Analysis
max time kernel: 169s
max time network: 158s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 18:03
Static task: static1
Behavioral task: behavioral1
Sample: 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Resource: win7-20220812-en
General
Target: 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Size: 503KB
MD5: 71d29fb4a68ef4553d6452388c6e158a
SHA1: 6e23f93e2289211995ff2e028eb7487e8e8738a7
SHA256: 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
SHA512: b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f
SSDEEP: 12288:luqP9L79Hef1kBVvRhQePRPN9qmNuetx:lu0lefEVbHPRPqE/tx
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.ru
Port: 587
Username: [email protected]
Password: bruda00
Signatures

NirSoft WebBrowserPassView (12 IoCs)
Password recovery tool for various web browsers
Processes (resource / yara_rule):
  behavioral1/memory/1784-60-0x0000000000400000-0x000000000046C000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1784-61-0x0000000000400000-0x000000000046C000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1784-62-0x0000000000400000-0x000000000046C000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1784-63-0x00000000004669BE-mapping.dmp                     WebBrowserPassView
  behavioral1/memory/1784-65-0x0000000000400000-0x000000000046C000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1784-67-0x0000000000400000-0x000000000046C000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1560-80-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1560-82-0x0000000000442628-mapping.dmp                     WebBrowserPassView
  behavioral1/memory/1560-87-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1560-89-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1560-91-0x0000000000400000-0x0000000000458000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1640-101-0x00000000004669BE-mapping.dmp                    WebBrowserPassView
Nirsoft (12 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/1784-60-0x0000000000400000-0x000000000046C000-memory.dmp   Nirsoft
  behavioral1/memory/1784-61-0x0000000000400000-0x000000000046C000-memory.dmp   Nirsoft
  behavioral1/memory/1784-62-0x0000000000400000-0x000000000046C000-memory.dmp   Nirsoft
  behavioral1/memory/1784-63-0x00000000004669BE-mapping.dmp                     Nirsoft
  behavioral1/memory/1784-65-0x0000000000400000-0x000000000046C000-memory.dmp   Nirsoft
  behavioral1/memory/1784-67-0x0000000000400000-0x000000000046C000-memory.dmp   Nirsoft
  behavioral1/memory/1560-80-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
  behavioral1/memory/1560-82-0x0000000000442628-mapping.dmp                     Nirsoft
  behavioral1/memory/1560-87-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
  behavioral1/memory/1560-89-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
  behavioral1/memory/1560-91-0x0000000000400000-0x0000000000458000-memory.dmp   Nirsoft
  behavioral1/memory/1640-101-0x00000000004669BE-mapping.dmp                    Nirsoft
Executes dropped EXE (4 IoCs)
Processes (pid / process):
  1936  IpOverUsbSvrc.exe
  1980  atiesrx.exe
  1640  atiesrx.exe
  1212  IpOverUsbSvrc.exe
Loads dropped DLL (3 IoCs)
Processes (pid / process):
  1076  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  1936  IpOverUsbSvrc.exe
  1980  atiesrx.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"  IpOverUsbSvrc.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"  IpOverUsbSvrc.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
  4  whatismyipaddress.com
  6  whatismyipaddress.com
  7  whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process -> target process):
  PID 1076 set thread context of 1784  1076  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe -> 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  PID 1784 set thread context of 1560  1784  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe -> vbc.exe
  PID 1980 set thread context of 1640  1980  atiesrx.exe -> atiesrx.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process, unique entries):
  1076  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  1784  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  1936  IpOverUsbSvrc.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  1076  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  Token: SeDebugPrivilege  1784  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  Token: SeDebugPrivilege  1936  IpOverUsbSvrc.exe
  Token: SeDebugPrivilege  1980  atiesrx.exe
  Token: SeDebugPrivilege  1212  IpOverUsbSvrc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
  1784  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (description / pid / process -> target process, unique entries):
  PID 1076 wrote to memory of 1784  1076  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe -> 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
  PID 1076 wrote to memory of 1936  1076  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe -> IpOverUsbSvrc.exe
  PID 1784 wrote to memory of 1560  1784  0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe -> vbc.exe
  PID 1936 wrote to memory of 1980  1936  IpOverUsbSvrc.exe -> atiesrx.exe
  PID 1980 wrote to memory of 1640  1980  atiesrx.exe -> atiesrx.exe
  PID 1980 wrote to memory of 1212  1980  atiesrx.exe -> IpOverUsbSvrc.exe
Processes (depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe"
          - Executes dropped EXE

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  Filesize: 2B
  MD5:    f3b25701fe362ec84616a93a45ce9998
  SHA1:   d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
  Filesize: 12KB
  MD5:    179a91e54fb0091a20e15ba65027f99e
  SHA1:   169194c4f9930bc55c59a6335a765f010b6100f2
  SHA256: fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468
  SHA512: 987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
  Filesize: 503KB
  MD5:    71d29fb4a68ef4553d6452388c6e158a
  SHA1:   6e23f93e2289211995ff2e028eb7487e8e8738a7
  SHA256: 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
  SHA512: b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f

\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
  Filesize: 12KB
  MD5:    179a91e54fb0091a20e15ba65027f99e
  SHA1:   169194c4f9930bc55c59a6335a765f010b6100f2
  SHA256: fc091f2efb617d1cc4d8702ab14f33cd17015c2fc9786a7a886e2d34e8ac5468
  SHA512: 987e9762d9a9f2a0a0744e3af8a6879f0562ab2a8d54283a83356049f4c7d6b47edcd1cd9dc0749201a195c63dff7e408b54fa05ee733b56633e90eff4530956

\Users\Admin\AppData\Roaming\Microsoft\Windows\atiesrx.exe
  Filesize: 503KB
  MD5:    71d29fb4a68ef4553d6452388c6e158a
  SHA1:   6e23f93e2289211995ff2e028eb7487e8e8738a7
  SHA256: 0089bf4da9e06721fcecba34ad5e29075e5fa07ed4d2df02b166d6434658e35c
  SHA512: b2ad738d1a1537a70142896bc3b8253df83341c9fc16d14e340aa6e45f74fe5567a36babea684c1be2183e3af7b906d02d70bc9fc3d98e33d3dcb39c7d25052f