4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af

Analysis

max time kernel
253s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe
Size

817KB
MD5

6550afacc9073740b683222981b693b3
SHA1

f62fdcdeb5e791157c1471e9694e8c8173abeafe
SHA256

4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af
SHA512

f2e1be19ee9897a677db84cef6be86bfc078979f1faec9efe996bc8c999d01991d2e3ea1dfd04303b03080757b37d50ff950831f21e9270e7a7b4339bdae4b1c
SSDEEP

24576:iFszWS5ZOKpLURv9Ss8yuUBYxbTGFL0RHSiCh7AmxH2:ibKZ0v9mcp6g2

Score

9^/10

aspackv2 persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\stxoDx.dll	acprotect

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CDClient.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\CDClient.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\DF2701\ppsrJCJ.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\DF2701\ppsrJCJ.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\DF2701\rDFyyIw.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\DF2701\rDFyyIw.dll	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

CDClient.exe

pid process

3512 CDClient.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CDClient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CDClient64.sys\ImagePath = "\\??\\C:\\Windows\\CDClient64.sys"	CDClient.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\stxoDx.dll	upx
behavioral2/memory/3512-147-0x0000000071590000-0x00000000715B3000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe

Loads dropped DLL 5 IoCs

Processes:

CDClient.exe

pid process

3512 CDClient.exe
3512 CDClient.exe
3512 CDClient.exe
3512 CDClient.exe
3512 CDClient.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 4 IoCs

Processes:

CDClient.exe

description	ioc	process
File created	C:\Windows\SysWOW64\stxoDx.dll	CDClient.exe
File created	C:\Windows\SysWOW64\820D1.dat	CDClient.exe
File created	C:\Windows\SysWOW64\092708.bat	CDClient.exe
File created	C:\Windows\SysWOW64\092732.bat	CDClient.exe

Drops file in Windows directory 1 IoCs

Processes:

CDClient.exe

description ioc process

File created C:\Windows\CDClient64.sys CDClient.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\CDClient64.sys	CDClient.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXECDClient.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\so.com\Total = "26"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions	CDClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	CDClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998905"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9150AD1C-6D6C-11ED-BF5F-5EDCA19B148A} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1746548340"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998905"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\so.com	IEXPLORE.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	CDClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1746548340"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1748891436"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}	CDClient.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	CDClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998905"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.so.com\ = "26"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\so.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "26"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}	CDClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998905"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1748891436"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\so.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.so.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

CDClient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	CDClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.sogou.com/index.htm?pid=sogou-netb-5ac8bb8a7d745102-0001"	CDClient.exe

Modifies registry class 7 IoCs

Processes:

CDClient.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	CDClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	CDClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	CDClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	CDClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	CDClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	CDClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	CDClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CDClient.exe

pid	process
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe
3512	CDClient.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

CDClient.exe

pid process

3512 CDClient.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

CDClient.exe

description	pid	process
Token: SeDebugPrivilege	3512	CDClient.exe
Token: SeLoadDriverPrivilege	3512	CDClient.exe
Token: 33	3512	CDClient.exe
Token: SeIncBasePriorityPrivilege	3512	CDClient.exe
Token: 33	3512	CDClient.exe
Token: SeIncBasePriorityPrivilege	3512	CDClient.exe
Token: 33	3512	CDClient.exe
Token: SeIncBasePriorityPrivilege	3512	CDClient.exe
Token: 33	3512	CDClient.exe
Token: SeIncBasePriorityPrivilege	3512	CDClient.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2960 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

CDClient.exeIEXPLORE.EXEIEXPLORE.EXE

pid process

3512 CDClient.exe
3512 CDClient.exe
2960 IEXPLORE.EXE
2960 IEXPLORE.EXE
3340 IEXPLORE.EXE
3340 IEXPLORE.EXE
3340 IEXPLORE.EXE
3340 IEXPLORE.EXE

pid	process
2960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exeCDClient.execmd.exe

description	pid	process	target process
PID 3756 wrote to memory of 3512	3756	4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe	CDClient.exe
PID 3756 wrote to memory of 3512	3756	4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe	CDClient.exe
PID 3756 wrote to memory of 3512	3756	4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe	CDClient.exe
PID 3512 wrote to memory of 2696	3512	CDClient.exe	cmd.exe
PID 3512 wrote to memory of 2696	3512	CDClient.exe	cmd.exe
PID 3512 wrote to memory of 2696	3512	CDClient.exe	cmd.exe
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 2696 wrote to memory of 956	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 956	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 956	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 4044	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 4044	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 4044	2696	cmd.exe	cmd.exe
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE
PID 3512 wrote to memory of 2532	3512	CDClient.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2532
- C:\Users\Admin\AppData\Local\Temp\4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe
  "C:\Users\Admin\AppData\Local\Temp\4a3faf2f6568815ef1c98e3c7ae8f30fa595748ee89ab95bf391c55c9d02f7af.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\CDClient.exe
    "C:\Users\Admin\AppData\Local\Temp\CDClient.exe"
    3⤵
    - Executes dropped EXE
    - Sets service image path in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\092708.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
        5⤵
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
        5⤵
        
        PID:4044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\092732.bat
      4⤵
      PID:3984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
        5⤵
        
        PID:3144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
        5⤵
        
        PID:1820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      http://www.so.com
      4⤵
      PID:4004
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.so.com
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2960
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
246B

MD5
11b35e403fbca63bec01e1e6cd973493

SHA1
1d64e36ebe3f65cc03299da29a3085267ecdb312

SHA256
665a8119baf12b5ba87d989eefbe9f2e3eff7cac2af0cd55ddd175cb736cdcad

SHA512
ded6c259ad7fb086c4efdd0d70bd88ea70f5fa9a1930a0e97d060644f3ff4e5e8a1fd1822599f40b032503482d69734be004d1e10f6b381077a2c29ca28bc206

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDClient.exe

Filesize
726KB

MD5
7fc1aea7e0dfbcc01a66d71d40361526

SHA1
59e013d6e8057040617863fa8e608c06aa2a89db

SHA256
de887f3306edd61d58683e294b807812080099d8c6d16fc63fcae06f13f5403f

SHA512
d02821910683489d65ab9f267cb7a9d8dada96b930d40f1e5072681c2b3b7db56f539d0376027d073a8712f36d9e15a55cf7518bba3f10df171dfb559d42afa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDClient.exe

Filesize
726KB

MD5
7fc1aea7e0dfbcc01a66d71d40361526

SHA1
59e013d6e8057040617863fa8e608c06aa2a89db

SHA256
de887f3306edd61d58683e294b807812080099d8c6d16fc63fcae06f13f5403f

SHA512
d02821910683489d65ab9f267cb7a9d8dada96b930d40f1e5072681c2b3b7db56f539d0376027d073a8712f36d9e15a55cf7518bba3f10df171dfb559d42afa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2701\ppsrJCJ.dll

Filesize
594KB

MD5
4b236ba3d674066e792a9d51700a3ce9

SHA1
079cded909cfe7d7c73a39d22e514f8af060a1ed

SHA256
eae10dd2beca649bbfd1c8f41028fb24eaa2e7406ba4aca9e93c7e7791bd31de

SHA512
0c7685b1063d0556bb1b6a29d9ce1b2d92fdce50c1b690d48e9528791a1bc3e83c79258e12a1c1a5412bd21dd2bb0fc9de991ae2de831bdde08bf3c1f5d29a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2701\ppsrJCJ.dll

Filesize
594KB

MD5
4b236ba3d674066e792a9d51700a3ce9

SHA1
079cded909cfe7d7c73a39d22e514f8af060a1ed

SHA256
eae10dd2beca649bbfd1c8f41028fb24eaa2e7406ba4aca9e93c7e7791bd31de

SHA512
0c7685b1063d0556bb1b6a29d9ce1b2d92fdce50c1b690d48e9528791a1bc3e83c79258e12a1c1a5412bd21dd2bb0fc9de991ae2de831bdde08bf3c1f5d29a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2701\rDFyyIw.dll

Filesize
545KB

MD5
cb2bef431de55af9a7a89e34685f11d2

SHA1
7dd2bad9c51428b078f2652020de7b16bd8863eb

SHA256
961cdf8d6e7a4328637ff7626aec0961bb383d4aa0af28517661ac54a4db85fa

SHA512
178ea54e4cd120a95900eacf56b0da294690d635f0c063d2565d81fdfac1040b1b44d1c66df39e45d57678e9a979b2e59f62c76f0be31c30e06d11e102c82b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF2701\rDFyyIw.dll

Filesize
545KB

MD5
cb2bef431de55af9a7a89e34685f11d2

SHA1
7dd2bad9c51428b078f2652020de7b16bd8863eb

SHA256
961cdf8d6e7a4328637ff7626aec0961bb383d4aa0af28517661ac54a4db85fa

SHA512
178ea54e4cd120a95900eacf56b0da294690d635f0c063d2565d81fdfac1040b1b44d1c66df39e45d57678e9a979b2e59f62c76f0be31c30e06d11e102c82b4c

Download Submit
C:\Windows\SysWOW64\092708.bat

Filesize
5KB

MD5
ad0d80bf6b4292dbada25f7f8fd6556c

SHA1
40133d1dea9905bf406fb88efcb57cd693e6cf43

SHA256
081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

SHA512
76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

Download Submit
C:\Windows\SysWOW64\092732.bat

Filesize
5KB

MD5
ad0d80bf6b4292dbada25f7f8fd6556c

SHA1
40133d1dea9905bf406fb88efcb57cd693e6cf43

SHA256
081f45a04b555b2406e5b63afbcdba4e564c3157e7d3720d21e8f53d2127bae1

SHA512
76eaacabecaaed7b4eb53fbc5db4d53b15ccdbe6526119346dc444e932cc1ebfffb74b0df3f54c85168d72082f9017802e9775bc178a58fcac0ab3c1ddb519cb

Download Submit
C:\Windows\SysWOW64\stxoDx.dll

Filesize
63KB

MD5
fd8d4e1d20d085593e26e4fb879aac1f

SHA1
dd233f681bd4807851963736fe4554e152d06793

SHA256
39c865da0e189d296eae8838d9240aefadfd63507b070fa0e6803910a51202f3

SHA512
dee6185217cf4b9bfc1fb526ec365de67294f8ddeea95eaa5f72628731b52136cc2fa703a84cf35a22a32b870bbeb1f068192336474880c03c879380e7eac317

Download Submit
memory/956-141-0x0000000000000000-mapping.dmp

Download
memory/1820-148-0x0000000000000000-mapping.dmp

Download
memory/2696-139-0x0000000000000000-mapping.dmp

Download
memory/3144-146-0x0000000000000000-mapping.dmp

Download
memory/3512-132-0x0000000000000000-mapping.dmp

Download
memory/3512-147-0x0000000071590000-0x00000000715B3000-memory.dmp

Filesize
140KB

Download
memory/3984-143-0x0000000000000000-mapping.dmp

Download
memory/4044-142-0x0000000000000000-mapping.dmp

Download