3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

General

Target

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Size

619KB
MD5

055e822885e9b0971b4e87b0ebfa4ab6
SHA1

c23f1fe682b87478bd3e327dd499960adf412aef
SHA256

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86
SHA512

85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe
SSDEEP

12288:YkA5CuXTZVMUX8+fdS+D3niMcH+GjXyNrZWsg:Y15CuDZVMethD3i9HVXU9g

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

IpOverUsbSvrc.exeAcctres.exeAcctres.exeIpOverUsbSvrc.exe

pid process

5032 IpOverUsbSvrc.exe
2688 Acctres.exe
2100 Acctres.exe
3812 IpOverUsbSvrc.exe

pid	process
5032	IpOverUsbSvrc.exe
2688	Acctres.exe
2100	Acctres.exe
3812	IpOverUsbSvrc.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeAcctres.exeAcctres.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Acctres.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Acctres.exe

Drops startup file 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 bot.whatismyipaddress.com
33 bot.whatismyipaddress.com

flow	ioc
19	bot.whatismyipaddress.com
33	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeAcctres.exe

description	pid	process	target process
PID 4328 set thread context of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 2688 set thread context of 2100	2688	Acctres.exe	Acctres.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe

pid	process
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exedw20.exeIpOverUsbSvrc.exeAcctres.exeAcctres.exedw20.exeIpOverUsbSvrc.exe

description	pid	process
Token: SeDebugPrivilege	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Token: SeDebugPrivilege	3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
Token: SeRestorePrivilege	3176	dw20.exe
Token: SeBackupPrivilege	3176	dw20.exe
Token: SeBackupPrivilege	3176	dw20.exe
Token: SeBackupPrivilege	3176	dw20.exe
Token: SeBackupPrivilege	3176	dw20.exe
Token: SeDebugPrivilege	5032	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	2688	Acctres.exe
Token: SeDebugPrivilege	2100	Acctres.exe
Token: SeBackupPrivilege	4340	dw20.exe
Token: SeBackupPrivilege	4340	dw20.exe
Token: SeDebugPrivilege	3812	IpOverUsbSvrc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeAcctres.exe

pid process

3060 3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
2100 Acctres.exe

pid	process
3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
2100	Acctres.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exeIpOverUsbSvrc.exeAcctres.exeAcctres.exe

description	pid	process	target process
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 4328 wrote to memory of 3060	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
PID 3060 wrote to memory of 4808	3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
PID 3060 wrote to memory of 4808	3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
PID 3060 wrote to memory of 4808	3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	cmd.exe
PID 4328 wrote to memory of 5032	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 4328 wrote to memory of 5032	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 4328 wrote to memory of 5032	4328	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	IpOverUsbSvrc.exe
PID 3060 wrote to memory of 3176	3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	dw20.exe
PID 3060 wrote to memory of 3176	3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	dw20.exe
PID 3060 wrote to memory of 3176	3060	3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe	dw20.exe
PID 5032 wrote to memory of 2688	5032	IpOverUsbSvrc.exe	Acctres.exe
PID 5032 wrote to memory of 2688	5032	IpOverUsbSvrc.exe	Acctres.exe
PID 5032 wrote to memory of 2688	5032	IpOverUsbSvrc.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 2100	2688	Acctres.exe	Acctres.exe
PID 2688 wrote to memory of 3812	2688	Acctres.exe	IpOverUsbSvrc.exe
PID 2688 wrote to memory of 3812	2688	Acctres.exe	IpOverUsbSvrc.exe
PID 2688 wrote to memory of 3812	2688	Acctres.exe	IpOverUsbSvrc.exe
PID 2100 wrote to memory of 3660	2100	Acctres.exe	cmd.exe
PID 2100 wrote to memory of 3660	2100	Acctres.exe	cmd.exe
PID 2100 wrote to memory of 3660	2100	Acctres.exe	cmd.exe
PID 2100 wrote to memory of 4340	2100	Acctres.exe	dw20.exe
PID 2100 wrote to memory of 4340	2100	Acctres.exe	dw20.exe
PID 2100 wrote to memory of 4340	2100	Acctres.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
"C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe
"C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe"
3⤵
- Drops startup file
PID:4808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2472
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe"
5⤵
- Drops startup file
PID:3660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2392
5⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

Filesize
619KB

MD5
055e822885e9b0971b4e87b0ebfa4ab6

SHA1
c23f1fe682b87478bd3e327dd499960adf412aef

SHA256
3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86

SHA512
85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe

Filesize
17KB

MD5
fd03ff313a655e0b59dce81044bc6341

SHA1
0fa0dc26876f636956c3de82685bdbbc8ad3ef86

SHA256
1f1c8c1458eaee47a448513db52ddb536406146d48793c3c24f41eb72b13cec9

SHA512
00fdf54987cb8abd0c68619e02991aeb50e5509ea56b0e5fa613ac29fddcc57c585cd0e5be055cb5c6563828b6a631666fe6e7004dada7607ddd903659264ddd

Download Submit
memory/2100-164-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2100-153-0x0000000000000000-mapping.dmp

Download
memory/2100-161-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2688-146-0x0000000000000000-mapping.dmp

Download
memory/2688-149-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/2688-150-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3060-143-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3060-134-0x0000000000000000-mapping.dmp

Download
memory/3060-145-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3060-135-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3060-140-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3176-142-0x0000000000000000-mapping.dmp

Download
memory/3660-160-0x0000000000000000-mapping.dmp

Download
memory/3812-165-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3812-156-0x0000000000000000-mapping.dmp

Download
memory/3812-162-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4328-133-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4328-151-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4328-132-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4340-163-0x0000000000000000-mapping.dmp

Download
memory/4808-136-0x0000000000000000-mapping.dmp

Download
memory/5032-152-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5032-137-0x0000000000000000-mapping.dmp

Download
memory/5032-144-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5032-141-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads