Analysis
max time kernel: 151s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 19:06
Static task: static1
Behavioral task: behavioral1
Sample: 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
Resource: win7-20220901-en
General
Target: 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
Size: 409KB
MD5: 1ca96568c17ee7dc97a85177213429ed
SHA1: 7f4f5ca475f1540eae726b7a21897f72c1fbe598
SHA256: 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716
SHA512: 98a98130c5514acf9c2581184d4b236e5427c06fb2a328636c94973ab6c560b34c9616e3937731d5197d42cc05e105452ecbdc3e009b41298d5224842a767168
SSDEEP: 6144:6BCb5KHuGsOLWyGhsVODNo8IlQXmhG45g7gCc7K/m5VnBsBQDagtvyVVcoSnJAWg:QC1KO1hsVyNNIl4T6keB2guHOAWaLE
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid | Process
2028 | mscorsvw.exe
1672 | mscorsvw.exe
688 | OSE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000 | OSE.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000\EnableNotifications = "0" | OSE.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: through \??\Z: (E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:; 22 IoCs) | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened (read-only) | \??\E: through \??\Z: (E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:; 22 IoCs) | OSE.EXE
Drops file in System32 directory 36 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\windows\SysWOW64\searchindexer.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\windows\SysWOW64\dllhost.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\windows\SysWOW64\msiexec.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\windows\SysWOW64\svchost.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | OSE.EXE
Drops file in Program Files directory 28 IoCs
description | ioc | Process
File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | C:\Program Files\7-Zip\Uninstall.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\program files (x86)\microsoft office\office14\groove.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | OSE.EXE
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | OSE.EXE
File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | OSE.EXE
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | OSE.EXE
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | OSE.EXE
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | OSE.EXE
Drops file in Windows directory 27 IoCs
description | ioc | Process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{448B68BB-7FE2-491D-A384-E28753A175C3}.crmlog | dllhost.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{448B68BB-7FE2-491D-A384-E28753A175C3}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\ehome\ehsched.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File created | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | OSE.EXE
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehsched.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | OSE.EXE
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid | Process
688 | OSE.EXE (15 identical entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1280 | 9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
Token: SeRestorePrivilege | 1444 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1444 | msiexec.exe
Token: SeSecurityPrivilege | 1444 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 688 | OSE.EXE
Token: SeManageVolumePrivilege | 1544 | SearchIndexer.exe
Token: 33 | 1544 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 1544 | SearchIndexer.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1404 | SearchProtocolHost.exe (4 identical entries)
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1544 wrote to memory of 1404 | 1544 | SearchIndexer.exe | 33
PID 1544 wrote to memory of 1404 | 1544 | SearchIndexer.exe | 33
PID 1544 wrote to memory of 1404 | 1544 | SearchIndexer.exe | 33
PID 1544 wrote to memory of 864 | 1544 | SearchIndexer.exe | 34
PID 1544 wrote to memory of 864 | 1544 | SearchIndexer.exe | 34
PID 1544 wrote to memory of 864 | 1544 | SearchIndexer.exe | 34
Processes
C:\Users\Admin\AppData\Local\Temp\9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e7203ff6ab8e54848e1b4f74186eb30d21c7cbe1f088d3162960b3534b0f716.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  PID: 2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  PID: 1672

C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID: 432

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 1444

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 688

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1544

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 1544)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      - Suspicious use of SetWindowsHookEx
      PID: 1404

    C:\Windows\system32\SearchFilterHost.exe (child of PID 1544)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      PID: 864
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 284KB
MD5: e439430997faf032bb90db4cb3cfb85d
SHA1: f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8
SHA256: d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb
SHA512: 98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Filesize: 1.2MB
MD5: 8174bc516ba6943da8e0f2daec453f27
SHA1: 414db3d2b6875d529a290517033fbf8002a4b319
SHA256: f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a
SHA512: a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Filesize: 284KB
MD5: 7e07f3a709d0eec0df5a65833627a732
SHA1: 3765e6e0a1f0d2abce799b2cad59765e5b84ebe0
SHA256: b9794f42779bd17e4752156d47a636a756454815e9e4ee7fc9ebc89c1ad70a78
SHA512: 16767106e9cbb019629e29b1cddfd1a36a1eacbe3c74164a65f204736bef87c33f979fb57fc29e3cce4c8c11dad4035253a70aae08e0bc00f288fd19af6861b7

Filesize: 203KB
MD5: c7ec0a5052420275ceb5fea119b32c33
SHA1: 67d754a973a65b1dfbec11ad0cc2bdb373637f5c
SHA256: 01d3639241efbb567b46e14f81cebfa74b6d5d0f26741f9f3aabad9beb4b0e06
SHA512: 6674a6609410d777bdf6d86bed4fb4e40d092e4f965f720c0f992709737133d8ac7fb76724f2d5253a4489821be782a8d522b450651233298b50431c8e213287

Filesize: 203KB
MD5: c7ec0a5052420275ceb5fea119b32c33
SHA1: 67d754a973a65b1dfbec11ad0cc2bdb373637f5c
SHA256: 01d3639241efbb567b46e14f81cebfa74b6d5d0f26741f9f3aabad9beb4b0e06
SHA512: 6674a6609410d777bdf6d86bed4fb4e40d092e4f965f720c0f992709737133d8ac7fb76724f2d5253a4489821be782a8d522b450651233298b50431c8e213287

Filesize: 234KB
MD5: 57dd08de62d78701ee07340cd0400ace
SHA1: 986173bde17813dd9208d4cfb76d64d76ebda167
SHA256: 346c13d77ad017d91cc5c25e6ff4e27e8e63290587b0595eea15b6d6d21b00a8
SHA512: 3f37423c19dc3f5c869b435a3f3fcc2f0cf5e87badef68aadbe9b649bf121fe3e396f228105d920804c31d2a2bbf4ce618af693425265014493ad08cfeb5e9bb

Filesize: 29.7MB
MD5: 6afe2da6856ff0a386ae6cc3d4f9029c
SHA1: 28605fa1fe4516fb33328a1e340f93044d4fbdb9
SHA256: e5f655767d7e4b9133361b78ee11901b31a467ebc8ae67c7d6ba542268353169
SHA512: 92966b52c2a1d8a8c1c850c90318c12f1a2a1996f7d4a6f526771e76f895b2ecd84360848ce2070207fd7e2dbd9e3a7d918c0c32356db3c80d526a4e8ada6a54

Filesize: 562KB
MD5: a0a93f4c52a441b74bdd036a5a4d44aa
SHA1: 02dc1c921c5c825a4ce60b6cc376ce27218e7fa8
SHA256: 062dd1ca74db329dafc41f8de363370b82f2b85445bc76624cd3d7965d12c9e2
SHA512: 469c9f1d5e83ea27bec24ae501ddb0e2c26fa147f7cc34f07fd31529db03d3a02c5702e1d91e759f7cadd3d61eb6c29d94e7018d1ec0dbab8994036958640d92

Filesize: 164KB
MD5: 5bd914412f80aa109402042504682ec1
SHA1: 44f299cc5036672360e93e4d7d0cd4a13a64a902
SHA256: 400b8557d5ee80ba19a68aea24e7bd746762117c40deec3483fec910410a6da1
SHA512: 17485aef1b7c41682d034ec282840522f79a65a0a794667c7fc8fcd96e8c14b9c4d7c43443225984067f81bb481cc2da9870c0b33f1cf16b7582a6cf3d23b829

Filesize: 234KB
MD5: 57dd08de62d78701ee07340cd0400ace
SHA1: 986173bde17813dd9208d4cfb76d64d76ebda167
SHA256: 346c13d77ad017d91cc5c25e6ff4e27e8e63290587b0595eea15b6d6d21b00a8
SHA512: 3f37423c19dc3f5c869b435a3f3fcc2f0cf5e87badef68aadbe9b649bf121fe3e396f228105d920804c31d2a2bbf4ce618af693425265014493ad08cfeb5e9bb