Analysis
max time kernel: 152s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 01:05
Static task: static1
Behavioral task: behavioral1
  Sample: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
  Resource: win10v2004-20220812-en
General
Target: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
Size: 646KB
MD5: 259515c81aebddb3d8d8f77c0fed1ec3
SHA1: 51148b0a6fe6cef356d57397761e30c891d8908f
SHA256: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9
SHA512: 684d46e97b8d02ea7d716227c81adde3f29944020548486f401bd17aa834384c96be52bb68030443f0adf39e5efd8602dc8ef021595ca506fb1b557eb50c7603
SSDEEP: 12288:k/dr9yql7Xm+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNWyUdMONUzeosyu4M
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: g6NuH2.exe, kuorac.exe
  description      ioc                                                                                                                                        process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  g6NuH2.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  kuorac.exe
Executes dropped EXE (6 IoCs)
Processes: g6NuH2.exe, kuorac.exe, adhost.exe, bdhost.exe, cdhost.exe, ddhost.exe
  pid   process
  4132  g6NuH2.exe
  2844  kuorac.exe
  3388  adhost.exe
  2664  bdhost.exe
  5104  cdhost.exe
  2060  ddhost.exe
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4764-133-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
  behavioral2/memory/4764-134-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
  behavioral2/memory/4764-137-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
  behavioral2/memory/4764-138-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
  behavioral2/memory/4764-141-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
  behavioral2/memory/4764-157-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
  behavioral2/memory/4764-177-0x0000000000400000-0x00000000004C4000-memory.dmp  upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: g6NuH2.exe, 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
  description        ioc                                                                                            process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  g6NuH2.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
Processes: kuorac.exe, g6NuH2.exe
  Every "Set value (str)" entry below writes the same value name, \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac, and differs only in the command-line switch appended to "C:\\Users\\Admin\\kuorac.exe"; the switches are listed in the order the report gives them.
  description      ioc                                                                                                                       process
  Set value (str)  ...\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe <switch>", one entry per switch:                                             kuorac.exe
                   /j /d /h /E /V /P /O /S /y /Q /F /e /J /f /r /L /A /W /p /H /C /U /D /o /I /z /l /k /x /v /M /Z /c /n   (34 entries)
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\                g6NuH2.exe
  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\                kuorac.exe
  Set value (str)  ...\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe <switch>", one entry per switch:                                             kuorac.exe
                   /g /T /Y /K /N /s /X /B   (8 entries)
  Set value (str)  ...\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /A"                                                                          g6NuH2.exe
  Set value (str)  ...\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe <switch>", one entry per switch:                                             kuorac.exe
                   /q /i /w /m /b /a /u /R   (8 entries)
Suspicious use of SetThreadContext (2 IoCs)
Processes: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe, cdhost.exe
  description                           pid   process                                                                 target process
  PID 1460 set thread context of 4764   1460  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
  PID 5104 set thread context of 4600   5104  cdhost.exe                                                              explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
  pid   pid_target  process       target process
  4360  2664        WerFault.exe  bdhost.exe
  1988  4600        WerFault.exe  explorer.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
Processes: tasklist.exe, tasklist.exe
  pid   process
  2216  tasklist.exe
  1108  tasklist.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: g6NuH2.exe, kuorac.exe
  pid   process      entries
  4132  g6NuH2.exe   4
  2844  kuorac.exe   the remaining 60 of the 64 reported
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: tasklist.exe, tasklist.exe
  description              pid   process
  Token: SeDebugPrivilege  2216  tasklist.exe
  Token: SeDebugPrivilege  1108  tasklist.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe, g6NuH2.exe, kuorac.exe, ddhost.exe
  pid   process
  4764  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
  4132  g6NuH2.exe
  2844  kuorac.exe
  2060  ddhost.exe
Suspicious use of WriteProcessMemory (41 IoCs)
Processes: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe, 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe, g6NuH2.exe, cmd.exe, cdhost.exe, cmd.exe
  Each row is reported the number of times shown in the last column; rows are in the order the report gives them.
  description                      pid   process                                                                 target process                                                          entries
  PID 1460 wrote to memory of 4764  1460  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  8
  PID 4764 wrote to memory of 4132  4764  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  g6NuH2.exe                                                              3
  PID 4132 wrote to memory of 2844  4132  g6NuH2.exe                                                              kuorac.exe                                                              3
  PID 4132 wrote to memory of 1828  4132  g6NuH2.exe                                                              cmd.exe                                                                 3
  PID 1828 wrote to memory of 2216  1828  cmd.exe                                                                 tasklist.exe                                                            3
  PID 4764 wrote to memory of 3388  4764  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  adhost.exe                                                              3
  PID 4764 wrote to memory of 2664  4764  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  bdhost.exe                                                              3
  PID 4764 wrote to memory of 5104  4764  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  cdhost.exe                                                              3
  PID 5104 wrote to memory of 4600  5104  cdhost.exe                                                              explorer.exe                                                            3
  PID 4764 wrote to memory of 2060  4764  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  ddhost.exe                                                              3
  PID 4764 wrote to memory of 4924  4764  810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe  cmd.exe                                                                 3
  PID 4924 wrote to memory of 1108  4924  cmd.exe                                                                 tasklist.exe                                                            3
Processes
Process tree, indented by depth; each entry gives the image path, the command line as recorded, the PID and the signatures that fired on it.

- C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe"
  PID: 1460
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
    Command line: 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
    PID: 4764
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\g6NuH2.exe
      Command line: C:\Users\Admin\g6NuH2.exe
      PID: 4132
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\kuorac.exe
        Command line: "C:\Users\Admin\kuorac.exe"
        PID: 2844
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
        PID: 1828
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          PID: 2216
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\adhost.exe
      Command line: C:\Users\Admin\adhost.exe
      PID: 3388
      - Executes dropped EXE
    - C:\Users\Admin\bdhost.exe
      Command line: C:\Users\Admin\bdhost.exe
      PID: 2664
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 344
        PID: 4360
        - Program crash
    - C:\Users\Admin\cdhost.exe
      Command line: C:\Users\Admin\cdhost.exe
      PID: 5104
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\explorer.exe
        Command line: 00000124*
        PID: 4600
        - C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 4600 -s 664
          PID: 1988
          - Program crash
    - C:\Users\Admin\ddhost.exe
      Command line: C:\Users\Admin\ddhost.exe
      PID: 2060
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
      PID: 4924
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        PID: 1108
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2664 -ip 2664
  PID: 2288
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 536 -p 4600 -ip 4600
  PID: 664
Network
MITRE ATT&CK Enterprise v6
Downloads
Each file below is listed twice in the report with identical size and hashes; the repeat entries are collapsed here.

- Filesize: 172KB
  MD5: 36fa3dbb1702552896cc677b5bda52dc
  SHA1: c87f2707913047dcd2a896896fe2905b08c33985
  SHA256: e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74
  SHA512: 9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53
- Filesize: 174KB
  MD5: f3e286f3fc9467d3b9e56d41038b17d5
  SHA1: 3653c381586b01016a56de58d59300e431368162
  SHA256: ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f
  SHA512: 0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d
- Filesize: 118KB
  MD5: 4abe6afa1ff995b70ef6511c1f0567ae
  SHA1: 80935a41582e0fb168c37d2960dce974cab5f0ab
  SHA256: fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8
  SHA512: bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565
- Filesize: 24KB
  MD5: 71aecf19a1aec54e3d2c63f945cc6956
  SHA1: 12213f95739e45881458a7bbb429a0b7b363ccbf
  SHA256: c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf
  SHA512: a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4
- Filesize: 256KB
  MD5: be8379280ac23f08b8b091e1bc345eae
  SHA1: bb432b69277aec39e5566ec120d6fd8fe4e0097b
  SHA256: caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5
  SHA512: d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215
- Filesize: 256KB
  MD5: ba767bae1729cbe009182d83722e1382
  SHA1: e80d02e376779bd54e5a75f4551e5df4e45ac61d
  SHA256: bdfd2635fe984eb1a33f509d9d3d8fd77b455beaa4315b269e2bb13ae6da8dd8
  SHA512: a1a5ba34f05897e3e49fb416a74a5e810c49836842bc3542684683cabc7b5b932cd02f71281644b09368c23e266bdec254b2afec671d4efc89998fa2aea119b4