19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
Size

804KB
MD5

215a73694f6bf62eeb0914c9c7a9e14a
SHA1

6b10634feb8c3ecf7ea30e082611afc0d5f02507
SHA256

19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7
SHA512

7db0879b93987fbb94cc432900a30e42ed304cd172f96e78b629184c3378db17058f8adca5d3cb9b57c5273e59875753711326184c95c36b75c09e01a8fcc052
SSDEEP

24576:omOMSPEGXtj8ykbNp9njOjAjaeYfso5zOz8:GPvt29nbuegaz8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 15 IoCs

Processes:

svchos.exesvchos.EXEsvchos.eXepjqceo.exepjqceo.EXEpjqceo.eXesnifvm.exesnifvm.EXEsnifvm.eXekipgxl.exekipgxl.EXEkipgxl.eXetnnklr.exetnnklr.EXEtnnklr.eXe

pid	process
3508	svchos.exe
560	svchos.EXE
236	svchos.eXe
3408	pjqceo.exe
4688	pjqceo.EXE
3808	pjqceo.eXe
4972	snifvm.exe
4120	snifvm.EXE
1268	snifvm.eXe
3136	kipgxl.exe
4716	kipgxl.EXE
4524	kipgxl.eXe
4808	tnnklr.exe
2976	tnnklr.EXE
4508	tnnklr.eXe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iciciar = "C:\\WINDOWS\\svchos.exe"	reg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

snifvm.EXEkipgxl.EXEsvchos.EXEtnnklr.EXEpjqceo.EXE

description	ioc	process
File opened (read-only)	\??\U:	snifvm.EXE
File opened (read-only)	\??\Y:	snifvm.EXE
File opened (read-only)	\??\A:	kipgxl.EXE
File opened (read-only)	\??\Q:	svchos.EXE
File opened (read-only)	\??\S:	svchos.EXE
File opened (read-only)	\??\E:	snifvm.EXE
File opened (read-only)	\??\S:	snifvm.EXE
File opened (read-only)	\??\O:	kipgxl.EXE
File opened (read-only)	\??\N:	tnnklr.EXE
File opened (read-only)	\??\B:	pjqceo.EXE
File opened (read-only)	\??\B:	snifvm.EXE
File opened (read-only)	\??\K:	kipgxl.EXE
File opened (read-only)	\??\P:	svchos.EXE
File opened (read-only)	\??\X:	pjqceo.EXE
File opened (read-only)	\??\G:	kipgxl.EXE
File opened (read-only)	\??\V:	tnnklr.EXE
File opened (read-only)	\??\T:	svchos.EXE
File opened (read-only)	\??\U:	svchos.EXE
File opened (read-only)	\??\J:	snifvm.EXE
File opened (read-only)	\??\T:	snifvm.EXE
File opened (read-only)	\??\H:	svchos.EXE
File opened (read-only)	\??\J:	svchos.EXE
File opened (read-only)	\??\R:	svchos.EXE
File opened (read-only)	\??\J:	tnnklr.EXE
File opened (read-only)	\??\F:	kipgxl.EXE
File opened (read-only)	\??\W:	tnnklr.EXE
File opened (read-only)	\??\Z:	tnnklr.EXE
File opened (read-only)	\??\U:	pjqceo.EXE
File opened (read-only)	\??\N:	snifvm.EXE
File opened (read-only)	\??\O:	snifvm.EXE
File opened (read-only)	\??\U:	kipgxl.EXE
File opened (read-only)	\??\G:	svchos.EXE
File opened (read-only)	\??\X:	svchos.EXE
File opened (read-only)	\??\I:	pjqceo.EXE
File opened (read-only)	\??\Z:	snifvm.EXE
File opened (read-only)	\??\Z:	kipgxl.EXE
File opened (read-only)	\??\I:	tnnklr.EXE
File opened (read-only)	\??\P:	tnnklr.EXE
File opened (read-only)	\??\E:	pjqceo.EXE
File opened (read-only)	\??\Z:	pjqceo.EXE
File opened (read-only)	\??\L:	snifvm.EXE
File opened (read-only)	\??\F:	snifvm.EXE
File opened (read-only)	\??\G:	snifvm.EXE
File opened (read-only)	\??\X:	kipgxl.EXE
File opened (read-only)	\??\J:	pjqceo.EXE
File opened (read-only)	\??\K:	pjqceo.EXE
File opened (read-only)	\??\R:	pjqceo.EXE
File opened (read-only)	\??\A:	svchos.EXE
File opened (read-only)	\??\A:	pjqceo.EXE
File opened (read-only)	\??\H:	snifvm.EXE
File opened (read-only)	\??\L:	svchos.EXE
File opened (read-only)	\??\M:	svchos.EXE
File opened (read-only)	\??\V:	svchos.EXE
File opened (read-only)	\??\E:	kipgxl.EXE
File opened (read-only)	\??\I:	kipgxl.EXE
File opened (read-only)	\??\M:	tnnklr.EXE
File opened (read-only)	\??\Z:	svchos.EXE
File opened (read-only)	\??\F:	pjqceo.EXE
File opened (read-only)	\??\Y:	pjqceo.EXE
File opened (read-only)	\??\X:	tnnklr.EXE
File opened (read-only)	\??\W:	svchos.EXE
File opened (read-only)	\??\O:	pjqceo.EXE
File opened (read-only)	\??\L:	tnnklr.EXE
File opened (read-only)	\??\B:	svchos.EXE

Drops file in System32 directory 18 IoCs

Processes:

svchos.eXepjqceo.exekipgxl.eXetnnklr.EXEtnnklr.exetnnklr.eXepjqceo.eXesnifvm.exesnifvm.eXekipgxl.EXEpjqceo.EXEsnifvm.EXEkipgxl.exe

description	ioc	process
File created	C:\Windows\SysWOW64\pjqceo.exe	svchos.eXe
File opened for modification	C:\Windows\SysWOW64\pjqceo.EXE	pjqceo.exe
File opened for modification	C:\Windows\SysWOW64\tnnklr.exe	kipgxl.eXe
File opened for modification	C:\Windows\SysWOW64\tnnklr.eXe	tnnklr.EXE
File opened for modification	C:\Windows\SysWOW64\pjqceo.exe	svchos.eXe
File created	C:\Windows\SysWOW64\tnnklr.exe	kipgxl.eXe
File opened for modification	C:\Windows\SysWOW64\tnnklr.EXE	tnnklr.exe
File created	C:\Windows\SysWOW64\twphdj.exe	tnnklr.eXe
File opened for modification	C:\Windows\SysWOW64\snifvm.exe	pjqceo.eXe
File opened for modification	C:\Windows\SysWOW64\snifvm.EXE	snifvm.exe
File opened for modification	C:\Windows\SysWOW64\kipgxl.exe	snifvm.eXe
File opened for modification	C:\Windows\SysWOW64\kipgxl.eXe	kipgxl.EXE
File opened for modification	C:\Windows\SysWOW64\pjqceo.eXe	pjqceo.EXE
File created	C:\Windows\SysWOW64\snifvm.exe	pjqceo.eXe
File opened for modification	C:\Windows\SysWOW64\snifvm.eXe	snifvm.EXE
File created	C:\Windows\SysWOW64\kipgxl.exe	snifvm.eXe
File opened for modification	C:\Windows\SysWOW64\kipgxl.EXE	kipgxl.exe
File opened for modification	C:\Windows\SysWOW64\twphdj.exe	tnnklr.eXe

Suspicious use of SetThreadContext 10 IoCs

Processes:

svchos.exesvchos.EXEpjqceo.exepjqceo.EXEsnifvm.exesnifvm.EXEkipgxl.exekipgxl.EXEtnnklr.exetnnklr.EXE

description	pid	process	target process
PID 3508 set thread context of 560	3508	svchos.exe	svchos.EXE
PID 560 set thread context of 236	560	svchos.EXE	svchos.eXe
PID 3408 set thread context of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 4688 set thread context of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4972 set thread context of 4120	4972	snifvm.exe	snifvm.EXE
PID 4120 set thread context of 1268	4120	snifvm.EXE	snifvm.eXe
PID 3136 set thread context of 4716	3136	kipgxl.exe	kipgxl.EXE
PID 4716 set thread context of 4524	4716	kipgxl.EXE	kipgxl.eXe
PID 4808 set thread context of 2976	4808	tnnklr.exe	tnnklr.EXE
PID 2976 set thread context of 4508	2976	tnnklr.EXE	tnnklr.eXe

Drops file in Windows directory 9 IoCs

Processes:

svchos.EXE19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exesvchos.exe

description	ioc	process
File opened for modification	C:\WINDOWS\svchos.eXe	svchos.EXE
File created	C:\Windows\Formulario de trabajo.rtf	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
File opened for modification	C:\Windows\Formulario de trabajo.rtf	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
File created	C:\Windows\svchos.exe	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
File opened for modification	C:\Windows\svchos.exe	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
File created	C:\Windows\bat.bat	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
File opened for modification	C:\Windows\bat.bat	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240553546	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
File opened for modification	C:\WINDOWS\svchos.EXE	svchos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchos.EXEpjqceo.EXEsnifvm.EXEkipgxl.EXE

description	pid	process
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	560	svchos.EXE
Token: SeCreatePagefilePrivilege	560	svchos.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4688	pjqceo.EXE
Token: SeCreatePagefilePrivilege	4688	pjqceo.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4120	snifvm.EXE
Token: SeCreatePagefilePrivilege	4120	snifvm.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE
Token: SeShutdownPrivilege	4716	kipgxl.EXE
Token: SeCreatePagefilePrivilege	4716	kipgxl.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

svchos.exesvchos.EXEpjqceo.exepjqceo.EXEsnifvm.exesnifvm.EXEkipgxl.exekipgxl.EXEtnnklr.exetnnklr.EXE

pid	process
3508	svchos.exe
560	svchos.EXE
3408	pjqceo.exe
4688	pjqceo.EXE
4972	snifvm.exe
4120	snifvm.EXE
3136	kipgxl.exe
4716	kipgxl.EXE
4808	tnnklr.exe
2976	tnnklr.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.execmd.exesvchos.exesvchos.EXEsvchos.eXepjqceo.exepjqceo.EXEpjqceo.eXesnifvm.exesnifvm.EXE

description	pid	process	target process
PID 3548 wrote to memory of 3508	3548	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe	svchos.exe
PID 3548 wrote to memory of 3508	3548	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe	svchos.exe
PID 3548 wrote to memory of 3508	3548	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe	svchos.exe
PID 3548 wrote to memory of 2112	3548	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe	cmd.exe
PID 3548 wrote to memory of 2112	3548	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe	cmd.exe
PID 3548 wrote to memory of 2112	3548	19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe	cmd.exe
PID 2112 wrote to memory of 4768	2112	cmd.exe	reg.exe
PID 2112 wrote to memory of 4768	2112	cmd.exe	reg.exe
PID 2112 wrote to memory of 4768	2112	cmd.exe	reg.exe
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 3508 wrote to memory of 560	3508	svchos.exe	svchos.EXE
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 560 wrote to memory of 236	560	svchos.EXE	svchos.eXe
PID 236 wrote to memory of 3408	236	svchos.eXe	pjqceo.exe
PID 236 wrote to memory of 3408	236	svchos.eXe	pjqceo.exe
PID 236 wrote to memory of 3408	236	svchos.eXe	pjqceo.exe
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 3408 wrote to memory of 4688	3408	pjqceo.exe	pjqceo.EXE
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 4688 wrote to memory of 3808	4688	pjqceo.EXE	pjqceo.eXe
PID 3808 wrote to memory of 4972	3808	pjqceo.eXe	snifvm.exe
PID 3808 wrote to memory of 4972	3808	pjqceo.eXe	snifvm.exe
PID 3808 wrote to memory of 4972	3808	pjqceo.eXe	snifvm.exe
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4972 wrote to memory of 4120	4972	snifvm.exe	snifvm.EXE
PID 4120 wrote to memory of 1268	4120	snifvm.EXE	snifvm.eXe
PID 4120 wrote to memory of 1268	4120	snifvm.EXE	snifvm.eXe
PID 4120 wrote to memory of 1268	4120	snifvm.EXE	snifvm.eXe
PID 4120 wrote to memory of 1268	4120	snifvm.EXE	snifvm.eXe
PID 4120 wrote to memory of 1268	4120	snifvm.EXE	snifvm.eXe

C:\Users\Admin\AppData\Local\Temp\19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe
"C:\Users\Admin\AppData\Local\Temp\19edce478b816ebfcb1bb24e17caa7038441a54ce5ffc69252906434be7804f7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3548

C:\WINDOWS\svchos.exe
"C:\WINDOWS\svchos.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508

C:\WINDOWS\svchos.EXE
"C:\WINDOWS\svchos.EXE"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560

C:\WINDOWS\svchos.eXe
"C:\WINDOWS\svchos.eXe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\SysWOW64\pjqceo.exe
C:\Windows\system32\pjqceo.exe 1124 "C:\WINDOWS\svchos.eXe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\pjqceo.EXE
"C:\Windows\SysWOW64\pjqceo.EXE"
6⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\pjqceo.eXe
"C:\Windows\SysWOW64\pjqceo.eXe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\snifvm.exe
C:\Windows\system32\snifvm.exe 1076 "C:\Windows\SysWOW64\pjqceo.eXe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\snifvm.EXE
"C:\Windows\SysWOW64\snifvm.EXE"
9⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\snifvm.eXe
"C:\Windows\SysWOW64\snifvm.eXe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1268

C:\Windows\SysWOW64\kipgxl.exe
C:\Windows\system32\kipgxl.exe 988 "C:\Windows\SysWOW64\snifvm.eXe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Windows\SysWOW64\kipgxl.EXE
"C:\Windows\SysWOW64\kipgxl.EXE"
12⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\SysWOW64\kipgxl.eXe
"C:\Windows\SysWOW64\kipgxl.eXe"
13⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4524

C:\Windows\SysWOW64\tnnklr.exe
C:\Windows\system32\tnnklr.exe 1120 "C:\Windows\SysWOW64\kipgxl.eXe"
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\SysWOW64\tnnklr.EXE
"C:\Windows\SysWOW64\tnnklr.EXE"
15⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\SysWOW64\tnnklr.eXe
"C:\Windows\SysWOW64\tnnklr.eXe"
16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\bat.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v iciciar /t REG_SZ /d "C:\WINDOWS\svchos.exe"
3⤵
- Adds Run key to start application
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\bat.bat
Filesize
119B

MD5
bdcbf0f31339bcccd2efb2b0a7fd8d8b

SHA1
d398cfa675f8ccc5eac9080a9b116345b065c83e

SHA256
b8021f4bd6092e780e5677b1e269ffce9cf0b5926b86c3b5711601dc125c5e8b

SHA512
f3ec0b35a6399394b780809ade68515a1cee946e0bb4bc612be3122f3ffe1d409cf68cb56bf441aa299fb6dbdd1c85b5ea1e6b1449c20ac8039f81dd29bea385

Download Submit
C:\WINDOWS\svchos.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\kipgxl.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\kipgxl.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\kipgxl.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\kipgxl.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\pjqceo.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\pjqceo.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\pjqceo.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\pjqceo.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\snifvm.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\snifvm.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\snifvm.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\snifvm.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\tnnklr.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\tnnklr.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\tnnklr.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\SysWOW64\tnnklr.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\svchos.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\svchos.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
C:\Windows\svchos.exe
Filesize
1.2MB

MD5
945ec24fdec768c77fbb26388c1985fb

SHA1
22849e8a0eb8866834df811631a298b3bbda88e7

SHA256
debe51920fbd7fd212472bb14ccafdd214aae95f49275f2b1e901d40421c453e

SHA512
245a9967ffbf1589181d6f5847d6744a6377e7f53ea5f0136ef2b28271b5b297215343a184f5214bb55c0da5c10fccb6029a7a491c491c0e87b54d0d5b1eefc1

Download Submit
memory/236-159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/236-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/236-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/236-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/236-147-0x0000000000000000-mapping.dmp

Download
memory/560-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/560-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/560-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/560-140-0x0000000000000000-mapping.dmp

Download
memory/1268-193-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-185-0x0000000000000000-mapping.dmp

Download
memory/2112-135-0x0000000000000000-mapping.dmp

Download
memory/2976-227-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2976-215-0x0000000000000000-mapping.dmp

Download
memory/2976-221-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3136-191-0x0000000000000000-mapping.dmp

Download
memory/3408-154-0x0000000000000000-mapping.dmp

Download
memory/3508-132-0x0000000000000000-mapping.dmp

Download
memory/3808-173-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3808-167-0x0000000000000000-mapping.dmp

Download
memory/4120-179-0x0000000000000000-mapping.dmp

Download
memory/4120-190-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4508-228-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4508-222-0x0000000000000000-mapping.dmp

Download
memory/4524-209-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4524-203-0x0000000000000000-mapping.dmp

Download
memory/4688-166-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4688-172-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4688-160-0x0000000000000000-mapping.dmp

Download
memory/4716-208-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4716-197-0x0000000000000000-mapping.dmp

Download
memory/4768-139-0x0000000000000000-mapping.dmp

Download
memory/4808-210-0x0000000000000000-mapping.dmp

Download
memory/4972-174-0x0000000000000000-mapping.dmp

Download