226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
Size

390KB
MD5

b68133a1122e9a09dc4d8e44fab79854
SHA1

143be0b1ffca3bda45a97bd5a10442e28479f7ae
SHA256

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca
SHA512

8e29524275e07803979be45a84486ed21698cf0298d772ad3b67857653f638c83af71319b7543ab00a9016dd988fee4358372fa7d13874c355be066b6b16afcd
SSDEEP

6144:d8yv/rArj9vYljMNW30YGzFufPXK6j/URrlKRpYo80Vla6E:GMqj9wS3YG5uK4/p7y

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

axfu.exeaxfu.exe

pid process

1812 axfu.exe
276 axfu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

680 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe

pid process

1916 226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe

pid	process
1812	axfu.exe
276	axfu.exe

pid	process
680	cmd.exe

pid	process
1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

axfu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yqurla = "C:\\Users\\Admin\\AppData\\Roaming\\Owbu\\axfu.exe"	axfu.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	axfu.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	axfu.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exeaxfu.exe

description	pid	process	target process
PID 1632 set thread context of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 set thread context of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1812 set thread context of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 set thread context of 276	1812	axfu.exe	axfu.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exeaxfu.exeaxfu.exe

pid	process
1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
1812	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe
276	axfu.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exeaxfu.exe

description	pid	process
Token: SeDebugPrivilege	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
Token: SeSecurityPrivilege	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
Token: SeSecurityPrivilege	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
Token: SeDebugPrivilege	1812	axfu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exeaxfu.exe

description	pid	process	target process
PID 1632 wrote to memory of 724	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 724	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 724	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 724	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 1308	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 1308	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 1308	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 1308	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	CMD.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1380	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	AppLaunch.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1632 wrote to memory of 1916	1632	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
PID 1916 wrote to memory of 1812	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	axfu.exe
PID 1916 wrote to memory of 1812	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	axfu.exe
PID 1916 wrote to memory of 1812	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	axfu.exe
PID 1916 wrote to memory of 1812	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	axfu.exe
PID 1812 wrote to memory of 1344	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 1344	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 1344	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 1344	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 1356	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 1356	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 1356	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 1356	1812	axfu.exe	CMD.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 304	1812	axfu.exe	AppLaunch.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1812 wrote to memory of 276	1812	axfu.exe	axfu.exe
PID 1916 wrote to memory of 680	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	cmd.exe
PID 1916 wrote to memory of 680	1916	226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
"C:\Users\Admin\AppData\Local\Temp\226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\CMD.exe
"CMD"
3⤵
PID:724

C:\Windows\SysWOW64\CMD.exe
"CMD"
3⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
3⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe
"C:\Users\Admin\AppData\Local\Temp\226b047827bef9374f2a558579ad1c555178d1c6f91d4767cf0becda87a2d8ca.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\Owbu\axfu.exe
"C:\Users\Admin\AppData\Roaming\Owbu\axfu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\CMD.exe
"CMD"
5⤵
PID:1344

C:\Windows\SysWOW64\CMD.exe
"CMD"
5⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
5⤵
PID:304

C:\Users\Admin\AppData\Roaming\Owbu\axfu.exe
"C:\Users\Admin\AppData\Roaming\Owbu\axfu.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa9151608.bat"
4⤵
- Deletes itself
PID:680

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
1KB

MD5
e8866d725021f499e976a858b36b16e0

SHA1
faf2edc4733e24711c30219a18d548e637a3a539

SHA256
6f963398ecbd90ca076430a8e250859c88b92b73f6f79bee081498b73510fcc8

SHA512
c0bdebc6be4656e204506904e43b5a6a618cda42a4c878d33f4d4cb3014784c53193b669e8e0a7bd64d2d4ec9b220aef55e7dfca7cf1814b974fe21f36a1ce1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_6CBB9466BA06F83E2C38480E2BC53BFA
Filesize
510B

MD5
379c28a0ce543675e18bfc0cb3337764

SHA1
d9f8c4449235a843fabc40ef9fe91424b50fc2b2

SHA256
8523d9783ba28ea3c8ea9b5924f69ee0c9e18d25ad45b49660600668e92657fd

SHA512
76b6f88a77097dd2019a826f56304ea957f1b6942ab88818f6a2bd45ad8372244ebbec08fd1147f2fc32352d981c0834e3ffc62bca83d5f5f4851bad902536a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a1053265a185d4ecf68f84cdbaf47b18

SHA1
2ac8b7c73b9a0496f5d95f7d82e303150d4d4836

SHA256
d13a2d5be1994f4b314ba0b81780f0fab2ae31bb986e5df69a4e47cd149fcdc9

SHA512
b35dca9596bb989ab22de486ebb4bcf989e5b136a6909a9893bfb1d48355a47782a268837540e26bee3434edc103764e57a664f026c31d9fe31a97bcb87c90b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
500B

MD5
f55e0aa771943f1222bcc4de4cae0c7c

SHA1
101be239a83a9f3de3836f42885a0ba56ece0b10

SHA256
8e38e9093617cda6be14005baa460aacc9538f9d8d630f967de77196ffb181f6

SHA512
c67d30a5b6de95e1e3665195b6bae87db4b92b7c760e0a5a91b954d67ddea1fad6ae26afed59cb730a0e083e76783db843a7f736b50c039b33a047d637179782

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_6CBB9466BA06F83E2C38480E2BC53BFA
Filesize
482B

MD5
bfe2eba579282e85523e37ffd1e472d4

SHA1
8d7c854f155c181c721d1007a731ac368ba0367b

SHA256
7f26e4998b4416a5a048078ce07313c093a1aa0809e45e651e695d6787e4f66a

SHA512
dbe67e6cb01653edcc873b769dbd8d868bc70cac7ad17fa66ce1d435b1126ae3a57e24f9f3e990df47c58c774c3dacf4f2cda1419acae09aa3a23bc21821c0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa9151608.bat
Filesize
307B

MD5
00b9c39d752a53bb9a9e760d90061196

SHA1
9584b025b0f43c8aa91ae805778a15fb2c0b7637

SHA256
ae86e11077e1637352ab89ff9c4820dd1aeefaa0f1aa23b2892894a5e2fd25fa

SHA512
53b543dc06fe335b957f8d976f99151662e81e8e12a32a95086caf3d62061680d4ddaa939a02590f38576a9b6989296bef75ed1cb3790bbdf3457f645d8af5fc

Download Submit
C:\Users\Admin\AppData\Roaming\Owbu\axfu.exe
Filesize
390KB

MD5
f9970b20256ca78d4dfbafdfa40f54f9

SHA1
7cb68b3e8e5b06bc20b92a5b53a121b8101323e1

SHA256
cfb721a6e7a500e3aacf20d3de371dee9b452f15a7f24a33f81ff63cd9325506

SHA512
3ba1dfd6262e5a83c47b7e3ab17c98796d0d586d527f547376bb265284403b18a1df5a5b66d45f72cff42f32c9a4634038afb6d613359136ae8bd710d5b54d55

Download Submit
C:\Users\Admin\AppData\Roaming\Owbu\axfu.exe
Filesize
390KB

MD5
f9970b20256ca78d4dfbafdfa40f54f9

SHA1
7cb68b3e8e5b06bc20b92a5b53a121b8101323e1

SHA256
cfb721a6e7a500e3aacf20d3de371dee9b452f15a7f24a33f81ff63cd9325506

SHA512
3ba1dfd6262e5a83c47b7e3ab17c98796d0d586d527f547376bb265284403b18a1df5a5b66d45f72cff42f32c9a4634038afb6d613359136ae8bd710d5b54d55

Download Submit
C:\Users\Admin\AppData\Roaming\Owbu\axfu.exe
Filesize
390KB

MD5
f9970b20256ca78d4dfbafdfa40f54f9

SHA1
7cb68b3e8e5b06bc20b92a5b53a121b8101323e1

SHA256
cfb721a6e7a500e3aacf20d3de371dee9b452f15a7f24a33f81ff63cd9325506

SHA512
3ba1dfd6262e5a83c47b7e3ab17c98796d0d586d527f547376bb265284403b18a1df5a5b66d45f72cff42f32c9a4634038afb6d613359136ae8bd710d5b54d55

Download Submit
\Users\Admin\AppData\Roaming\Owbu\axfu.exe
Filesize
390KB

MD5
f9970b20256ca78d4dfbafdfa40f54f9

SHA1
7cb68b3e8e5b06bc20b92a5b53a121b8101323e1

SHA256
cfb721a6e7a500e3aacf20d3de371dee9b452f15a7f24a33f81ff63cd9325506

SHA512
3ba1dfd6262e5a83c47b7e3ab17c98796d0d586d527f547376bb265284403b18a1df5a5b66d45f72cff42f32c9a4634038afb6d613359136ae8bd710d5b54d55

Download Submit
memory/276-133-0x000000000042B055-mapping.dmp

Download
memory/276-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/276-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/276-164-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/304-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/304-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/304-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/304-114-0x000000000042B055-mapping.dmp

Download
memory/680-138-0x0000000000000000-mapping.dmp

Download
memory/724-56-0x0000000000000000-mapping.dmp

Download
memory/1308-57-0x0000000000000000-mapping.dmp

Download
memory/1344-105-0x0000000000000000-mapping.dmp

Download
memory/1356-106-0x0000000000000000-mapping.dmp

Download
memory/1380-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-72-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-65-0x000000000042B055-mapping.dmp

Download
memory/1380-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-74-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1632-85-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1632-55-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-95-0x0000000000000000-mapping.dmp

Download
memory/1812-124-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1812-136-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1916-91-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-86-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-92-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-93-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-82-0x000000000042B055-mapping.dmp

Download