5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Size

377KB
MD5

dd5740ab02491ee1d9a7a1203f37cdd7
SHA1

3cf89c9b5a7ccc00be23e0abbf9626d78c838d43
SHA256

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62
SHA512

2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9
SSDEEP

6144:FKz+Bna2+vRSPFt2XkcXaiV11zGommV1MAP1KY+g6gPeTbUNRsWebimiFRl:F0yadRSNt2XkWai31zGYZb+g6UCbUNRF

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 9 IoCs

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	process
564	services.exe
1536	services.exe
1828	services.exe
1608	services.exe
1604	services.exe
1704	services.exe
1916	services.exe
1080	services.exe
920	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1704-76-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral1/memory/1704-79-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral1/memory/1704-81-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral1/memory/1704-86-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral1/memory/1704-87-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral1/memory/1704-88-0x0000000001610000-0x0000000001705000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

svchost.exe5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe

pid process

592 svchost.exe
592 svchost.exe
992 5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe

pid	process
592	svchost.exe
592	svchost.exe
992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeservices.exe5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exeservices.exeservices.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	services.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	services.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services.exe

description pid process target process

PID 1536 set thread context of 1704 1536 services.exe services.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exeservices.exeservices.exeservices.exe

pid process

992 5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
564 services.exe
1536 services.exe
1704 services.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exeservices.exe

pid process

992 5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
1704 services.exe

description	pid	process	target process
PID 1536 set thread context of 1704	1536	services.exe	services.exe

pid	process
992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
564	services.exe
1536	services.exe
1704	services.exe

pid	process
992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
1704	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exesvchost.exeservices.exeservices.exe

description	pid	process	target process
PID 992 wrote to memory of 592	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 992 wrote to memory of 592	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 992 wrote to memory of 592	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 992 wrote to memory of 592	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 992 wrote to memory of 592	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 992 wrote to memory of 1624	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1624	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1624	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1624	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 816	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 816	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 816	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 816	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1328	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1328	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1328	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1328	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 876	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 876	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 876	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 876	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1344	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1344	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1344	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1344	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1236	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1236	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1236	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1236	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 108	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 108	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 108	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 108	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 592 wrote to memory of 564	592	svchost.exe	services.exe
PID 592 wrote to memory of 564	592	svchost.exe	services.exe
PID 592 wrote to memory of 564	592	svchost.exe	services.exe
PID 592 wrote to memory of 564	592	svchost.exe	services.exe
PID 992 wrote to memory of 1052	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1052	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1052	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 992 wrote to memory of 1052	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 564 wrote to memory of 1828	564	services.exe	services.exe
PID 564 wrote to memory of 1828	564	services.exe	services.exe
PID 564 wrote to memory of 1828	564	services.exe	services.exe
PID 564 wrote to memory of 1828	564	services.exe	services.exe
PID 992 wrote to memory of 1536	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	services.exe
PID 992 wrote to memory of 1536	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	services.exe
PID 992 wrote to memory of 1536	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	services.exe
PID 992 wrote to memory of 1536	992	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	services.exe
PID 564 wrote to memory of 1608	564	services.exe	services.exe
PID 564 wrote to memory of 1608	564	services.exe	services.exe
PID 564 wrote to memory of 1608	564	services.exe	services.exe
PID 564 wrote to memory of 1608	564	services.exe	services.exe
PID 564 wrote to memory of 1604	564	services.exe	services.exe
PID 564 wrote to memory of 1604	564	services.exe	services.exe
PID 564 wrote to memory of 1604	564	services.exe	services.exe
PID 564 wrote to memory of 1604	564	services.exe	services.exe
PID 1536 wrote to memory of 1704	1536	services.exe	services.exe
PID 1536 wrote to memory of 1704	1536	services.exe	services.exe
PID 1536 wrote to memory of 1704	1536	services.exe	services.exe
PID 1536 wrote to memory of 1704	1536	services.exe	services.exe
PID 564 wrote to memory of 1916	564	services.exe	services.exe
PID 564 wrote to memory of 1916	564	services.exe	services.exe
PID 564 wrote to memory of 1916	564	services.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
"C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Roaming\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Windows\services.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
4⤵
- Executes dropped EXE
PID:1828

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
4⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
4⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
4⤵
- Executes dropped EXE
PID:1916

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
4⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
4⤵
- Executes dropped EXE
PID:920

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:1052

C:\Users\Admin\AppData\Roaming\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.dat
Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.nfo
Filesize
3KB

MD5
35d9c64937aa6ee34dba886e93ec7321

SHA1
3eb12cb1e6564087b1d4c4e4e75dbba1f3341285

SHA256
ce8b9983b00c9b545d45c26cc8f95c70b555a439b8887ba9b6fa2183b0ccc91d

SHA512
8a0da28b99d3aadb1239bb1ba7db7e307c11ba8479a917b779dc0453d1cd688e91dfc17631126c78659a67ebfd490aebb6ddeb0a2cf9e1ec11af8c7362ad5f55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.nfo
Filesize
3KB

MD5
35d9c64937aa6ee34dba886e93ec7321

SHA1
3eb12cb1e6564087b1d4c4e4e75dbba1f3341285

SHA256
ce8b9983b00c9b545d45c26cc8f95c70b555a439b8887ba9b6fa2183b0ccc91d

SHA512
8a0da28b99d3aadb1239bb1ba7db7e307c11ba8479a917b779dc0453d1cd688e91dfc17631126c78659a67ebfd490aebb6ddeb0a2cf9e1ec11af8c7362ad5f55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.svr
Filesize
330KB

MD5
ea2c6fad52ade2fcda8c4d22d1a2e0fe

SHA1
ad732a24b320a78192c1d4de3a0becb303998156

SHA256
8485f454420e4dd1ad128749decb77dd0da078a6351eb7755b46944a6a0364b5

SHA512
57e98dca09b07ee80dc776a9526d29756dc7e8fd10bf7d5f1e44ab8c15a02541c46a4311d14dedc54266506a6cf795c9376e3017d3e77b3e2f56c465978df7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
memory/564-63-0x0000000000000000-mapping.dmp

Download
memory/592-57-0x0000000000000000-mapping.dmp

Download
memory/592-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/592-60-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/1536-68-0x0000000000000000-mapping.dmp

Download
memory/1704-76-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/1704-87-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/1704-88-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/1704-75-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/1704-86-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/1704-79-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/1704-93-0x0000000001611000-0x00000000016B2000-memory.dmp

Filesize
644KB

Download
memory/1704-92-0x00000000016B2000-0x0000000001704000-memory.dmp

Filesize
328KB

Download
memory/1704-83-0x0000000001703190-mapping.dmp

Download
memory/1704-81-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/1704-96-0x00000000016B2000-0x0000000001704000-memory.dmp

Filesize
328KB

Download