64b818bc44349e3af71c0e9d8586693dacde2042c527051

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
098925a3ca282680221cd87ca383f23c

SHA1
8d404eacc0d38d81632b65ccbf4ce79a0d11901e

SHA256
df05a439e9043d4fe57c34d71ccf2bb3f6b89120f61d9bfafe7692df9aa8503b

SHA512
50403d2e5c776cb53e072936b68fb7a1349d108e9110cc590bfc47869cd784368449b0e2f123803594d32921417267e9024129a776d52040e49aa0e21469dfb3

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
098925a3ca282680221cd87ca383f23c

SHA1
8d404eacc0d38d81632b65ccbf4ce79a0d11901e

SHA256
df05a439e9043d4fe57c34d71ccf2bb3f6b89120f61d9bfafe7692df9aa8503b

SHA512
50403d2e5c776cb53e072936b68fb7a1349d108e9110cc590bfc47869cd784368449b0e2f123803594d32921417267e9024129a776d52040e49aa0e21469dfb3

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
098925a3ca282680221cd87ca383f23c

SHA1
8d404eacc0d38d81632b65ccbf4ce79a0d11901e

SHA256
df05a439e9043d4fe57c34d71ccf2bb3f6b89120f61d9bfafe7692df9aa8503b

SHA512
50403d2e5c776cb53e072936b68fb7a1349d108e9110cc590bfc47869cd784368449b0e2f123803594d32921417267e9024129a776d52040e49aa0e21469dfb3

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
098925a3ca282680221cd87ca383f23c

SHA1
8d404eacc0d38d81632b65ccbf4ce79a0d11901e

SHA256
df05a439e9043d4fe57c34d71ccf2bb3f6b89120f61d9bfafe7692df9aa8503b

SHA512
50403d2e5c776cb53e072936b68fb7a1349d108e9110cc590bfc47869cd784368449b0e2f123803594d32921417267e9024129a776d52040e49aa0e21469dfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UI84.tmp\WinSCP-5.21.5-Setup.tmp
Filesize
3.1MB

MD5
5199871088e5624536897ecad757f028

SHA1
b9ae6f0b61bffd4452829d1a62040c3fc4dc2f8c

SHA256
4014533c0d92ed68b93a5b5e4285ebb560e8893a08a99d3437b911448c68d9a2

SHA512
12a15c2f1419b41a63958159aea012ab194143daffcfce4efb096867a055729ddec259d43d98e72d617ea2e4d77885298455d80ff208c9e20161ef11a001c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UI84.tmp\WinSCP-5.21.5-Setup.tmp
Filesize
3.1MB

MD5
5199871088e5624536897ecad757f028

SHA1
b9ae6f0b61bffd4452829d1a62040c3fc4dc2f8c

SHA256
4014533c0d92ed68b93a5b5e4285ebb560e8893a08a99d3437b911448c68d9a2

SHA512
12a15c2f1419b41a63958159aea012ab194143daffcfce4efb096867a055729ddec259d43d98e72d617ea2e4d77885298455d80ff208c9e20161ef11a001c4d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
memory/560-139-0x0000000000000000-mapping.dmp

Download
memory/1732-142-0x0000000000000000-mapping.dmp

Download
memory/2112-166-0x0000000000D20000-0x00000000027A9000-memory.dmp

Filesize
26.5MB

Download
memory/2112-164-0x0000000000000000-mapping.dmp

Download
memory/2156-135-0x0000000000000000-mapping.dmp

Download
memory/3232-137-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3232-134-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3232-167-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3232-132-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3688-162-0x0000000000D20000-0x00000000027A9000-memory.dmp

Filesize
26.5MB

Download
memory/3688-160-0x0000000000000000-mapping.dmp

Download
memory/4136-158-0x0000000000D20000-0x00000000027A9000-memory.dmp

Filesize
26.5MB

Download
memory/4136-156-0x0000000000000000-mapping.dmp

Download
memory/4632-146-0x0000000000D20000-0x00000000027A9000-memory.dmp

Filesize
26.5MB

Download
memory/4632-144-0x0000000000000000-mapping.dmp

Download