2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
Size

456KB
MD5

058b3019912b75cf2df5bd461be0c81a
SHA1

7ff0bcef25b11669d30ab0ce5c897597af111403
SHA256

2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4
SHA512

d2a09be798bba099bb938e866a0f95a6f3cc69c0c50ccd77c0a69197a9fe8aa74c9713ba3a42e86e95b9a429f30d5a717d82a4e58c5bd88ecb1eeb28e00df539
SSDEEP

12288:W4ik34n1GxipPy4ZNj2mOb/DNlq41TzXe9Yv:W4ik34n15iN/5lq41Tzuq

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

u8kSVi.exehjseos.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	u8kSVi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hjseos.exe

Executes dropped EXE 6 IoCs

Processes:

u8kSVi.exehjseos.exealay.exealay.exedlay.exeflay.exe

pid process

1284 u8kSVi.exe
1256 hjseos.exe
1052 alay.exe
1728 alay.exe
1968 dlay.exe
1064 flay.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1728-83-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1728-85-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1728-86-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1728-90-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1728-91-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1728-93-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1928 cmd.exe

pid	process
1928	cmd.exe

Loads dropped DLL 10 IoCs

Processes:

2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exeu8kSVi.exe

pid	process
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1284	u8kSVi.exe
1284	u8kSVi.exe
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

u8kSVi.exehjseos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /Z"	u8kSVi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /d"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /i"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /p"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /y"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /T"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /E"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /G"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /M"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /f"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /X"	hjseos.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	u8kSVi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /v"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /W"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /B"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /l"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /t"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /Q"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /m"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /Y"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /g"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /u"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /U"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /F"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /Z"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /D"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /R"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /I"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /q"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /P"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /x"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /s"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /z"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /a"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /k"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /b"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /H"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /N"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /A"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /j"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /n"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /J"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /K"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /L"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /c"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /r"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /V"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /h"	hjseos.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /C"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /S"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /o"	hjseos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\hjseos = "C:\\Users\\Admin\\hjseos.exe /e"	hjseos.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

alay.exeflay.exe

description pid process target process

PID 1052 set thread context of 1728 1052 alay.exe alay.exe
PID 1064 set thread context of 1004 1064 flay.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

708 tasklist.exe
904 tasklist.exe

description	pid	process	target process
PID 1052 set thread context of 1728	1052	alay.exe	alay.exe
PID 1064 set thread context of 1004	1064	flay.exe	cmd.exe

pid	process
708	tasklist.exe
904	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

u8kSVi.exealay.exehjseos.exe

pid	process
1284	u8kSVi.exe
1284	u8kSVi.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1256	hjseos.exe
1256	hjseos.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1256	hjseos.exe
1256	hjseos.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1256	hjseos.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe
1728	alay.exe
1256	hjseos.exe
1728	alay.exe
1728	alay.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exeflay.exetasklist.exe

description pid process

Token: SeDebugPrivilege 708 tasklist.exe
Token: SeDebugPrivilege 1064 flay.exe
Token: SeDebugPrivilege 904 tasklist.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exeu8kSVi.exehjseos.exealay.exedlay.exe

pid process

1692 2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
1284 u8kSVi.exe
1256 hjseos.exe
1052 alay.exe
1968 dlay.exe

description	pid	process
Token: SeDebugPrivilege	708	tasklist.exe
Token: SeDebugPrivilege	1064	flay.exe
Token: SeDebugPrivilege	904	tasklist.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exeu8kSVi.execmd.exealay.exeflay.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 1284	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	u8kSVi.exe
PID 1692 wrote to memory of 1284	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	u8kSVi.exe
PID 1692 wrote to memory of 1284	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	u8kSVi.exe
PID 1692 wrote to memory of 1284	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	u8kSVi.exe
PID 1284 wrote to memory of 1256	1284	u8kSVi.exe	hjseos.exe
PID 1284 wrote to memory of 1256	1284	u8kSVi.exe	hjseos.exe
PID 1284 wrote to memory of 1256	1284	u8kSVi.exe	hjseos.exe
PID 1284 wrote to memory of 1256	1284	u8kSVi.exe	hjseos.exe
PID 1284 wrote to memory of 976	1284	u8kSVi.exe	cmd.exe
PID 1284 wrote to memory of 976	1284	u8kSVi.exe	cmd.exe
PID 1284 wrote to memory of 976	1284	u8kSVi.exe	cmd.exe
PID 1284 wrote to memory of 976	1284	u8kSVi.exe	cmd.exe
PID 976 wrote to memory of 708	976	cmd.exe	tasklist.exe
PID 976 wrote to memory of 708	976	cmd.exe	tasklist.exe
PID 976 wrote to memory of 708	976	cmd.exe	tasklist.exe
PID 976 wrote to memory of 708	976	cmd.exe	tasklist.exe
PID 1692 wrote to memory of 1052	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	alay.exe
PID 1692 wrote to memory of 1052	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	alay.exe
PID 1692 wrote to memory of 1052	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	alay.exe
PID 1692 wrote to memory of 1052	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1052 wrote to memory of 1728	1052	alay.exe	alay.exe
PID 1692 wrote to memory of 1968	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	dlay.exe
PID 1692 wrote to memory of 1968	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	dlay.exe
PID 1692 wrote to memory of 1968	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	dlay.exe
PID 1692 wrote to memory of 1968	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	dlay.exe
PID 1692 wrote to memory of 1064	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	flay.exe
PID 1692 wrote to memory of 1064	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	flay.exe
PID 1692 wrote to memory of 1064	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	flay.exe
PID 1692 wrote to memory of 1064	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	flay.exe
PID 1064 wrote to memory of 1004	1064	flay.exe	cmd.exe
PID 1064 wrote to memory of 1004	1064	flay.exe	cmd.exe
PID 1064 wrote to memory of 1004	1064	flay.exe	cmd.exe
PID 1064 wrote to memory of 1004	1064	flay.exe	cmd.exe
PID 1064 wrote to memory of 1004	1064	flay.exe	cmd.exe
PID 1692 wrote to memory of 1928	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	cmd.exe
PID 1692 wrote to memory of 1928	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	cmd.exe
PID 1692 wrote to memory of 1928	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	cmd.exe
PID 1692 wrote to memory of 1928	1692	2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe	cmd.exe
PID 1928 wrote to memory of 904	1928	cmd.exe	tasklist.exe
PID 1928 wrote to memory of 904	1928	cmd.exe	tasklist.exe
PID 1928 wrote to memory of 904	1928	cmd.exe	tasklist.exe
PID 1928 wrote to memory of 904	1928	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
"C:\Users\Admin\AppData\Local\Temp\2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\u8kSVi.exe
C:\Users\Admin\u8kSVi.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\hjseos.exe
"C:\Users\Admin\hjseos.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del u8kSVi.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Users\Admin\alay.exe
C:\Users\Admin\alay.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\alay.exe
"C:\Users\Admin\alay.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Users\Admin\dlay.exe
C:\Users\Admin\dlay.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Users\Admin\flay.exe
C:\Users\Admin\flay.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 2d9cc61bc7715786ff809251bb5bb631038d68ab755e8ec61ea300ff401f33a4.exe
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\alay.exe
Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
C:\Users\Admin\alay.exe
Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
C:\Users\Admin\alay.exe
Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
C:\Users\Admin\dlay.exe
Filesize
36KB

MD5
ca22de79e6c6c38eb6dfef7fe1660b05

SHA1
859243fbafb70d5631e96cf88fc3a4c917cecfca

SHA256
8eff51c017894840eec5141933794e35a13de7baf085e20e697106bc4b2467b4

SHA512
b136c8748cb46dabf6229477c3bd9b217562a7748c57c87f69c2874bd81e72cdda23ba7692602b7bc972e96716693af7ba0b33a9faf8ea25f4060a4c2dfff678

Download Submit
C:\Users\Admin\flay.exe
Filesize
264KB

MD5
9b3122a0ed7ec1eb344be414036da288

SHA1
cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

SHA256
ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

SHA512
f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

Download Submit
C:\Users\Admin\flay.exe
Filesize
264KB

MD5
9b3122a0ed7ec1eb344be414036da288

SHA1
cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

SHA256
ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

SHA512
f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

Download Submit
C:\Users\Admin\hjseos.exe
Filesize
248KB

MD5
e8633f53a3bd20b79eab04da362e1c45

SHA1
fb7036cc5f8941f6a3bbddb52b52e1350faa921c

SHA256
a24c51ce243f4bb0809f2d5b7eae347fe39983d639c7ed078425692300ea8016

SHA512
e2b5f5ab1e502cb09efde2d09df5cf9acad858d787c995ca87133b9a647b0abdc4128b8526766e70c92139b7197fcc1aeff097ffb0b5e2d53f9732eec8941421

Download Submit
C:\Users\Admin\hjseos.exe
Filesize
248KB

MD5
e8633f53a3bd20b79eab04da362e1c45

SHA1
fb7036cc5f8941f6a3bbddb52b52e1350faa921c

SHA256
a24c51ce243f4bb0809f2d5b7eae347fe39983d639c7ed078425692300ea8016

SHA512
e2b5f5ab1e502cb09efde2d09df5cf9acad858d787c995ca87133b9a647b0abdc4128b8526766e70c92139b7197fcc1aeff097ffb0b5e2d53f9732eec8941421

Download Submit
C:\Users\Admin\u8kSVi.exe
Filesize
248KB

MD5
76a6dee598367ca2ce4e90457622eb62

SHA1
067b85364f34f26292739ea3c04706335c7a9ee4

SHA256
2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

SHA512
8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

Download Submit
C:\Users\Admin\u8kSVi.exe
Filesize
248KB

MD5
76a6dee598367ca2ce4e90457622eb62

SHA1
067b85364f34f26292739ea3c04706335c7a9ee4

SHA256
2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

SHA512
8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

Download Submit
\Users\Admin\alay.exe
Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
\Users\Admin\alay.exe
Filesize
68KB

MD5
1bf479c263ff9b58c1cc00c965f4c14a

SHA1
494555c284279f4cb8b1ea9f91ce12c98e057fce

SHA256
3b5a01e9c4a8fc9e2f6f33da669a8020b76751720d4c32a42e7ba49e955b1093

SHA512
48134b823a6bd2877e200095c03521e75de79a2830d9e723138c00529e0c9436e4b368fb3bd37a5a67cfdbaa34405b8e3f9bd79a982adbf726d882e57823f161

Download Submit
\Users\Admin\dlay.exe
Filesize
36KB

MD5
ca22de79e6c6c38eb6dfef7fe1660b05

SHA1
859243fbafb70d5631e96cf88fc3a4c917cecfca

SHA256
8eff51c017894840eec5141933794e35a13de7baf085e20e697106bc4b2467b4

SHA512
b136c8748cb46dabf6229477c3bd9b217562a7748c57c87f69c2874bd81e72cdda23ba7692602b7bc972e96716693af7ba0b33a9faf8ea25f4060a4c2dfff678

Download Submit
\Users\Admin\dlay.exe
Filesize
36KB

MD5
ca22de79e6c6c38eb6dfef7fe1660b05

SHA1
859243fbafb70d5631e96cf88fc3a4c917cecfca

SHA256
8eff51c017894840eec5141933794e35a13de7baf085e20e697106bc4b2467b4

SHA512
b136c8748cb46dabf6229477c3bd9b217562a7748c57c87f69c2874bd81e72cdda23ba7692602b7bc972e96716693af7ba0b33a9faf8ea25f4060a4c2dfff678

Download Submit
\Users\Admin\flay.exe
Filesize
264KB

MD5
9b3122a0ed7ec1eb344be414036da288

SHA1
cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

SHA256
ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

SHA512
f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

Download Submit
\Users\Admin\flay.exe
Filesize
264KB

MD5
9b3122a0ed7ec1eb344be414036da288

SHA1
cf6a4651b24fc71db61e1870a360c3fa7d67c1ca

SHA256
ca0ae1bd6a5328945c7805621a2efe10840b3023f70e180750ed0f9f87cc7df7

SHA512
f57046121b54c8abd81bade8c2989530ac604e128c826397df63680fc7d8bc22715408613119bfa11920e736a7185950adf3d6c769df3f9b389d1020b22959e4

Download Submit
\Users\Admin\hjseos.exe
Filesize
248KB

MD5
e8633f53a3bd20b79eab04da362e1c45

SHA1
fb7036cc5f8941f6a3bbddb52b52e1350faa921c

SHA256
a24c51ce243f4bb0809f2d5b7eae347fe39983d639c7ed078425692300ea8016

SHA512
e2b5f5ab1e502cb09efde2d09df5cf9acad858d787c995ca87133b9a647b0abdc4128b8526766e70c92139b7197fcc1aeff097ffb0b5e2d53f9732eec8941421

Download Submit
\Users\Admin\hjseos.exe
Filesize
248KB

MD5
e8633f53a3bd20b79eab04da362e1c45

SHA1
fb7036cc5f8941f6a3bbddb52b52e1350faa921c

SHA256
a24c51ce243f4bb0809f2d5b7eae347fe39983d639c7ed078425692300ea8016

SHA512
e2b5f5ab1e502cb09efde2d09df5cf9acad858d787c995ca87133b9a647b0abdc4128b8526766e70c92139b7197fcc1aeff097ffb0b5e2d53f9732eec8941421

Download Submit
\Users\Admin\u8kSVi.exe
Filesize
248KB

MD5
76a6dee598367ca2ce4e90457622eb62

SHA1
067b85364f34f26292739ea3c04706335c7a9ee4

SHA256
2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

SHA512
8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

Download Submit
\Users\Admin\u8kSVi.exe
Filesize
248KB

MD5
76a6dee598367ca2ce4e90457622eb62

SHA1
067b85364f34f26292739ea3c04706335c7a9ee4

SHA256
2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

SHA512
8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

Download Submit
memory/708-74-0x0000000000000000-mapping.dmp

Download
memory/904-127-0x0000000000000000-mapping.dmp

Download
memory/976-73-0x0000000000000000-mapping.dmp

Download
memory/1004-121-0x0000000000000000-mapping.dmp

Download
memory/1052-77-0x0000000000000000-mapping.dmp

Download
memory/1064-114-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/1064-119-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/1064-125-0x0000000003150000-0x0000000003190000-memory.dmp

Filesize
256KB

Download
memory/1064-124-0x0000000002A81000-0x0000000002A8B000-memory.dmp

Filesize
40KB

Download
memory/1064-123-0x0000000002A8B000-0x0000000002A8F000-memory.dmp

Filesize
16KB

Download
memory/1064-122-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1064-116-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/1064-118-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/1064-103-0x0000000000000000-mapping.dmp

Download
memory/1064-117-0x0000000002A8B000-0x0000000002A8F000-memory.dmp

Filesize
16KB

Download
memory/1064-105-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1064-107-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/1064-110-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/1064-113-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/1064-115-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1256-67-0x0000000000000000-mapping.dmp

Download
memory/1284-59-0x0000000000000000-mapping.dmp

Download
memory/1692-56-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1728-86-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1728-93-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1728-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1728-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1728-87-0x000000000040C510-mapping.dmp

Download
memory/1728-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1728-91-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1728-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1928-126-0x0000000000000000-mapping.dmp

Download
memory/1968-96-0x0000000000000000-mapping.dmp

Download