8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0

General

Target

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
Size

63KB
MD5

450aa454ed5dca712b998868738d5870
SHA1

a26e9aa0d65ec4c439b37a04d1babb364d882812
SHA256

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0
SHA512

ded6917232bda2956244f6783d765247823f524cf4393d8e0d270cd6db2b97e48683794921ee504092a997533466551f94133daf579cee7cd8bf38521baa35ec
SSDEEP

768:AYNnyAQNuAGXBUdh0Xa3idGnFYRRxCHMr+0Wxepji9VIyZEg37P2wKHe:SNYsR/Fzsr+fqji97O3+

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

pgjwpzwykderu.exepgjwpzwykderu.exe

pid process

4988 pgjwpzwykderu.exe
1352 pgjwpzwykderu.exe

pid	process
4988	pgjwpzwykderu.exe
1352	pgjwpzwykderu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Drops startup file 4 IoCs

Processes:

pgjwpzwykderu.exe8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÌÚÑ¶_QQ.lnk	pgjwpzwykderu.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÌÚÑ¶_QQ.lnk	pgjwpzwykderu.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wfbpekwducny.lnk	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wfbpekwducny.lnk	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Drops file in Program Files directory 64 IoCs

Processes:

pgjwpzwykderu.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	pgjwpzwykderu.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	pgjwpzwykderu.exe

Drops file in Windows directory 64 IoCs

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exepgjwpzwykderu.exe

description	ioc	process
File opened for modification	C:\Windows\Media\Alarm10.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Ring06.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File created	C:\Windows\J8VS9SEQFQ.exe	pgjwpzwykderu.exe
File opened for modification	C:\Windows\Media\Alarm03.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Alarm05.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Logoff Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Print complete.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Proximity Connection.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Recycle.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Shutdown.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File created	C:\Windows\umrguc.exe	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\onestop.mid	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Hardware Fail.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Speech Disambiguation.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Ringin.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Alarm04.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\recycle.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\ringout.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Critical Stop.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Ding.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File created	C:\Windows\J8VS9SEQFQ.lnk	pgjwpzwykderu.exe
File opened for modification	C:\Windows\Media\ding.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Focus4_48000Hz.raw	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Focus3_48000Hz.raw	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Ring09.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Battery Low.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Notify Messaging.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Restore.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Startup.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Alarm09.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\chimes.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Ring08.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Battery Critical.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Logon.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Notify System Generic.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File created	C:\Windows\pgjwpzwykderu.exe	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Focus1_48000Hz.raw	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Hardware Remove.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Notify.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Alarm08.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Ring03.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Ring10.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Speech On.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Default.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Feed Discovered.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Menu Command.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Navigation Start.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Alarm02.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\notify.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Error.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Minimize.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Notify Calendar.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Notify Email.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Ringout.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\MoveNext_48000Hz.raw	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Ring05.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\town.mid	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Pop-up Blocked.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Focus0_48000Hz.raw	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Ring01.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Speech Sleep.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Background.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Hardware Insert.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Information Bar.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exepgjwpzwykderu.exepgjwpzwykderu.exe

pid	process
2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
4988	pgjwpzwykderu.exe
4988	pgjwpzwykderu.exe
1352	pgjwpzwykderu.exe
1352	pgjwpzwykderu.exe
2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	pid	process	target process
PID 2128 wrote to memory of 4988	2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	pgjwpzwykderu.exe
PID 2128 wrote to memory of 4988	2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	pgjwpzwykderu.exe
PID 2128 wrote to memory of 4988	2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	pgjwpzwykderu.exe
PID 2128 wrote to memory of 1352	2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	pgjwpzwykderu.exe
PID 2128 wrote to memory of 1352	2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	pgjwpzwykderu.exe
PID 2128 wrote to memory of 1352	2128	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	pgjwpzwykderu.exe

C:\Users\Admin\AppData\Local\Temp\8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
"C:\Users\Admin\AppData\Local\Temp\8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\pgjwpzwykderu.exe
"C:\Windows\pgjwpzwykderu.exe" rb
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\pgjwpzwykderu.exe
"C:\Windows\pgjwpzwykderu.exe" C:\Users\Admin\AppData\Local\Temp\8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\pgjwpzwykderu.exe

Filesize
24KB

MD5
fcc9923bd3d2c1e6037cffab25f0942c

SHA1
9d033b75b836caf3e290be79eb8ee21557a3fd3d

SHA256
e2194857f3bd554f392875877462a08a65c59575ec83d16237beadf551e27478

SHA512
a2e5162d9e52c9e0f8ec5592b1a10ddd538feed99dd6dc438ff8b4e5e696bd0b8d9a78adb8d25f26dbbc1636916a592d6ae4df9eaa66ee86dcf91a1a9ba55e6e

Download Submit
C:\Windows\pgjwpzwykderu.exe

Filesize
24KB

MD5
fcc9923bd3d2c1e6037cffab25f0942c

SHA1
9d033b75b836caf3e290be79eb8ee21557a3fd3d

SHA256
e2194857f3bd554f392875877462a08a65c59575ec83d16237beadf551e27478

SHA512
a2e5162d9e52c9e0f8ec5592b1a10ddd538feed99dd6dc438ff8b4e5e696bd0b8d9a78adb8d25f26dbbc1636916a592d6ae4df9eaa66ee86dcf91a1a9ba55e6e

Download Submit
C:\Windows\pgjwpzwykderu.exe

Filesize
24KB

MD5
fcc9923bd3d2c1e6037cffab25f0942c

SHA1
9d033b75b836caf3e290be79eb8ee21557a3fd3d

SHA256
e2194857f3bd554f392875877462a08a65c59575ec83d16237beadf551e27478

SHA512
a2e5162d9e52c9e0f8ec5592b1a10ddd538feed99dd6dc438ff8b4e5e696bd0b8d9a78adb8d25f26dbbc1636916a592d6ae4df9eaa66ee86dcf91a1a9ba55e6e

Download Submit
memory/1352-135-0x0000000000000000-mapping.dmp

Download
memory/4988-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads