Analysis
max time kernel: 159s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 23-11-2022 17:53

Static task: static1

Behavioral task: behavioral1
Sample: 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe
Resource: win10v2004-20221111-en
General
Target: 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe
Size: 653KB
MD5: 88049ef487b421c89a7c57f7cd030747
SHA1: 31e8a574df10db1650a47fb7f95f69dfa89ec72a
SHA256: 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173
SHA512: 45938d26e9b5778aee4b2e53d44daed85137ebacd536d333bc4c01e7651497ece758b2123df6db9998073ce59c55955ffe72acfb0f75aedb2b0f4b72c5ef5f87
SSDEEP: 12288:V9qry/CuKAUokVqrT+jjJK2B8qCYm4xrlVHs82:+rKeVUT+jjJb8qCGZVHo
Malware Config
Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload 9 IoCs
resource | yara_rule
behavioral2/memory/1156-137-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/1156-139-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/1156-142-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/1156-153-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/1156-160-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/3184-172-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/3184-179-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/3184-188-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral2/memory/4780-194-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
Modifies firewall policy service 2 TTPs 9 IoCs
description | ioc | Process
(all keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\)
Set value (int) | ...\EnableFirewall = "0" | AppLaunch.exe
Set value (int) | ...\DoNotAllowExceptions = "0" | AppLaunch.exe
Set value (int) | ...\DoNotAllowExceptions = "0" | AppLaunch.exe
Set value (int) | ...\DoNotAllowExceptions = "0" | AppLaunch.exe
Set value (int) | ...\DisableNotifications = "1" | AppLaunch.exe
Set value (int) | ...\DisableNotifications = "1" | AppLaunch.exe
Set value (int) | ...\EnableFirewall = "0" | AppLaunch.exe
Set value (int) | ...\DisableNotifications = "1" | AppLaunch.exe
Set value (int) | ...\EnableFirewall = "0" | AppLaunch.exe
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | AppLaunch.exe
Windows security bypass 18 IoCs
description | ioc | Process
(all keys below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\)
Set value (int) | ...\AntiVirusDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\FirewallOverride = "1" | AppLaunch.exe
Set value (int) | ...\UpdatesDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\AntiVirusOverride = "1" | AppLaunch.exe
Set value (int) | ...\AntiVirusDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\FirewallOverride = "1" | AppLaunch.exe
Set value (int) | ...\AntiVirusOverride = "1" | AppLaunch.exe
Set value (int) | ...\UpdatesDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\FirewallOverride = "1" | AppLaunch.exe
Set value (int) | ...\UpdatesDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\UacDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\UacDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\AntiVirusOverride = "1" | AppLaunch.exe
Set value (int) | ...\AntiVirusDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\FirewallDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\UacDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\FirewallDisableNotify = "1" | AppLaunch.exe
Set value (int) | ...\FirewallDisableNotify = "1" | AppLaunch.exe
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/1864-158-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral2/memory/1864-159-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral2/memory/1732-186-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral2/memory/1732-187-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView

Nirsoft 4 IoCs
resource | yara_rule
behavioral2/memory/1864-158-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral2/memory/1864-159-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral2/memory/1732-186-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral2/memory/1732-187-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
UPX-packed memory regions (yara rule upx) 25 IoCs
resource | yara_rule
behavioral2/memory/1156-140-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/4712-145-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/1156-147-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/4712-148-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/4712-149-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/4712-150-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/1156-152-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/1864-155-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/1864-157-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/1864-158-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/1864-159-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/1156-161-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/3184-166-0x0000000002B10000-0x0000000003B9E000-memory.dmp | upx
behavioral2/memory/3184-176-0x0000000002B10000-0x0000000003B9E000-memory.dmp | upx
behavioral2/memory/1628-177-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/3184-180-0x0000000002B10000-0x0000000003B9E000-memory.dmp | upx
behavioral2/memory/1732-185-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/1732-186-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/1732-187-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/3184-189-0x0000000002B10000-0x0000000003B9E000-memory.dmp | upx
behavioral2/memory/4780-195-0x00000000029B0000-0x0000000003A3E000-memory.dmp | upx
behavioral2/memory/3928-201-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/3928-202-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/3928-203-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/4780-204-0x00000000029B0000-0x0000000003A3E000-memory.dmp | upx
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | AppLaunch.exe
Enumerates connected drives 3 TTPs 39 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
(all 39 entries have description "File opened (read-only)" and Process AppLaunch.exe; the ioc column, in the order reported, is:)
\??\V:  \??\Z:  \??\Q:  \??\V:  \??\Z:  \??\N:  \??\Q:  \??\U:  \??\M:  \??\E:
\??\M:  \??\X:  \??\P:  \??\W:  \??\F:  \??\I:  \??\O:  \??\Y:  \??\E:  \??\G:
\??\R:  \??\T:  \??\F:  \??\L:  \??\O:  \??\L:  \??\X:  \??\K:  \??\Y:  \??\K:
\??\G:  \??\W:  \??\P:  \??\S:  \??\U:  \??\J:  \??\H:  \??\N:  \??\H:
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | AppLaunch.exe

Suspicious use of SetThreadContext 7 IoCs
description | pid | Process | procid_target
PID 736 set thread context of 1156 | 736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 91
PID 1156 set thread context of 4712 | 1156 | AppLaunch.exe | 92
PID 1156 set thread context of 1864 | 1156 | AppLaunch.exe | 95
PID 736 set thread context of 3184 | 736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 97
PID 3184 set thread context of 1628 | 3184 | AppLaunch.exe | 98
PID 3184 set thread context of 1732 | 3184 | AppLaunch.exe | 106
PID 736 set thread context of 4780 | 736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 109

Drops file in Program Files directory 8 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | AppLaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | AppLaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | AppLaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | AppLaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | AppLaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | AppLaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | AppLaunch.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | AppLaunch.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process | entries
736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 12
1156 | AppLaunch.exe | 10
3184 | AppLaunch.exe | 10
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | entries
Token: SeDebugPrivilege | 736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 1
Token: SeDebugPrivilege | 1156 | AppLaunch.exe | 63
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1156 | AppLaunch.exe
3184 | AppLaunch.exe
4780 | AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 736 wrote to memory of 3864 | 736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 87 | 3
PID 736 wrote to memory of 2484 | 736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 89 | 3
PID 736 wrote to memory of 1156 | 736 | 1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | 91 | 7
PID 1156 wrote to memory of 4712 | 1156 | AppLaunch.exe | 92 | 8
PID 1156 wrote to memory of 792 | 1156 | AppLaunch.exe | 8 | 3
PID 1156 wrote to memory of 800 | 1156 | AppLaunch.exe | 13 | 3
PID 1156 wrote to memory of 1016 | 1156 | AppLaunch.exe | 9 | 3
PID 1156 wrote to memory of 2708 | 1156 | AppLaunch.exe | 19 | 3
PID 1156 wrote to memory of 2816 | 1156 | AppLaunch.exe | 51 | 3
PID 1156 wrote to memory of 2864 | 1156 | AppLaunch.exe | 50 | 2
PID 1156 wrote to memory of 764 | 1156 | AppLaunch.exe | 48 | 2
PID 1156 wrote to memory of 2892 | 1156 | AppLaunch.exe | 47 | 2
PID 1156 wrote to memory of 3256 | 1156 | AppLaunch.exe | 46 | 2
PID 1156 wrote to memory of 3344 | 1156 | AppLaunch.exe | 45 | 2
PID 1156 wrote to memory of 3412 | 1156 | AppLaunch.exe | 20 | 2
PID 1156 wrote to memory of 3488 | 1156 | AppLaunch.exe | 44 | 2
PID 1156 wrote to memory of 3652 | 1156 | AppLaunch.exe | 43 | 2
PID 1156 wrote to memory of 4628 | 1156 | AppLaunch.exe | 40 | 2
PID 1156 wrote to memory of 4104 | 1156 | AppLaunch.exe | 23 | 2
PID 1156 wrote to memory of 736 | 1156 | AppLaunch.exe | 83 | 2
PID 1156 wrote to memory of 1216 | 1156 | AppLaunch.exe | 84 | 2
PID 1156 wrote to memory of 3864 | 1156 | AppLaunch.exe | 87 | 2
PID 1156 wrote to memory of 3688 | 1156 | AppLaunch.exe | 88 | 2
Processes
(image path | command line | PID; indentation shows parent/child depth, and signatures triggered by a process are listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1016
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:800
C:\Windows\system32\sihost.exe | sihost.exe | PID:2708
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3412
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:4104
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4628
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3652
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3488
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3344
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3256
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:2892
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:764
  C:\Users\Admin\AppData\Local\Temp\1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe | "C:\Users\Admin\AppData\Local\Temp\1278d28900aa2365dee77d6e421c76175c653b624e48521ace51c7b6af3c4173.exe" | PID:736
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\CMD.exe | "CMD" | PID:3864
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3688
    C:\Windows\SysWOW64\CMD.exe | "CMD" | PID:2484
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe" | PID:1156
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Enumerates connected drives
      - Drops autorun.inf file
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\odcg48XwTe.ini" | PID:4712
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\6VMZm1TVMP.ini" | PID:1864
        - Accesses Microsoft Outlook accounts
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe" | PID:3184
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Enumerates connected drives
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\5H9atAvHxh.ini" | PID:1628
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\P0XynO0pZD.ini" | PID:1732
        - Accesses Microsoft Outlook accounts
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe" | PID:4780
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Suspicious use of SetWindowsHookEx
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\wjiDArEAyg.ini" | PID:3928
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2864
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2816
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1216
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1248
C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID:4152
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:432
C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID:908
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5B
MD5: d1ea279fb5559c020a1b4137dc4de237
SHA1: db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256: fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512: 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Filesize: 5B
MD5: d1ea279fb5559c020a1b4137dc4de237
SHA1: db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256: fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512: 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Filesize: 256B
MD5: 938435767fa934f6939b66b7303b7583
SHA1: 70794f1fdd4b7264bbc4d85eb91825400b1d97b0
SHA256: d2273420eb38c5f24e0b8e473e8e408999ad6196210da4906b4d87b2a60acec7
SHA512: 1b927acce735c6eb69a5ebe480d7e92d6ac55d05bbb6c3f4260bc03fe92ec404ae1de9c63214e54c466e5cb99a0505ab45af05c54473a05fb19d1b1f78770eec

Filesize: 100KB
MD5: 82df59b4d44e651c65e6fcf7e9e228bc
SHA1: ef09a0df488d49e338db95854c0d70fcf6327254
SHA256: 1e4228fd92f807974d5ae80c5218c7d0f57b1052e751bfeeca2f30e47920ba44
SHA512: 0950338d616842e0a370edc7b2522d65f9d83e5112acf99a4cca6684f14eb3d5d651087a9d24cc5c93ca1abdcb014d3f16d4ab1c4f0f83fee68c7b43400dd2d5