6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9

Analysis

max time kernel
155s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
Size

361KB
MD5

528d5072eb08c4cc86e0d39da96f42a0
SHA1

ffd2bb8a4bc6ba31ca2c08fc325f37cc853bb80c
SHA256

6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9
SHA512

1e8a6bec2ffeaf50d835fa324e4529cf6c64e84de38658a19860aa9c418a38683d211e118dc47027b8ef00698bf12f415a45369d3af41dbcaa6a44097e3f4a2a
SSDEEP

6144:VflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:VflfAsiVGjSGecvX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 4904 created 3188	4904	svchost.exe	CreateProcess.exe
PID 4904 created 1352	4904	svchost.exe	CreateProcess.exe
PID 4904 created 4668	4904	svchost.exe	CreateProcess.exe
PID 4904 created 1988	4904	svchost.exe	CreateProcess.exe
PID 4904 created 3960	4904	svchost.exe	CreateProcess.exe
PID 4904 created 4380	4904	svchost.exe	CreateProcess.exe

Executes dropped EXE 12 IoCs

Processes:

zurmkecwuomhezxr.exeCreateProcess.exeidsnkfdxvp.exeCreateProcess.exeCreateProcess.exei_idsnkfdxvp.exeCreateProcess.exevtnlfdyvqn.exeCreateProcess.exeCreateProcess.exei_vtnlfdyvqn.exeCreateProcess.exe

pid	process
1664	zurmkecwuomhezxr.exe
3188	CreateProcess.exe
1712	idsnkfdxvp.exe
1352	CreateProcess.exe
4668	CreateProcess.exe
4532	i_idsnkfdxvp.exe
1988	CreateProcess.exe
2328	vtnlfdyvqn.exe
3960	CreateProcess.exe
4380	CreateProcess.exe
4648	i_vtnlfdyvqn.exe
4104	CreateProcess.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1512 ipconfig.exe
2204 ipconfig.exe

pid	process
1512	ipconfig.exe
2204	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000cc45d2286d535c418fc029c5b84b4e1c0edeea16ec203a4f96338546b69390a5000000000e800000000200002000000014ac9c041b83f2d97fd02167130d1123f56ae0629261d7539b875d05422b37ea2000000040c5c8d914d591ae9a92ddcc1780a9c88dc6e6d0d17b0dbaeef5509936d06015400000002a5d79984694e77a2be955f5fbf738bb4d6049339ebe805164843a081b284c3839d021c5487113e4f51bf3d7ac8bdbdcad34053eed111edfd5678ef12b268a6d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998407"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40bcf53387ffd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000006225b0bccbc9a7a75c64c47495fe80143951d059d8d8be729dabc90b3009e8d1000000000e8000000002000020000000ac48f218e588b9c59111957531992cf71371b496207d1fdc1b9f3bab3de27f7720000000f0cd6d5ed09ffddf6429f555bee7a4ba137762e6f76a39f08011bf4f2ff5cf94400000001ffb313ff25a51666a5f04bb897d75268a265cc5423429004487b166ddb29ba61a85602b8788453a46736ec4d31adbb2770971feab84281943c30b2de17f32b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{51E03385-6B7A-11ED-919F-7295FC24CA51} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7095153387ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "877992100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998407"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376005864"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "877992100"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exezurmkecwuomhezxr.exe

pid	process
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
1664	zurmkecwuomhezxr.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

664
664
664

pid	process
664
664
664

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exei_idsnkfdxvp.exei_vtnlfdyvqn.exe

description	pid	process
Token: SeTcbPrivilege	4904	svchost.exe
Token: SeTcbPrivilege	4904	svchost.exe
Token: SeDebugPrivilege	4532	i_idsnkfdxvp.exe
Token: SeDebugPrivilege	4648	i_vtnlfdyvqn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3316 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3316 iexplore.exe
3316 iexplore.exe
4768 IEXPLORE.EXE
4768 IEXPLORE.EXE
4768 IEXPLORE.EXE
4768 IEXPLORE.EXE

pid	process
3316	iexplore.exe

pid	process
3316	iexplore.exe
3316	iexplore.exe
4768	IEXPLORE.EXE
4768	IEXPLORE.EXE
4768	IEXPLORE.EXE
4768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exeiexplore.exezurmkecwuomhezxr.exesvchost.exeidsnkfdxvp.exevtnlfdyvqn.exe

description	pid	process	target process
PID 976 wrote to memory of 1664	976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe	zurmkecwuomhezxr.exe
PID 976 wrote to memory of 1664	976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe	zurmkecwuomhezxr.exe
PID 976 wrote to memory of 1664	976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe	zurmkecwuomhezxr.exe
PID 976 wrote to memory of 3316	976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe	iexplore.exe
PID 976 wrote to memory of 3316	976	6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe	iexplore.exe
PID 3316 wrote to memory of 4768	3316	iexplore.exe	IEXPLORE.EXE
PID 3316 wrote to memory of 4768	3316	iexplore.exe	IEXPLORE.EXE
PID 3316 wrote to memory of 4768	3316	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 3188	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 3188	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 3188	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 4904 wrote to memory of 1712	4904	svchost.exe	idsnkfdxvp.exe
PID 4904 wrote to memory of 1712	4904	svchost.exe	idsnkfdxvp.exe
PID 4904 wrote to memory of 1712	4904	svchost.exe	idsnkfdxvp.exe
PID 1712 wrote to memory of 1352	1712	idsnkfdxvp.exe	CreateProcess.exe
PID 1712 wrote to memory of 1352	1712	idsnkfdxvp.exe	CreateProcess.exe
PID 1712 wrote to memory of 1352	1712	idsnkfdxvp.exe	CreateProcess.exe
PID 4904 wrote to memory of 1512	4904	svchost.exe	ipconfig.exe
PID 4904 wrote to memory of 1512	4904	svchost.exe	ipconfig.exe
PID 1664 wrote to memory of 4668	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 4668	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 4668	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 4904 wrote to memory of 4532	4904	svchost.exe	i_idsnkfdxvp.exe
PID 4904 wrote to memory of 4532	4904	svchost.exe	i_idsnkfdxvp.exe
PID 4904 wrote to memory of 4532	4904	svchost.exe	i_idsnkfdxvp.exe
PID 1664 wrote to memory of 1988	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 1988	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 1988	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 4904 wrote to memory of 2328	4904	svchost.exe	vtnlfdyvqn.exe
PID 4904 wrote to memory of 2328	4904	svchost.exe	vtnlfdyvqn.exe
PID 4904 wrote to memory of 2328	4904	svchost.exe	vtnlfdyvqn.exe
PID 2328 wrote to memory of 3960	2328	vtnlfdyvqn.exe	CreateProcess.exe
PID 2328 wrote to memory of 3960	2328	vtnlfdyvqn.exe	CreateProcess.exe
PID 2328 wrote to memory of 3960	2328	vtnlfdyvqn.exe	CreateProcess.exe
PID 4904 wrote to memory of 2204	4904	svchost.exe	ipconfig.exe
PID 4904 wrote to memory of 2204	4904	svchost.exe	ipconfig.exe
PID 1664 wrote to memory of 4380	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 4380	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 4380	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 4904 wrote to memory of 4648	4904	svchost.exe	i_vtnlfdyvqn.exe
PID 4904 wrote to memory of 4648	4904	svchost.exe	i_vtnlfdyvqn.exe
PID 4904 wrote to memory of 4648	4904	svchost.exe	i_vtnlfdyvqn.exe
PID 1664 wrote to memory of 4104	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 4104	1664	zurmkecwuomhezxr.exe	CreateProcess.exe
PID 1664 wrote to memory of 4104	1664	zurmkecwuomhezxr.exe	CreateProcess.exe

C:\Users\Admin\AppData\Local\Temp\6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe
"C:\Users\Admin\AppData\Local\Temp\6f83b817a7e2576da05cfee40f4842a0deaee5f63b8cc8efe79bda56a9fe0ed9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Temp\zurmkecwuomhezxr.exe
C:\Temp\zurmkecwuomhezxr.exe run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\idsnkfdxvp.exe ups_run
3⤵
- Executes dropped EXE
PID:3188

C:\Temp\idsnkfdxvp.exe
C:\Temp\idsnkfdxvp.exe ups_run
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
5⤵
- Executes dropped EXE
PID:1352

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
6⤵
- Gathers network information
PID:1512

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_idsnkfdxvp.exe ups_ins
3⤵
- Executes dropped EXE
PID:4668

C:\Temp\i_idsnkfdxvp.exe
C:\Temp\i_idsnkfdxvp.exe ups_ins
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\vtnlfdyvqn.exe ups_run
3⤵
- Executes dropped EXE
PID:1988

C:\Temp\vtnlfdyvqn.exe
C:\Temp\vtnlfdyvqn.exe ups_run
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
5⤵
- Executes dropped EXE
PID:3960

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
6⤵
- Gathers network information
PID:2204

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\i_vtnlfdyvqn.exe ups_ins
3⤵
- Executes dropped EXE
PID:4380

C:\Temp\i_vtnlfdyvqn.exe
C:\Temp\i_vtnlfdyvqn.exe ups_ins
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\Temp\mgezwrojhb.exe ups_run
3⤵
- Executes dropped EXE
PID:4104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3316

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3316 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
C:\Temp\i_idsnkfdxvp.exe

Filesize
361KB

MD5
59bec8d8ea6591082b325f8be7d96f18

SHA1
2573643299f4baadea5f02d4c012361e0ba62195

SHA256
df64ec2bab55c4c031ac60c4e2cf276a7bd0787fc2e5ad515f62a449016b2ffe

SHA512
8d0c84ffd06b9d5b417509951133c3c1f3818edbba03c18fb7e30e294734754b7ddfca6ab015fa5a23355e28e51200ca29890fd08d05f1b03c56df459b57aaf3

Download Submit
C:\Temp\i_idsnkfdxvp.exe

Filesize
361KB

MD5
59bec8d8ea6591082b325f8be7d96f18

SHA1
2573643299f4baadea5f02d4c012361e0ba62195

SHA256
df64ec2bab55c4c031ac60c4e2cf276a7bd0787fc2e5ad515f62a449016b2ffe

SHA512
8d0c84ffd06b9d5b417509951133c3c1f3818edbba03c18fb7e30e294734754b7ddfca6ab015fa5a23355e28e51200ca29890fd08d05f1b03c56df459b57aaf3

Download Submit
C:\Temp\i_vtnlfdyvqn.exe

Filesize
361KB

MD5
be9e471c0f21c4e0557eb9c34fc97ac2

SHA1
05c9d358db499f4f7a7a1330e6b58b844f0aaee8

SHA256
ee250070a959ba2ff1e345c8883151fe8a59304104554f80545b144eb1cb9558

SHA512
4b7864b6857a8413d570a429a703d0f3f85207cc1ab050e6b426f60909b024bbd498f8086809d6436621168d7baefd19589711b334227bf22c0f7355eef7a9e5

Download Submit
C:\Temp\i_vtnlfdyvqn.exe

Filesize
361KB

MD5
be9e471c0f21c4e0557eb9c34fc97ac2

SHA1
05c9d358db499f4f7a7a1330e6b58b844f0aaee8

SHA256
ee250070a959ba2ff1e345c8883151fe8a59304104554f80545b144eb1cb9558

SHA512
4b7864b6857a8413d570a429a703d0f3f85207cc1ab050e6b426f60909b024bbd498f8086809d6436621168d7baefd19589711b334227bf22c0f7355eef7a9e5

Download Submit
C:\Temp\idsnkfdxvp.exe

Filesize
361KB

MD5
6892016319b1d7fe00cf3471ef3e445f

SHA1
70e4dd40ca64d1d9d16aa2d8a1d02ac52d7a53b9

SHA256
a560b6bc05c3bb714d1eb039594f8a4849f23c9e21049c9ba8a84e5ebeeb8fc5

SHA512
fb913b78dd7215a55d39f65060a87f69aa6f0174cf0f7e76eae2fe95a3eb3413aa4a3f1ba8ead8e20d2b761a0b55fa0550744403728686243f842caf83c84abd

Download Submit
C:\Temp\idsnkfdxvp.exe

Filesize
361KB

MD5
6892016319b1d7fe00cf3471ef3e445f

SHA1
70e4dd40ca64d1d9d16aa2d8a1d02ac52d7a53b9

SHA256
a560b6bc05c3bb714d1eb039594f8a4849f23c9e21049c9ba8a84e5ebeeb8fc5

SHA512
fb913b78dd7215a55d39f65060a87f69aa6f0174cf0f7e76eae2fe95a3eb3413aa4a3f1ba8ead8e20d2b761a0b55fa0550744403728686243f842caf83c84abd

Download Submit
C:\Temp\vtnlfdyvqn.exe

Filesize
361KB

MD5
511a21927cc81ed99a29e5f27f525f98

SHA1
aa5e703369495743800a97c6f528fe49c5c0864b

SHA256
54583dfc14daafb088284d414e05aaccd20ea1f1e79a7e459ff96deace2d8075

SHA512
379231bffd050de9013d90bb9db016b4f42e3120c097a10ab6aedef1815750086e0b80b2c884240ff7f84944c3432c312c0a9ab64f4c2f5b70d505f552f8b359

Download Submit
C:\Temp\vtnlfdyvqn.exe

Filesize
361KB

MD5
511a21927cc81ed99a29e5f27f525f98

SHA1
aa5e703369495743800a97c6f528fe49c5c0864b

SHA256
54583dfc14daafb088284d414e05aaccd20ea1f1e79a7e459ff96deace2d8075

SHA512
379231bffd050de9013d90bb9db016b4f42e3120c097a10ab6aedef1815750086e0b80b2c884240ff7f84944c3432c312c0a9ab64f4c2f5b70d505f552f8b359

Download Submit
C:\Temp\zurmkecwuomhezxr.exe

Filesize
361KB

MD5
d8d06272fb06e4fb2d1ae465ac56c967

SHA1
b8430452e8f88699b96a6a74c3aa384985ced6e0

SHA256
5c42db3ad43d790521830060a7043fa00ca8f6ed4a555e176c2d0480bb5035f2

SHA512
e26d25c112286f3cbadaf3c2aeb234cdd813d001da9cd23ee55faf39f08e600197c24379fea7883ea140750225bde869591f78175ce480766ec150a29179f314

Download Submit
C:\Temp\zurmkecwuomhezxr.exe

Filesize
361KB

MD5
d8d06272fb06e4fb2d1ae465ac56c967

SHA1
b8430452e8f88699b96a6a74c3aa384985ced6e0

SHA256
5c42db3ad43d790521830060a7043fa00ca8f6ed4a555e176c2d0480bb5035f2

SHA512
e26d25c112286f3cbadaf3c2aeb234cdd813d001da9cd23ee55faf39f08e600197c24379fea7883ea140750225bde869591f78175ce480766ec150a29179f314

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
470c88d571317d5b0eb922a3420b9600

SHA1
5b0fd2115868d0f0b0fe654fdeca8f268f1b3ef0

SHA256
df1f2904329b000ad9e82568d1c009dfa5bfa53cba9962f2e8c991a670b9a805

SHA512
9b7a7b32437a3201cdfa0b89c82dbb47fab5824d650a719d859c399119cd72f74e01953c8f3aa31cc91becbb50f5ec19a3c1c68282160829d2317f313e53a453

Download Submit
memory/1352-141-0x0000000000000000-mapping.dmp

Download
memory/1512-143-0x0000000000000000-mapping.dmp

Download
memory/1664-132-0x0000000000000000-mapping.dmp

Download
memory/1712-138-0x0000000000000000-mapping.dmp

Download
memory/1988-149-0x0000000000000000-mapping.dmp

Download
memory/2204-156-0x0000000000000000-mapping.dmp

Download
memory/2328-151-0x0000000000000000-mapping.dmp

Download
memory/3188-135-0x0000000000000000-mapping.dmp

Download
memory/3960-154-0x0000000000000000-mapping.dmp

Download
memory/4104-162-0x0000000000000000-mapping.dmp

Download
memory/4380-157-0x0000000000000000-mapping.dmp

Download
memory/4532-146-0x0000000000000000-mapping.dmp

Download
memory/4648-159-0x0000000000000000-mapping.dmp

Download
memory/4668-144-0x0000000000000000-mapping.dmp

Download