f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9

General

Target

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
Size

361KB
MD5

6d60068e31c6367a2b65155e24b6472a
SHA1

81086560b1f535396be1a20837be382832ddd887
SHA256

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9
SHA512

7b61595c8a23dc60bf3e042281f112d0d3f78f42a72e340751c4dac7736700507939431d3b51238766fe3463c493aac653a832ca8425fce802ddf0ea0ee1ba42
SSDEEP

6144:F7O7EkVevSrpVHXZdGCgVcaRU7JkvmzLDQD2Pz5DTAiIqT7OipGrzU4eGg47:cNVvcCgzU9k2LDQDwzhTjXpct247

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

dwm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\Desktop Window Manager\\dwm.exe\""	dwm.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

dwm.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dwm.exe

Executes dropped EXE 2 IoCs

Processes:

dwm.exedwm.exe

pid process

2984 dwm.exe
2492 dwm.exe

pid	process
2984	dwm.exe
2492	dwm.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dwm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "nqij.exe"	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe\Debugger = "nqij.exe"	dwm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\DisableExceptionChainValidation	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe	dwm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe

Drops file in System32 directory 3 IoCs

Processes:

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Desktop Window Manager\	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
File created	C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
File opened for modification	C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exedwm.exe

description	pid	process	target process
PID 1156 set thread context of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 2984 set thread context of 2492	2984	dwm.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dwm.exe

pid	process
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe
2492	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

2492 dwm.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe

pid process

1980 f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe

pid	process
1980	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exedwm.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
Token: SeDebugPrivilege	2984	dwm.exe
Token: SeDebugPrivilege	2492	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dwm.exe

pid process

2492 dwm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exef6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exedwm.exe

description	pid	process	target process
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1156 wrote to memory of 1980	1156	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
PID 1980 wrote to memory of 2984	1980	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	dwm.exe
PID 1980 wrote to memory of 2984	1980	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	dwm.exe
PID 1980 wrote to memory of 2984	1980	f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe
PID 2984 wrote to memory of 2492	2984	dwm.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
"C:\Users\Admin\AppData\Local\Temp\f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe
  "C:\Users\Admin\AppData\Local\Temp\f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe
    "C:\Windows\system32\Desktop Window Manager\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe
      "C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Sets file execution options in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dwm.exe.log

Filesize
319B

MD5
824ba7b7eed8b900a98dd25129c4cd83

SHA1
54478770b2158000ef365591d42977cb854453a1

SHA256
d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

SHA512
ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9.exe.log

Filesize
319B

MD5
824ba7b7eed8b900a98dd25129c4cd83

SHA1
54478770b2158000ef365591d42977cb854453a1

SHA256
d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

SHA512
ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Download Submit
C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe

Filesize
361KB

MD5
6d60068e31c6367a2b65155e24b6472a

SHA1
81086560b1f535396be1a20837be382832ddd887

SHA256
f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9

SHA512
7b61595c8a23dc60bf3e042281f112d0d3f78f42a72e340751c4dac7736700507939431d3b51238766fe3463c493aac653a832ca8425fce802ddf0ea0ee1ba42

Download Submit
C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe

Filesize
361KB

MD5
6d60068e31c6367a2b65155e24b6472a

SHA1
81086560b1f535396be1a20837be382832ddd887

SHA256
f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9

SHA512
7b61595c8a23dc60bf3e042281f112d0d3f78f42a72e340751c4dac7736700507939431d3b51238766fe3463c493aac653a832ca8425fce802ddf0ea0ee1ba42

Download Submit
C:\Windows\SysWOW64\Desktop Window Manager\dwm.exe

Filesize
361KB

MD5
6d60068e31c6367a2b65155e24b6472a

SHA1
81086560b1f535396be1a20837be382832ddd887

SHA256
f6f0eea51380f4970052737e2bb775b0ad47908493b2cec23d8b0e874edb5dc9

SHA512
7b61595c8a23dc60bf3e042281f112d0d3f78f42a72e340751c4dac7736700507939431d3b51238766fe3463c493aac653a832ca8425fce802ddf0ea0ee1ba42

Download Submit
memory/1156-133-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1156-132-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1156-137-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1980-136-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1980-135-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1980-147-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1980-134-0x0000000000000000-mapping.dmp

Download
memory/1980-151-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2492-142-0x0000000000000000-mapping.dmp

Download
memory/2492-148-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2492-149-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2984-141-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/2984-138-0x0000000000000000-mapping.dmp

Download
memory/2984-146-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads