810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
Size

646KB
MD5

259515c81aebddb3d8d8f77c0fed1ec3
SHA1

51148b0a6fe6cef356d57397761e30c891d8908f
SHA256

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9
SHA512

684d46e97b8d02ea7d716227c81adde3f29944020548486f401bd17aa834384c96be52bb68030443f0adf39e5efd8602dc8ef021595ca506fb1b557eb50c7603
SSDEEP

12288:k/dr9yql7Xm+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNWyUdMONUzeosyu4M

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

g6NuH2.exekuorac.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	g6NuH2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kuorac.exe

Executes dropped EXE 6 IoCs

Processes:

g6NuH2.exekuorac.exeadhost.exebdhost.execdhost.exeddhost.exe

pid process

4132 g6NuH2.exe
2844 kuorac.exe
3388 adhost.exe
2664 bdhost.exe
5104 cdhost.exe
2060 ddhost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4764-133-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4764-134-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4764-137-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4764-138-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4764-141-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4764-157-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4764-177-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

g6NuH2.exe810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	g6NuH2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kuorac.exeg6NuH2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /j"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /d"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /h"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /E"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /V"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /P"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /O"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /S"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /y"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /Q"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /F"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /e"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /J"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /f"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /r"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /L"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /A"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /W"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /p"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /H"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /C"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /U"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /D"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /o"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /I"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /z"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /l"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /k"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /x"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /v"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /M"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /Z"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /c"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /n"	kuorac.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	g6NuH2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /g"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /T"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /Y"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /K"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /N"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /s"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /X"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /B"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /A"	g6NuH2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /q"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /i"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /w"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /m"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /b"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /a"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /u"	kuorac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kuorac = "C:\\Users\\Admin\\kuorac.exe /R"	kuorac.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.execdhost.exe

description	pid	process	target process
PID 1460 set thread context of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 5104 set thread context of 4600	5104	cdhost.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4360 2664 WerFault.exe bdhost.exe
1988 4600 WerFault.exe explorer.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2216 tasklist.exe
1108 tasklist.exe

pid	pid_target	process	target process
4360	2664	WerFault.exe	bdhost.exe
1988	4600	WerFault.exe	explorer.exe

pid	process
2216	tasklist.exe
1108	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

g6NuH2.exekuorac.exe

pid	process
4132	g6NuH2.exe
4132	g6NuH2.exe
4132	g6NuH2.exe
4132	g6NuH2.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe
2844	kuorac.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2216 tasklist.exe
Token: SeDebugPrivilege 1108 tasklist.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exeg6NuH2.exekuorac.exeddhost.exe

pid process

4764 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
4132 g6NuH2.exe
2844 kuorac.exe
2060 ddhost.exe

description	pid	process
Token: SeDebugPrivilege	2216	tasklist.exe
Token: SeDebugPrivilege	1108	tasklist.exe

pid	process
4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
4132	g6NuH2.exe
2844	kuorac.exe
2060	ddhost.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exeg6NuH2.execmd.execdhost.execmd.exe

description	pid	process	target process
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 1460 wrote to memory of 4764	1460	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
PID 4764 wrote to memory of 4132	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	g6NuH2.exe
PID 4764 wrote to memory of 4132	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	g6NuH2.exe
PID 4764 wrote to memory of 4132	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	g6NuH2.exe
PID 4132 wrote to memory of 2844	4132	g6NuH2.exe	kuorac.exe
PID 4132 wrote to memory of 2844	4132	g6NuH2.exe	kuorac.exe
PID 4132 wrote to memory of 2844	4132	g6NuH2.exe	kuorac.exe
PID 4132 wrote to memory of 1828	4132	g6NuH2.exe	cmd.exe
PID 4132 wrote to memory of 1828	4132	g6NuH2.exe	cmd.exe
PID 4132 wrote to memory of 1828	4132	g6NuH2.exe	cmd.exe
PID 1828 wrote to memory of 2216	1828	cmd.exe	tasklist.exe
PID 1828 wrote to memory of 2216	1828	cmd.exe	tasklist.exe
PID 1828 wrote to memory of 2216	1828	cmd.exe	tasklist.exe
PID 4764 wrote to memory of 3388	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	adhost.exe
PID 4764 wrote to memory of 3388	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	adhost.exe
PID 4764 wrote to memory of 3388	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	adhost.exe
PID 4764 wrote to memory of 2664	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	bdhost.exe
PID 4764 wrote to memory of 2664	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	bdhost.exe
PID 4764 wrote to memory of 2664	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	bdhost.exe
PID 4764 wrote to memory of 5104	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	cdhost.exe
PID 4764 wrote to memory of 5104	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	cdhost.exe
PID 4764 wrote to memory of 5104	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	cdhost.exe
PID 5104 wrote to memory of 4600	5104	cdhost.exe	explorer.exe
PID 5104 wrote to memory of 4600	5104	cdhost.exe	explorer.exe
PID 5104 wrote to memory of 4600	5104	cdhost.exe	explorer.exe
PID 4764 wrote to memory of 2060	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	ddhost.exe
PID 4764 wrote to memory of 2060	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	ddhost.exe
PID 4764 wrote to memory of 2060	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	ddhost.exe
PID 4764 wrote to memory of 4924	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	cmd.exe
PID 4764 wrote to memory of 4924	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	cmd.exe
PID 4764 wrote to memory of 4924	4764	810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe	cmd.exe
PID 4924 wrote to memory of 1108	4924	cmd.exe	tasklist.exe
PID 4924 wrote to memory of 1108	4924	cmd.exe	tasklist.exe
PID 4924 wrote to memory of 1108	4924	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
"C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\g6NuH2.exe
C:\Users\Admin\g6NuH2.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132

C:\Users\Admin\kuorac.exe
"C:\Users\Admin\kuorac.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Users\Admin\adhost.exe
C:\Users\Admin\adhost.exe
3⤵
- Executes dropped EXE
PID:3388

C:\Users\Admin\bdhost.exe
C:\Users\Admin\bdhost.exe
3⤵
- Executes dropped EXE
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 344
4⤵
- Program crash
PID:4360

C:\Users\Admin\cdhost.exe
C:\Users\Admin\cdhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\explorer.exe
00000124*
4⤵
PID:4600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4600 -s 664
5⤵
- Program crash
PID:1988

C:\Users\Admin\ddhost.exe
C:\Users\Admin\ddhost.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 810dbe7f2e3d279f13e960dc3745fde7269e97d38cb8240da43cd1648fe12cc9.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2664 -ip 2664
1⤵
PID:2288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 4600 -ip 4600
1⤵
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
C:\Users\Admin\adhost.exe

Filesize
172KB

MD5
36fa3dbb1702552896cc677b5bda52dc

SHA1
c87f2707913047dcd2a896896fe2905b08c33985

SHA256
e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74

SHA512
9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\bdhost.exe

Filesize
174KB

MD5
f3e286f3fc9467d3b9e56d41038b17d5

SHA1
3653c381586b01016a56de58d59300e431368162

SHA256
ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f

SHA512
0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d

Download Submit
C:\Users\Admin\cdhost.exe

Filesize
118KB

MD5
4abe6afa1ff995b70ef6511c1f0567ae

SHA1
80935a41582e0fb168c37d2960dce974cab5f0ab

SHA256
fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8

SHA512
bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565

Download Submit
C:\Users\Admin\cdhost.exe

Filesize
118KB

MD5
4abe6afa1ff995b70ef6511c1f0567ae

SHA1
80935a41582e0fb168c37d2960dce974cab5f0ab

SHA256
fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8

SHA512
bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565

Download Submit
C:\Users\Admin\ddhost.exe

Filesize
24KB

MD5
71aecf19a1aec54e3d2c63f945cc6956

SHA1
12213f95739e45881458a7bbb429a0b7b363ccbf

SHA256
c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf

SHA512
a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4

Download Submit
C:\Users\Admin\ddhost.exe

Filesize
24KB

MD5
71aecf19a1aec54e3d2c63f945cc6956

SHA1
12213f95739e45881458a7bbb429a0b7b363ccbf

SHA256
c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf

SHA512
a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
C:\Users\Admin\g6NuH2.exe

Filesize
256KB

MD5
be8379280ac23f08b8b091e1bc345eae

SHA1
bb432b69277aec39e5566ec120d6fd8fe4e0097b

SHA256
caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5

SHA512
d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215

Download Submit
C:\Users\Admin\kuorac.exe

Filesize
256KB

MD5
ba767bae1729cbe009182d83722e1382

SHA1
e80d02e376779bd54e5a75f4551e5df4e45ac61d

SHA256
bdfd2635fe984eb1a33f509d9d3d8fd77b455beaa4315b269e2bb13ae6da8dd8

SHA512
a1a5ba34f05897e3e49fb416a74a5e810c49836842bc3542684683cabc7b5b932cd02f71281644b09368c23e266bdec254b2afec671d4efc89998fa2aea119b4

Download Submit
C:\Users\Admin\kuorac.exe

Filesize
256KB

MD5
ba767bae1729cbe009182d83722e1382

SHA1
e80d02e376779bd54e5a75f4551e5df4e45ac61d

SHA256
bdfd2635fe984eb1a33f509d9d3d8fd77b455beaa4315b269e2bb13ae6da8dd8

SHA512
a1a5ba34f05897e3e49fb416a74a5e810c49836842bc3542684683cabc7b5b932cd02f71281644b09368c23e266bdec254b2afec671d4efc89998fa2aea119b4

Download Submit
memory/1108-178-0x0000000000000000-mapping.dmp

Download
memory/1828-152-0x0000000000000000-mapping.dmp

Download
memory/2060-171-0x0000000000000000-mapping.dmp

Download
memory/2216-153-0x0000000000000000-mapping.dmp

Download
memory/2664-158-0x0000000000000000-mapping.dmp

Download
memory/2844-147-0x0000000000000000-mapping.dmp

Download
memory/3388-154-0x0000000000000000-mapping.dmp

Download
memory/4132-142-0x0000000000000000-mapping.dmp

Download
memory/4600-167-0x0000000000000000-mapping.dmp

Download
memory/4600-170-0x0000000000E10000-0x0000000000E26000-memory.dmp

Filesize
88KB

Download
memory/4764-137-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4764-132-0x0000000000000000-mapping.dmp

Download
memory/4764-141-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4764-133-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4764-177-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4764-157-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4764-134-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4764-138-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4924-176-0x0000000000000000-mapping.dmp

Download
memory/5104-165-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5104-169-0x0000000000450000-0x000000000046B000-memory.dmp

Filesize
108KB

Download
memory/5104-168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5104-166-0x0000000000450000-0x000000000046B000-memory.dmp

Filesize
108KB

Download
memory/5104-161-0x0000000000000000-mapping.dmp

Download