3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd

General

Target

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Size

360KB
MD5

3108db8b571e4e9ab936f987687356c6
SHA1

b19d6c7ff9a62f070708c3a2cdece6cf56d4f152
SHA256

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd
SHA512

17bf722f145dc74db3dd6f4127dcf5f94828fda93532b1bc44480aa6941300ee20d24e3323e21a728445a20b9d676f7565f2c08f0488291aed369392ac3d2765
SSDEEP

6144:NllKyqL6eabhTG9myTZeXojfBmHc2pOjThMlqesmOM7Pprl4bbNFqeQTA1cHxL6:NllfbVHceXEQpOjkqbmOM1rlibNzQs1U

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe\""	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Executes dropped EXE 1 IoCs

Processes:

win32.exe

pid process

1448 win32.exe

pid	process
1448	win32.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe\DisableExceptionChainValidation	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "nqij.exe"	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
File created	C:\Windows\assembly\Desktop.ini	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Drops file in System32 directory 3 IoCs

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windows Services\	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
File created	C:\Windows\SysWOW64\Windows Services\win32.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
File opened for modification	C:\Windows\SysWOW64\Windows Services\win32.exe	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Drops file in Windows directory 3 IoCs

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
File created	C:\Windows\assembly\Desktop.ini	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

pid	process
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

pid process

4972 3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

win32.exe3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	pid	process
Token: SeDebugPrivilege	1448	win32.exe
Token: SeDebugPrivilege	4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe

description	pid	process	target process
PID 4972 wrote to memory of 1448	4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe	win32.exe
PID 4972 wrote to memory of 1448	4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe	win32.exe
PID 4972 wrote to memory of 1448	4972	3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe	win32.exe

C:\Users\Admin\AppData\Local\Temp\3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe
"C:\Users\Admin\AppData\Local\Temp\3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\Windows Services\win32.exe
"C:\Windows\system32\Windows Services\win32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windows Services\win32.exe

Filesize
360KB

MD5
3108db8b571e4e9ab936f987687356c6

SHA1
b19d6c7ff9a62f070708c3a2cdece6cf56d4f152

SHA256
3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd

SHA512
17bf722f145dc74db3dd6f4127dcf5f94828fda93532b1bc44480aa6941300ee20d24e3323e21a728445a20b9d676f7565f2c08f0488291aed369392ac3d2765

Download Submit
C:\Windows\SysWOW64\Windows Services\win32.exe

Filesize
360KB

MD5
3108db8b571e4e9ab936f987687356c6

SHA1
b19d6c7ff9a62f070708c3a2cdece6cf56d4f152

SHA256
3149ea07eb8cdb88a0e40b403b924414d079fa80ba3bf99e3c32ed54ac74bfcd

SHA512
17bf722f145dc74db3dd6f4127dcf5f94828fda93532b1bc44480aa6941300ee20d24e3323e21a728445a20b9d676f7565f2c08f0488291aed369392ac3d2765

Download Submit
memory/1448-134-0x0000000000000000-mapping.dmp

Download
memory/1448-137-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/4972-132-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download
memory/4972-133-0x0000000075140000-0x00000000756F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads