88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9

Analysis

max time kernel
151s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
Size

595KB
MD5

22fa3f044edf21da1808efd9138727d2
SHA1

f66f70f4763a9d0dd2ebd0803d2f46d691a338fb
SHA256

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9
SHA512

19f904d86aac592b1edca4b257c292ed78de219c5007564eb74e587a8d1f0c1de7f2f3a47629445cddb6375cfd2c4e90bea019baadb4b5bb87279b2d52f89f78
SSDEEP

12288:QtmXjD9Ye5veJVJPbCjXr2CIjfcXL88WOouNyg1kXGLb:QtmX2bJj+j72ffEPWOPwub

Score

10^/10

persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
ejcmrquuosqeqgpx

Signatures

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2528-148-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/2528-150-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/2528-151-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

IpOverUsbSvrc.exeatiesrx.exeatiesrx.exeIpOverUsbSvrc.exe

pid process

2872 IpOverUsbSvrc.exe
748 atiesrx.exe
4164 atiesrx.exe
4456 IpOverUsbSvrc.exe

pid	process
2872	IpOverUsbSvrc.exe
748	atiesrx.exe
4164	atiesrx.exe
4456	IpOverUsbSvrc.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exeatiesrx.exeatiesrx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	atiesrx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	atiesrx.exe

Drops startup file 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiesrx.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiesrx.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 bot.whatismyipaddress.com
44 bot.whatismyipaddress.com

flow	ioc
32	bot.whatismyipaddress.com
44	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exeatiesrx.exe

description	pid	process	target process
PID 4824 set thread context of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4012 set thread context of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 748 set thread context of 4164	748	atiesrx.exe	atiesrx.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exeIpOverUsbSvrc.exe

pid	process
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
2872	IpOverUsbSvrc.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exeIpOverUsbSvrc.exedw20.exeatiesrx.exeIpOverUsbSvrc.exeatiesrx.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
Token: SeDebugPrivilege	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
Token: SeDebugPrivilege	2872	IpOverUsbSvrc.exe
Token: SeRestorePrivilege	4416	dw20.exe
Token: SeBackupPrivilege	4416	dw20.exe
Token: SeBackupPrivilege	4416	dw20.exe
Token: SeBackupPrivilege	4416	dw20.exe
Token: SeBackupPrivilege	4416	dw20.exe
Token: SeDebugPrivilege	748	atiesrx.exe
Token: SeDebugPrivilege	4456	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	4164	atiesrx.exe
Token: SeBackupPrivilege	1388	dw20.exe
Token: SeBackupPrivilege	1388	dw20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exeatiesrx.exe

pid process

4012 88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4164 atiesrx.exe

pid	process
4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
4164	atiesrx.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exeIpOverUsbSvrc.exeatiesrx.exeatiesrx.exe

description	pid	process	target process
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4824 wrote to memory of 4012	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
PID 4012 wrote to memory of 4432	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	cmd.exe
PID 4012 wrote to memory of 4432	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	cmd.exe
PID 4012 wrote to memory of 4432	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	cmd.exe
PID 4824 wrote to memory of 2872	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	IpOverUsbSvrc.exe
PID 4824 wrote to memory of 2872	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	IpOverUsbSvrc.exe
PID 4824 wrote to memory of 2872	4824	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	IpOverUsbSvrc.exe
PID 2872 wrote to memory of 748	2872	IpOverUsbSvrc.exe	atiesrx.exe
PID 2872 wrote to memory of 748	2872	IpOverUsbSvrc.exe	atiesrx.exe
PID 2872 wrote to memory of 748	2872	IpOverUsbSvrc.exe	atiesrx.exe
PID 4012 wrote to memory of 4416	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	dw20.exe
PID 4012 wrote to memory of 4416	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	dw20.exe
PID 4012 wrote to memory of 4416	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	dw20.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 4012 wrote to memory of 2528	4012	88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe	vbc.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4164	748	atiesrx.exe	atiesrx.exe
PID 748 wrote to memory of 4456	748	atiesrx.exe	IpOverUsbSvrc.exe
PID 748 wrote to memory of 4456	748	atiesrx.exe	IpOverUsbSvrc.exe
PID 748 wrote to memory of 4456	748	atiesrx.exe	IpOverUsbSvrc.exe
PID 4164 wrote to memory of 3404	4164	atiesrx.exe	cmd.exe
PID 4164 wrote to memory of 3404	4164	atiesrx.exe	cmd.exe
PID 4164 wrote to memory of 3404	4164	atiesrx.exe	cmd.exe
PID 4164 wrote to memory of 1388	4164	atiesrx.exe	dw20.exe
PID 4164 wrote to memory of 1388	4164	atiesrx.exe	dw20.exe
PID 4164 wrote to memory of 1388	4164	atiesrx.exe	dw20.exe
PID 4164 wrote to memory of 472	4164	atiesrx.exe	vbc.exe
PID 4164 wrote to memory of 472	4164	atiesrx.exe	vbc.exe
PID 4164 wrote to memory of 472	4164	atiesrx.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
"C:\Users\Admin\AppData\Local\Temp\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe
"C:\Users\Admin\AppData\Local\Temp\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9.exe"
3⤵
- Drops startup file
PID:4432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2476
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
3⤵
PID:2528

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atiesrx.exe"
5⤵
- Drops startup file
PID:3404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2352
5⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
5⤵
PID:472

C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\IpOverUsbSvrc.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IpOverUsbSvrc.exe

Filesize
8KB

MD5
54fbde415453f5c9089b49e65bd5f8e7

SHA1
d77b86631f629b52bbebc6e08fbf60c78e8ceab0

SHA256
7d31b70e949833d9f78199848b14307e41da511ca4915c20a8ca61ee8eeeedbf

SHA512
90dbbb3986ab3f4dda4292b580bfac7c97bbf20f68d0be0af271b9bc5e22a4abc326baaf284be005c6460ecc2187b6ca5d015fab55be3b242122436fcf3ee5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
595KB

MD5
22fa3f044edf21da1808efd9138727d2

SHA1
f66f70f4763a9d0dd2ebd0803d2f46d691a338fb

SHA256
88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9

SHA512
19f904d86aac592b1edca4b257c292ed78de219c5007564eb74e587a8d1f0c1de7f2f3a47629445cddb6375cfd2c4e90bea019baadb4b5bb87279b2d52f89f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
595KB

MD5
22fa3f044edf21da1808efd9138727d2

SHA1
f66f70f4763a9d0dd2ebd0803d2f46d691a338fb

SHA256
88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9

SHA512
19f904d86aac592b1edca4b257c292ed78de219c5007564eb74e587a8d1f0c1de7f2f3a47629445cddb6375cfd2c4e90bea019baadb4b5bb87279b2d52f89f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\atiesrx.exe

Filesize
595KB

MD5
22fa3f044edf21da1808efd9138727d2

SHA1
f66f70f4763a9d0dd2ebd0803d2f46d691a338fb

SHA256
88595e929142868e16cd37da00c66a221a908592cac677e8adf325d2bc1207f9

SHA512
19f904d86aac592b1edca4b257c292ed78de219c5007564eb74e587a8d1f0c1de7f2f3a47629445cddb6375cfd2c4e90bea019baadb4b5bb87279b2d52f89f78

Download Submit
memory/472-169-0x0000000000000000-mapping.dmp

Download
memory/748-141-0x0000000000000000-mapping.dmp

Download
memory/748-145-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/748-154-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/1388-167-0x0000000000000000-mapping.dmp

Download
memory/2528-151-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-147-0x0000000000000000-mapping.dmp

Download
memory/2528-148-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2528-150-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2872-156-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2872-137-0x0000000000000000-mapping.dmp

Download
memory/2872-153-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2872-144-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3404-161-0x0000000000000000-mapping.dmp

Download
memory/4012-134-0x0000000000000000-mapping.dmp

Download
memory/4012-152-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4012-135-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4012-140-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4164-165-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4164-157-0x0000000000000000-mapping.dmp

Download
memory/4164-170-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4416-146-0x0000000000000000-mapping.dmp

Download
memory/4432-136-0x0000000000000000-mapping.dmp

Download
memory/4456-160-0x0000000000000000-mapping.dmp

Download
memory/4456-166-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4456-171-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4824-132-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4824-155-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4824-133-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download