8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e

Analysis

max time kernel
181s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe
Size

520KB
MD5

53483255fb4c2554f50bbb62573f6e88
SHA1

c5f9279f3e6942273cb861d364f581c6f6e45379
SHA256

8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e
SHA512

7a77f0812119c86c41094168b5a2c1c05a1cb2675c4ab8b2ac82c63b2e5c2c56be19f174a07da108b04128bd9947f940392f9fb37df532c0d6fbd5cf461eb2e5
SSDEEP

12288:jB5GA6wigctwxaJOri8KuMhEAF/Lc0CTbkwnj3Zz:N5KwTIzJSPK/hHjXoBj3Zz

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jdFfFL.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	loecuu.exe

Executes dropped EXE 10 IoCs

pid	Process
5068	jdFfFL.exe
1996	loecuu.exe
4928	2sag.exe
2632	2sag.exe
2628	2sag.exe
3388	2sag.exe
4836	2sag.exe
4280	2sag.exe
672	3sag.exe
1916	X

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2632-152-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/2632-157-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/2628-158-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2632-155-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/2628-161-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/2628-162-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3388-166-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/3388-169-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4836-172-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3388-171-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4836-175-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4836-177-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/2628-181-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3388-182-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/4836-183-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/2632-187-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	jdFfFL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /f"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /L"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /c"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /m"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /w"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /v"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /N"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /z"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /r"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /B"	jdFfFL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /l"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /e"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /a"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /D"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /s"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /Z"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /j"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /y"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /E"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /W"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /P"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /M"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /b"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /Y"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /K"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /d"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /k"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /V"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /G"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /C"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /I"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /F"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /R"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /S"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /A"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /O"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /U"	loecuu.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /B"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /T"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /t"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /u"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /g"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /X"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /o"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /J"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /i"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /Q"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /p"	loecuu.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	jdFfFL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /h"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /q"	loecuu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loecuu = "C:\\Users\\Admin\\loecuu.exe /n"	loecuu.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2sag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2sag.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 2632	4928	2sag.exe	89
PID 4928 set thread context of 2628	4928	2sag.exe	90
PID 4928 set thread context of 3388	4928	2sag.exe	91
PID 4928 set thread context of 4836	4928	2sag.exe	92
PID 4928 set thread context of 4280	4928	2sag.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	4280	WerFault.exe	93

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4752	tasklist.exe
4476	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5068	jdFfFL.exe
5068	jdFfFL.exe
5068	jdFfFL.exe
5068	jdFfFL.exe
2628	2sag.exe
2628	2sag.exe
3388	2sag.exe
3388	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
672	3sag.exe
672	3sag.exe
1916	X
1916	X
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
3388	2sag.exe
3388	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
2628	2sag.exe
2628	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
1996	loecuu.exe
1996	loecuu.exe
2628	2sag.exe
2628	2sag.exe
2628	2sag.exe
2628	2sag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	tasklist.exe
Token: SeDebugPrivilege	672	3sag.exe
Token: SeDebugPrivilege	672	3sag.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeDebugPrivilege	4752	tasklist.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE
Token: SeShutdownPrivilege	1192	Explorer.EXE
Token: SeCreatePagefilePrivilege	1192	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe
5068	jdFfFL.exe
1996	loecuu.exe
4928	2sag.exe
2632	2sag.exe
4836	2sag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 5068	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	83
PID 4404 wrote to memory of 5068	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	83
PID 4404 wrote to memory of 5068	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	83
PID 5068 wrote to memory of 1996	5068	jdFfFL.exe	84
PID 5068 wrote to memory of 1996	5068	jdFfFL.exe	84
PID 5068 wrote to memory of 1996	5068	jdFfFL.exe	84
PID 5068 wrote to memory of 1360	5068	jdFfFL.exe	85
PID 5068 wrote to memory of 1360	5068	jdFfFL.exe	85
PID 5068 wrote to memory of 1360	5068	jdFfFL.exe	85
PID 4404 wrote to memory of 4928	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	88
PID 4404 wrote to memory of 4928	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	88
PID 4404 wrote to memory of 4928	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	88
PID 1360 wrote to memory of 4476	1360	cmd.exe	87
PID 1360 wrote to memory of 4476	1360	cmd.exe	87
PID 1360 wrote to memory of 4476	1360	cmd.exe	87
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2632	4928	2sag.exe	89
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 2628	4928	2sag.exe	90
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 3388	4928	2sag.exe	91
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4836	4928	2sag.exe	92
PID 4928 wrote to memory of 4280	4928	2sag.exe	93
PID 4928 wrote to memory of 4280	4928	2sag.exe	93
PID 4928 wrote to memory of 4280	4928	2sag.exe	93
PID 4928 wrote to memory of 4280	4928	2sag.exe	93
PID 4404 wrote to memory of 672	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	97
PID 4404 wrote to memory of 672	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	97
PID 4404 wrote to memory of 672	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	97
PID 672 wrote to memory of 1916	672	3sag.exe	98
PID 672 wrote to memory of 1916	672	3sag.exe	98
PID 1916 wrote to memory of 1192	1916	X	53
PID 4404 wrote to memory of 3056	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	101
PID 4404 wrote to memory of 3056	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	101
PID 4404 wrote to memory of 3056	4404	8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe	101
PID 3056 wrote to memory of 4752	3056	cmd.exe	103
PID 3056 wrote to memory of 4752	3056	cmd.exe	103
PID 3056 wrote to memory of 4752	3056	cmd.exe	103
PID 1996 wrote to memory of 4752	1996	loecuu.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1192
- C:\Users\Admin\AppData\Local\Temp\8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe
  "C:\Users\Admin\AppData\Local\Temp\8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\jdFfFL.exe
    C:\Users\Admin\jdFfFL.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\loecuu.exe
      "C:\Users\Admin\loecuu.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del jdFfFL.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
- - C:\Users\Admin\2sag.exe
    C:\Users\Admin\2sag.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\2sag.exe
      "C:\Users\Admin\2sag.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2632
  - - C:\Users\Admin\2sag.exe
      "C:\Users\Admin\2sag.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2628
  - - C:\Users\Admin\2sag.exe
      "C:\Users\Admin\2sag.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:3388
  - - C:\Users\Admin\2sag.exe
      "C:\Users\Admin\2sag.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4836
  - - C:\Users\Admin\2sag.exe
      "C:\Users\Admin\2sag.exe"
      4⤵
      Executes dropped EXE
      PID:4280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 80
        5⤵
        Program crash
        
        PID:5116
- - C:\Users\Admin\3sag.exe
    C:\Users\Admin\3sag.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Users\Admin\AppData\Local\11987549\X
      *0*bc*5f736418*31.193.3.240:53
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 8929e669fe59ef032ea4f0f1c8334c9390b4d07584825539ca2e48ba5000b89e.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4280 -ip 4280
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2sag.exe

Filesize
128KB

MD5
924fe045ea0c544f82d322b9e370da60

SHA1
68ef8b8426fc7f53318cfbf648803aec7429e352

SHA256
480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

SHA512
0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

Download Submit
C:\Users\Admin\2sag.exe

Filesize
128KB

MD5
924fe045ea0c544f82d322b9e370da60

SHA1
68ef8b8426fc7f53318cfbf648803aec7429e352

SHA256
480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

SHA512
0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

Download Submit
C:\Users\Admin\2sag.exe

Filesize
128KB

MD5
924fe045ea0c544f82d322b9e370da60

SHA1
68ef8b8426fc7f53318cfbf648803aec7429e352

SHA256
480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

SHA512
0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

Download Submit
C:\Users\Admin\2sag.exe

Filesize
128KB

MD5
924fe045ea0c544f82d322b9e370da60

SHA1
68ef8b8426fc7f53318cfbf648803aec7429e352

SHA256
480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

SHA512
0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

Download Submit
C:\Users\Admin\2sag.exe

Filesize
128KB

MD5
924fe045ea0c544f82d322b9e370da60

SHA1
68ef8b8426fc7f53318cfbf648803aec7429e352

SHA256
480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

SHA512
0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

Download Submit
C:\Users\Admin\2sag.exe

Filesize
128KB

MD5
924fe045ea0c544f82d322b9e370da60

SHA1
68ef8b8426fc7f53318cfbf648803aec7429e352

SHA256
480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

SHA512
0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

Download Submit
C:\Users\Admin\2sag.exe

Filesize
128KB

MD5
924fe045ea0c544f82d322b9e370da60

SHA1
68ef8b8426fc7f53318cfbf648803aec7429e352

SHA256
480074c9252e605d8d4f80f40cf9d5e50eec6ebe30f414694aaf6375f1884e6d

SHA512
0d29eb10e5a7ca297319943fc017790371f1ac6c419651a89822121c91dda7d137720a7d5d8ee67e0ec457e882b603dbfb9b4f8c755f43b58b1dce0c35490fa2

Download Submit
C:\Users\Admin\3sag.exe

Filesize
279KB

MD5
bc605c3a569330b1b08106d694366d7c

SHA1
71ee2d38c8da32dea44ad2c254a1499b98333a92

SHA256
84205e9b8a9ed3bc40be0cb2fb17d8ab16de65c01c282bdb664846940749661d

SHA512
b70fc535e7638d326e852ab79e5d328d4c5f111b8a8af4b58da01754ecb77465f5c62c3f68c72573a1e4b6345393862f5e6e3b269754fe1feaf5ba8b86c17d4c

Download Submit
C:\Users\Admin\3sag.exe

Filesize
279KB

MD5
bc605c3a569330b1b08106d694366d7c

SHA1
71ee2d38c8da32dea44ad2c254a1499b98333a92

SHA256
84205e9b8a9ed3bc40be0cb2fb17d8ab16de65c01c282bdb664846940749661d

SHA512
b70fc535e7638d326e852ab79e5d328d4c5f111b8a8af4b58da01754ecb77465f5c62c3f68c72573a1e4b6345393862f5e6e3b269754fe1feaf5ba8b86c17d4c

Download Submit
C:\Users\Admin\AppData\Local\11987549\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
C:\Users\Admin\AppData\Local\11987549\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
C:\Users\Admin\jdFfFL.exe

Filesize
216KB

MD5
5a9281e62a888f4ea82402cec883292d

SHA1
b997d0f7f8aecd9730b03f5e5b6b63466890ae94

SHA256
cd3b178a6469ddb3bf95a7425a2dbf77a71cb83d813509dcbc2357263693cd23

SHA512
99f6248391a17417fe6ca166a72203e44e3ebd31d1fd25e5dc45513ebd7d974a73184854c79baaeba59becf702d3f248c33b69361d36f03647dce177c324678b

Download Submit
C:\Users\Admin\jdFfFL.exe

Filesize
216KB

MD5
5a9281e62a888f4ea82402cec883292d

SHA1
b997d0f7f8aecd9730b03f5e5b6b63466890ae94

SHA256
cd3b178a6469ddb3bf95a7425a2dbf77a71cb83d813509dcbc2357263693cd23

SHA512
99f6248391a17417fe6ca166a72203e44e3ebd31d1fd25e5dc45513ebd7d974a73184854c79baaeba59becf702d3f248c33b69361d36f03647dce177c324678b

Download Submit
C:\Users\Admin\loecuu.exe

Filesize
216KB

MD5
e634dd37a620da324782415a754655f2

SHA1
d3afb9ae181cc5ff9407377f064ba254f273cd80

SHA256
a1885254ad8f644a30e80110d07c974504b100c5a54dbc92279da27b42c90f4f

SHA512
7723191cc6112460131a5c94b266a10369e031875e3318927d3acd33b5034aa9c88ab977eacb14c2dfd586fd40cce6b63342bc61a6d5c4cad8a384697e2b9ea3

Download Submit
C:\Users\Admin\loecuu.exe

Filesize
216KB

MD5
e634dd37a620da324782415a754655f2

SHA1
d3afb9ae181cc5ff9407377f064ba254f273cd80

SHA256
a1885254ad8f644a30e80110d07c974504b100c5a54dbc92279da27b42c90f4f

SHA512
7723191cc6112460131a5c94b266a10369e031875e3318927d3acd33b5034aa9c88ab977eacb14c2dfd586fd40cce6b63342bc61a6d5c4cad8a384697e2b9ea3

Download Submit
memory/672-188-0x0000000030670000-0x00000000306C2000-memory.dmp

Filesize
328KB

Download
memory/672-189-0x000000000069F000-0x00000000006D5000-memory.dmp

Filesize
216KB

Download
memory/672-193-0x0000000030670000-0x00000000306C2000-memory.dmp

Filesize
328KB

Download
memory/672-194-0x000000000069F000-0x00000000006D5000-memory.dmp

Filesize
216KB

Download
memory/2628-161-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2628-158-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2628-162-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2628-181-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2632-152-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2632-157-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2632-155-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2632-187-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3388-171-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3388-166-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3388-169-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3388-182-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4836-175-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4836-172-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4836-177-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4836-183-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download