f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d

Analysis

max time kernel
191s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
Size

208KB
MD5

10aadf6c6721c783ffe5334edfc55a10
SHA1

60e62a4752122356b8a186b4759d41e62eb67c07
SHA256

f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d
SHA512

46315187f0cd0591508469c163ab91a58207df5317d2368a755ae214e6bf252f1e585e1024c16e6941ee1b4bc09b826c7416df309bedf8c847b2712d4a2f5aba
SSDEEP

3072:oLQaL9tbLkRIgd1Lye9yjE2hWAN5XbFlFNL+LPfm4pLthEjQT6j:MlZtbLWIgd1LZ9oECZbFlFJ+LPOkEj1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
292	MPTIOI.exe
620	CVLE.exe
1528	KNSAGKE.exe
1748	DDRPBBK.exe
676	SNHNXII.exe

Drops startup file 12 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KNSAGKE.exe	KNSAGKE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KNSAGKE.exe	KNSAGKE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MPTIOI.exe	MPTIOI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CVLE.exe	CVLE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CVLE.exe	CVLE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDRPBBK.exe	DDRPBBK.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MPTIOI.exe	MPTIOI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDRPBBK.exe	DDRPBBK.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SNHNXII.exe	SNHNXII.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SNHNXII.exe	SNHNXII.exe

Loads dropped DLL 10 IoCs

pid	Process
1044	cmd.exe
1044	cmd.exe
880	cmd.exe
880	cmd.exe
944	cmd.exe
944	cmd.exe
1596	cmd.exe
1596	cmd.exe
820	cmd.exe
820	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\8014777a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe"	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c3d3e87c = "C:\\windows\\system\\DDRPBBK.exe"	DDRPBBK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bb667954 = "C:\\windows\\SysWOW64\\KNSAGKE.exe"	KNSAGKE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\bb667954 = "C:\\windows\\SysWOW64\\KNSAGKE.exe"	KNSAGKE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\3887fdfd = "C:\\windows\\SysWOW64\\SNHNXII.exe"	SNHNXII.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8014777a = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe"	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\62f37843 = "C:\\windows\\system\\MPTIOI.exe"	MPTIOI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\62f37843 = "C:\\windows\\system\\MPTIOI.exe"	MPTIOI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ec964a40 = "C:\\windows\\SysWOW64\\CVLE.exe"	CVLE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec964a40 = "C:\\windows\\SysWOW64\\CVLE.exe"	CVLE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\c3d3e87c = "C:\\windows\\system\\DDRPBBK.exe"	DDRPBBK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3887fdfd = "C:\\windows\\SysWOW64\\SNHNXII.exe"	SNHNXII.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\KNSAGKE.exe	CVLE.exe
File created	C:\windows\SysWOW64\SNHNXII.exe.bat	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File created	C:\windows\SysWOW64\KNSAGKE.exe.bat	CVLE.exe
File created	C:\windows\SysWOW64\CVLE.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File created	C:\windows\SysWOW64\SNHNXII.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File created	C:\windows\SysWOW64\KNSAGKE.exe	CVLE.exe
File opened for modification	C:\windows\SysWOW64\SNHNXII.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File opened for modification	C:\windows\SysWOW64\CVLE.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File created	C:\windows\SysWOW64\CVLE.exe.bat	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\windows\system\MPTIOI.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File opened for modification	C:\windows\system\DDRPBBK.exe	MPTIOI.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\windows\system\MPTIOI.exe	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File created	C:\windows\system\MPTIOI.exe.bat	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
File created	C:\windows\system\DDRPBBK.exe	MPTIOI.exe
File created	C:\windows\system\DDRPBBK.exe.bat	MPTIOI.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
620	CVLE.exe
292	MPTIOI.exe
292	MPTIOI.exe
292	MPTIOI.exe
620	CVLE.exe
620	CVLE.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
292	MPTIOI.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
292	MPTIOI.exe
1748	DDRPBBK.exe
1748	DDRPBBK.exe
620	CVLE.exe
620	CVLE.exe
1528	KNSAGKE.exe
676	SNHNXII.exe
1528	KNSAGKE.exe
676	SNHNXII.exe
1748	DDRPBBK.exe
1748	DDRPBBK.exe
620	CVLE.exe
620	CVLE.exe
1528	KNSAGKE.exe
1528	KNSAGKE.exe
676	SNHNXII.exe
676	SNHNXII.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
292	MPTIOI.exe
292	MPTIOI.exe
1748	DDRPBBK.exe
620	CVLE.exe
1748	DDRPBBK.exe
620	CVLE.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
676	SNHNXII.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
676	SNHNXII.exe
1528	KNSAGKE.exe
1528	KNSAGKE.exe
292	MPTIOI.exe
292	MPTIOI.exe
1748	DDRPBBK.exe
1748	DDRPBBK.exe
620	CVLE.exe
1528	KNSAGKE.exe
620	CVLE.exe
1528	KNSAGKE.exe
676	SNHNXII.exe
676	SNHNXII.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
292	MPTIOI.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
292	MPTIOI.exe
676	SNHNXII.exe
1528	KNSAGKE.exe
676	SNHNXII.exe
1528	KNSAGKE.exe
1748	DDRPBBK.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
292	MPTIOI.exe
292	MPTIOI.exe
620	CVLE.exe
620	CVLE.exe
1748	DDRPBBK.exe
1748	DDRPBBK.exe
1528	KNSAGKE.exe
1528	KNSAGKE.exe
676	SNHNXII.exe
676	SNHNXII.exe
1336	mspaint.exe
1336	mspaint.exe
1336	mspaint.exe
1336	mspaint.exe
1700	mspaint.exe
1700	mspaint.exe
1700	mspaint.exe
1700	mspaint.exe
1676	mspaint.exe
1676	mspaint.exe
1676	mspaint.exe
1676	mspaint.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1044	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	28
PID 1616 wrote to memory of 1044	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	28
PID 1616 wrote to memory of 1044	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	28
PID 1616 wrote to memory of 1044	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	28
PID 1616 wrote to memory of 880	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	30
PID 1616 wrote to memory of 880	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	30
PID 1616 wrote to memory of 880	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	30
PID 1616 wrote to memory of 880	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	30
PID 1044 wrote to memory of 292	1044	cmd.exe	32
PID 1044 wrote to memory of 292	1044	cmd.exe	32
PID 1044 wrote to memory of 292	1044	cmd.exe	32
PID 1044 wrote to memory of 292	1044	cmd.exe	32
PID 880 wrote to memory of 620	880	cmd.exe	33
PID 880 wrote to memory of 620	880	cmd.exe	33
PID 880 wrote to memory of 620	880	cmd.exe	33
PID 880 wrote to memory of 620	880	cmd.exe	33
PID 1616 wrote to memory of 820	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	35
PID 1616 wrote to memory of 820	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	35
PID 1616 wrote to memory of 820	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	35
PID 1616 wrote to memory of 820	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	35
PID 292 wrote to memory of 1596	292	MPTIOI.exe	34
PID 292 wrote to memory of 1596	292	MPTIOI.exe	34
PID 292 wrote to memory of 1596	292	MPTIOI.exe	34
PID 292 wrote to memory of 1596	292	MPTIOI.exe	34
PID 620 wrote to memory of 944	620	CVLE.exe	36
PID 620 wrote to memory of 944	620	CVLE.exe	36
PID 620 wrote to memory of 944	620	CVLE.exe	36
PID 620 wrote to memory of 944	620	CVLE.exe	36
PID 944 wrote to memory of 1528	944	cmd.exe	40
PID 944 wrote to memory of 1528	944	cmd.exe	40
PID 944 wrote to memory of 1528	944	cmd.exe	40
PID 944 wrote to memory of 1528	944	cmd.exe	40
PID 1596 wrote to memory of 1748	1596	cmd.exe	41
PID 1596 wrote to memory of 1748	1596	cmd.exe	41
PID 1596 wrote to memory of 1748	1596	cmd.exe	41
PID 1596 wrote to memory of 1748	1596	cmd.exe	41
PID 820 wrote to memory of 676	820	cmd.exe	42
PID 820 wrote to memory of 676	820	cmd.exe	42
PID 820 wrote to memory of 676	820	cmd.exe	42
PID 820 wrote to memory of 676	820	cmd.exe	42
PID 292 wrote to memory of 1956	292	MPTIOI.exe	43
PID 292 wrote to memory of 1956	292	MPTIOI.exe	43
PID 292 wrote to memory of 1956	292	MPTIOI.exe	43
PID 292 wrote to memory of 1956	292	MPTIOI.exe	43
PID 620 wrote to memory of 1628	620	CVLE.exe	44
PID 620 wrote to memory of 1628	620	CVLE.exe	44
PID 620 wrote to memory of 1628	620	CVLE.exe	44
PID 620 wrote to memory of 1628	620	CVLE.exe	44
PID 1748 wrote to memory of 1336	1748	DDRPBBK.exe	45
PID 1748 wrote to memory of 1336	1748	DDRPBBK.exe	45
PID 1748 wrote to memory of 1336	1748	DDRPBBK.exe	45
PID 1748 wrote to memory of 1336	1748	DDRPBBK.exe	45
PID 1616 wrote to memory of 1700	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	47
PID 1616 wrote to memory of 1700	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	47
PID 1616 wrote to memory of 1700	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	47
PID 1616 wrote to memory of 1700	1616	f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe	47
PID 620 wrote to memory of 1676	620	CVLE.exe	48
PID 620 wrote to memory of 1676	620	CVLE.exe	48
PID 620 wrote to memory of 1676	620	CVLE.exe	48
PID 620 wrote to memory of 1676	620	CVLE.exe	48

C:\Users\Admin\AppData\Local\Temp\f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe
"C:\Users\Admin\AppData\Local\Temp\f2fa24035bc999cf6343a6fd6b7f13782a31cf73085fc7c326c918d78edc8f8d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\MPTIOI.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\windows\system\MPTIOI.exe
    C:\windows\system\MPTIOI.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system\DDRPBBK.exe.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\windows\system\DDRPBBK.exe
        
        C:\windows\system\DDRPBBK.exe
        5⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\SysWOW64\mspaint.exe
        
        "C:\Windows\System32\mspaint.exe"
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1336
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\CVLE.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\windows\SysWOW64\CVLE.exe
    C:\windows\system32\CVLE.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system32\KNSAGKE.exe.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\windows\SysWOW64\KNSAGKE.exe
        
        C:\windows\system32\KNSAGKE.exe
        5⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1528
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\SNHNXII.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\windows\SysWOW64\SNHNXII.exe
    C:\windows\system32\SNHNXII.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:676
- C:\Windows\SysWOW64\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CVLE.exe

Filesize
208KB

MD5
8a3792208636e83fbef2c9c9b547159a

SHA1
3764797a17a2ba2b3f02e7c76832cc85acaf4ecc

SHA256
d32c1f0da02c5d2bcc07d9511a5f4f6f7065ee7d9297adb2b0c71abf45aa02f8

SHA512
8827c55a88ba5c975e47d05b92aeca1bf7d6b31b865114ad05e6be8b75a73c614cab84caad4e61b12227b278fa65b7f81d8679a0627b639a0381fbf33799b79b

Download Submit
C:\Windows\SysWOW64\KNSAGKE.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
C:\Windows\SysWOW64\SNHNXII.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
C:\Windows\system\DDRPBBK.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
C:\Windows\system\MPTIOI.exe

Filesize
208KB

MD5
42028f916a7a4439d3c3ff8afe6badbb

SHA1
908f5913f9ba25fd4f71865b3825f4f218612cfc

SHA256
e84aba88b86c5b6412de8f11f990e0463ac7691ebbbc9086a58e4d318848e972

SHA512
cd5e750cbd00b7b3e0edc73c198ef3bb2b445a3c47fb53cf3c93267bb790b2229642adbe18cf9a5d3c43c7a0a1e15ae01fcc79d4f106655dd2faac06c69edb97

Download Submit
C:\windows\SysWOW64\CVLE.exe

Filesize
208KB

MD5
8a3792208636e83fbef2c9c9b547159a

SHA1
3764797a17a2ba2b3f02e7c76832cc85acaf4ecc

SHA256
d32c1f0da02c5d2bcc07d9511a5f4f6f7065ee7d9297adb2b0c71abf45aa02f8

SHA512
8827c55a88ba5c975e47d05b92aeca1bf7d6b31b865114ad05e6be8b75a73c614cab84caad4e61b12227b278fa65b7f81d8679a0627b639a0381fbf33799b79b

Download Submit
C:\windows\SysWOW64\CVLE.exe.bat

Filesize
72B

MD5
fb4a26951b4b1cb267c303d3017bde73

SHA1
9450c0c6bdbb38e05d178555a797b3273979beff

SHA256
77b594bdbdb77d66ccebf0fbd9bf3facb02dece728464a8b3c8d4b050964d0b7

SHA512
92b8194d0395e586d80edeef4690383c7a9a58dbb1d6fb8e35863b63874d8280e2a704f65fcbb0e7a7b964b58599ac60162476c409252686f2f37d9c73125615

Download Submit
C:\windows\SysWOW64\KNSAGKE.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
C:\windows\SysWOW64\KNSAGKE.exe.bat

Filesize
78B

MD5
a3b50561a38393029741d3d3b1564b28

SHA1
438013de801f72f7b29bfb754b336755033e248a

SHA256
a3463b5119c14a51fa456221c41f56cbf3868f1bc63d77762004e7f652e2860f

SHA512
b1231cfcdd3889456ca43aaa7d9dfc4d824d8540597aaef834c050e6c1c564db324dc503e42d336b59b0bd278f2ef95294f372f0ad9d1f6f1cf719ceac1c2181

Download Submit
C:\windows\SysWOW64\SNHNXII.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
C:\windows\SysWOW64\SNHNXII.exe.bat

Filesize
78B

MD5
72a182ac554f3b1f8ff1eeb7a546a5d4

SHA1
37e09706f016851690f4c806cc4a59419a443ddf

SHA256
7745f02beb4f1d6752e2e3a258f0804174e67eee5aab93ef708fc94467fc19dd

SHA512
c7666f4aa3397e013bdca507086ee1972ac7a53099e4ecf906aba39b48e5bc94cff24f0e47249a70ef3bd5f821e9889c152bab596bc4efe6a202962f93374028

Download Submit
C:\windows\system\DDRPBBK.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
C:\windows\system\DDRPBBK.exe.bat

Filesize
74B

MD5
3731600817c0c18120e237f613d87708

SHA1
4540343871bca6efe68cd16371de41ced7c72ca7

SHA256
22be937ecb842c31f659bc643b4f4bddfe68e6f9ca4c86f4636265d38dbef322

SHA512
255669c5ed64399162d91f8ab45d5c7c25f0b21c37ee247a6b7458d41b152a46b4f9d0d5f91582c0c992ca34d636ed67949154c16b0995f4d4f7613a5ac7b01d

Download Submit
C:\windows\system\MPTIOI.exe

Filesize
208KB

MD5
42028f916a7a4439d3c3ff8afe6badbb

SHA1
908f5913f9ba25fd4f71865b3825f4f218612cfc

SHA256
e84aba88b86c5b6412de8f11f990e0463ac7691ebbbc9086a58e4d318848e972

SHA512
cd5e750cbd00b7b3e0edc73c198ef3bb2b445a3c47fb53cf3c93267bb790b2229642adbe18cf9a5d3c43c7a0a1e15ae01fcc79d4f106655dd2faac06c69edb97

Download Submit
C:\windows\system\MPTIOI.exe.bat

Filesize
72B

MD5
eda2ba1e4ad292918cbe7a03ad0a1b8e

SHA1
bbde0262808c756edfb8ea95f7556f90999dea48

SHA256
7f2800fb05729737c7cb2c8f39f5ed1d0f91a944eab62d1ac1f203f36fbad539

SHA512
d9636bb1f57ee25b022b77b025f9c86ce0ee1a642d05cf5892d5fc727b1840e82d40e5726e4ee37e5a4eeb3e9ae3a403e6ddf6cfe190be7b92866cc8f7069214

Download Submit
\Windows\SysWOW64\CVLE.exe

Filesize
208KB

MD5
8a3792208636e83fbef2c9c9b547159a

SHA1
3764797a17a2ba2b3f02e7c76832cc85acaf4ecc

SHA256
d32c1f0da02c5d2bcc07d9511a5f4f6f7065ee7d9297adb2b0c71abf45aa02f8

SHA512
8827c55a88ba5c975e47d05b92aeca1bf7d6b31b865114ad05e6be8b75a73c614cab84caad4e61b12227b278fa65b7f81d8679a0627b639a0381fbf33799b79b

Download Submit
\Windows\SysWOW64\CVLE.exe

Filesize
208KB

MD5
8a3792208636e83fbef2c9c9b547159a

SHA1
3764797a17a2ba2b3f02e7c76832cc85acaf4ecc

SHA256
d32c1f0da02c5d2bcc07d9511a5f4f6f7065ee7d9297adb2b0c71abf45aa02f8

SHA512
8827c55a88ba5c975e47d05b92aeca1bf7d6b31b865114ad05e6be8b75a73c614cab84caad4e61b12227b278fa65b7f81d8679a0627b639a0381fbf33799b79b

Download Submit
\Windows\SysWOW64\KNSAGKE.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
\Windows\SysWOW64\KNSAGKE.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
\Windows\SysWOW64\SNHNXII.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
\Windows\SysWOW64\SNHNXII.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
\Windows\system\DDRPBBK.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
\Windows\system\DDRPBBK.exe

Filesize
208KB

MD5
22bbedd325c927363111fdada3c33a16

SHA1
f4fee03d1481fe65dd09991dc0f51419c7651ab2

SHA256
c83e7358e5aeddf812ad114f19e08eda8092ec987874ac879b1e2b090a16b04b

SHA512
402da83aa73a5d296d6d9963a909861515d4a2be1905e5c503e611039d5145e0db37818b4e7df6a7ce1f14447bb847584fd932e881cfd7d843a5ba6d80217e23

Download Submit
\Windows\system\MPTIOI.exe

Filesize
208KB

MD5
42028f916a7a4439d3c3ff8afe6badbb

SHA1
908f5913f9ba25fd4f71865b3825f4f218612cfc

SHA256
e84aba88b86c5b6412de8f11f990e0463ac7691ebbbc9086a58e4d318848e972

SHA512
cd5e750cbd00b7b3e0edc73c198ef3bb2b445a3c47fb53cf3c93267bb790b2229642adbe18cf9a5d3c43c7a0a1e15ae01fcc79d4f106655dd2faac06c69edb97

Download Submit
\Windows\system\MPTIOI.exe

Filesize
208KB

MD5
42028f916a7a4439d3c3ff8afe6badbb

SHA1
908f5913f9ba25fd4f71865b3825f4f218612cfc

SHA256
e84aba88b86c5b6412de8f11f990e0463ac7691ebbbc9086a58e4d318848e972

SHA512
cd5e750cbd00b7b3e0edc73c198ef3bb2b445a3c47fb53cf3c93267bb790b2229642adbe18cf9a5d3c43c7a0a1e15ae01fcc79d4f106655dd2faac06c69edb97

Download Submit
memory/292-114-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/292-98-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-99-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/620-115-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/676-116-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/676-100-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1336-107-0x0000000000131000-0x0000000000133000-memory.dmp

Filesize
8KB

Download
memory/1528-96-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1616-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1616-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1616-111-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1748-113-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1748-97-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download