Analysis
max time kernel: 179s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 23/11/2022, 18:01
Static task: static1
Behavioral task: behavioral1
Sample: 564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Resource: win7-20221111-en
General
Target: 564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Size: 251KB
MD5: 1e126fc925e453598f8950c2557eaac1
SHA1: 628d4abc428351161c47215e412c53983ada43ee
SHA256: 564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3
SHA512: 64938c787fd919fae9c75a91bbf4326ff55293bcb714510474454ce5c1b821288d577bcc71a23dd7c9f3de275ed68aaccc14856442aee405ece852aff6005937
SSDEEP: 3072:Mh9j5BuFkx07jzjq8fX11IYKVB6JKKVOw+8H+dYeeF30x+gnL3RuWac1:k9jr0DjuZCSYeeqrzR8q
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid   Process
324   mscorsvw.exe
580   mscorsvw.exe
1304  OSE.EXE
Drops file in System32 directory (25 IoCs)
description  ioc  Process
File opened for modification  \??\c:\windows\SysWOW64\alg.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File created  \??\c:\windows\SysWOW64\msiexec.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\syswow64\perfhost.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\alg.exe  OSE.EXE
File created  \??\c:\windows\SysWOW64\svchost.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe  OSE.EXE
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File created  \??\c:\windows\SysWOW64\dllhost.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe  OSE.EXE
File created  \??\c:\windows\SysWOW64\searchindexer.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\locator.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\vds.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe  OSE.EXE
Drops file in Program Files directory (11 IoCs)
description  ioc  Process
File opened for modification  \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File created  \??\c:\program files (x86)\microsoft office\office14\groove.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File created  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe  OSE.EXE
File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe  OSE.EXE
File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\program files (x86)\microsoft office\office14\groove.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Drops file in Windows directory (25 IoCs)
description  ioc  Process
File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\ehome\ehrecvr.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File created  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File created  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat  mscorsvw.exe
File created  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2190855E-238E-4E9B-88A7-1F368F299C29}.crmlog  dllhost.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe  OSE.EXE
File opened for modification  \??\c:\windows\ehome\ehsched.exe  OSE.EXE
File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock  mscorsvw.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log  mscorsvw.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2190855E-238E-4E9B-88A7-1F368F299C29}.crmlog  dllhost.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe  OSE.EXE
File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\ehome\ehrecvr.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
File opened for modification  \??\c:\windows\ehome\ehsched.exe  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description  pid  Process
Token: SeTakeOwnershipPrivilege  1284  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Token: SeRestorePrivilege  1324  msiexec.exe
Token: SeTakeOwnershipPrivilege  1324  msiexec.exe
Token: SeSecurityPrivilege  1324  msiexec.exe
Token: SeTakeOwnershipPrivilege  1304  OSE.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
1284  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Suspicious use of SendNotifyMessage (1 IoC)
pid   Process
1284  564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Processes

Image: C:\Users\Admin\AppData\Local\Temp\564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\564db1192a4056da01358b1e58d9058df09bf49d070326794cd934cbe519a8c3.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1284

Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 324

Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
PID: 580

Image: C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Drops file in Windows directory
PID: 544

Image: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID: 1324

Image: C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID: 1304
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 304KB
MD5: a926807e5985dd102429a2f8127b220a
SHA1: 78a3225ebb62c2c516d2e2bc371e8e43d60ea1d6
SHA256: 3dc96433383eb403d8047839d0ff887b4933a52a2f0beed276e00a7984ab04ce
SHA512: 06280563a8a8515fffc7d721cb14fec5d9429fb695dbb180898feeb7b885357c9a7cfe5e6c53afc39828fafc7830044ddd6eb71b16a5df93fa55f9d9e0ee87b5

Filesize: 223KB
MD5: 6dfe51837db11bbc7c56fc918d6534ff
SHA1: dcc5a35480b2c59100e432c41fd8851b110738d6
SHA256: dc16099e50f3bbf6ea7e6f0e0e2c400cb6a5660e41f4b165f0e429700b47dd17
SHA512: ad8b3941e22552d6ad64722a932de53a8a0c018e14c728059d99091614b689abcc4ce88e47913fe824498b1829a6d65f226bd2b376af07d42d88f41e22249744

Filesize: 223KB
MD5: 6dfe51837db11bbc7c56fc918d6534ff
SHA1: dcc5a35480b2c59100e432c41fd8851b110738d6
SHA256: dc16099e50f3bbf6ea7e6f0e0e2c400cb6a5660e41f4b165f0e429700b47dd17
SHA512: ad8b3941e22552d6ad64722a932de53a8a0c018e14c728059d99091614b689abcc4ce88e47913fe824498b1829a6d65f226bd2b376af07d42d88f41e22249744

Filesize: 254KB
MD5: 1f1dd8e9b277b1f77560f8b56ca834ac
SHA1: e1945ee90c885770ddf715fdad794854a73ebf1f
SHA256: dbeac31ecf703a42f7102bead3a95dd65687cf57f18d49ef56f1a018255ad157
SHA512: dcadef1a3bc5f6df4b0a265deccbc51f968f01949e458c3abb914740bc4b90605470779cc259dca1819a833608d630cfcdfb801fcc31e0fde025f80cdff95de4

Filesize: 184KB
MD5: 1e835b0c902d570d1f391cf0a4004aad
SHA1: f5c5413e2b5e82dab972afc9b19a3d7e07109f66
SHA256: 358afb6963a1c09239d0ebba86592e4ff14a290979175be0d85742716f258fc5
SHA512: 3bde56063548f4726a7dcac4f1b072fa48630f40e256ac73ecaaf539c2cd58c549730fe4dd0747431a2b683bb7e8b80a5fa18ce481b8f9fa9106768bb53887d0

Filesize: 254KB
MD5: 1f1dd8e9b277b1f77560f8b56ca834ac
SHA1: e1945ee90c885770ddf715fdad794854a73ebf1f
SHA256: dbeac31ecf703a42f7102bead3a95dd65687cf57f18d49ef56f1a018255ad157
SHA512: dcadef1a3bc5f6df4b0a265deccbc51f968f01949e458c3abb914740bc4b90605470779cc259dca1819a833608d630cfcdfb801fcc31e0fde025f80cdff95de4