bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

Analysis

max time kernel
187s
max time network
184s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Size

285KB
MD5

6aeb6f5ba1e1ac048b9e077e126c3dba
SHA1

a8334a547ac9e32771fe518c9b98167dfd459f66
SHA256

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f
SHA512

31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6
SSDEEP

6144:cldvE2Qugh1/Cdh95IAWq5P47Vpn5JOkf4bEm/z2RbOy:clwwXIAWqqTNf4vBy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe\""	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\""	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Executes dropped EXE 5 IoCs

Processes:

dllnh.exedllnh.exedllnh.exedllnh.exedllnh.exe

pid process

1596 dllnh.exe
1080 dllnh.exe
1900 dllnh.exe
1144 dllnh.exe
1712 dllnh.exe

pid	process
1596	dllnh.exe
1080	dllnh.exe
1900	dllnh.exe
1144	dllnh.exe
1712	dllnh.exe

Loads dropped DLL 2 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

pid	process
1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exeWScript.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Systnh = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe\""	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Drops file in System32 directory 1 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description ioc process

File created C:\Windows\SysWOW64\clientsvr.exe bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientsvr.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exedllnh.exe

description	pid	process	target process
PID 996 set thread context of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 set thread context of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1596 set thread context of 1080	1596	dllnh.exe	dllnh.exe
PID 1080 set thread context of 1712	1080	dllnh.exe	dllnh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exedllnh.exe

pid	process
1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
1596	dllnh.exe
1080	dllnh.exe
1080	dllnh.exe
1080	dllnh.exe
1080	dllnh.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exe

description	pid	process
Token: SeDebugPrivilege	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Token: SeDebugPrivilege	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Token: SeDebugPrivilege	1596	dllnh.exe
Token: SeDebugPrivilege	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
Token: SeDebugPrivilege	1080	dllnh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

pid process

1660 bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exeexplorer.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exeexplorer.exebfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exedllnh.exeexplorer.exe

description	pid	process	target process
PID 996 wrote to memory of 2040	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 996 wrote to memory of 2040	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 996 wrote to memory of 2040	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 996 wrote to memory of 2040	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1944 wrote to memory of 268	1944	explorer.exe	WScript.exe
PID 1944 wrote to memory of 268	1944	explorer.exe	WScript.exe
PID 1944 wrote to memory of 268	1944	explorer.exe	WScript.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 996 wrote to memory of 1996	996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1248	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1996 wrote to memory of 1248	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1996 wrote to memory of 1248	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1996 wrote to memory of 1248	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	explorer.exe
PID 1996 wrote to memory of 1280	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1280	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1280	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1280	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 952	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 952	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 952	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 952	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1996 wrote to memory of 1660	1996	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
PID 1916 wrote to memory of 1480	1916	explorer.exe	WScript.exe
PID 1916 wrote to memory of 1480	1916	explorer.exe	WScript.exe
PID 1916 wrote to memory of 1480	1916	explorer.exe	WScript.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 1596 wrote to memory of 1508	1596	dllnh.exe	explorer.exe
PID 1596 wrote to memory of 1508	1596	dllnh.exe	explorer.exe
PID 1596 wrote to memory of 1508	1596	dllnh.exe	explorer.exe
PID 1596 wrote to memory of 1508	1596	dllnh.exe	explorer.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 1596 wrote to memory of 1080	1596	dllnh.exe	dllnh.exe
PID 300 wrote to memory of 1428	300	explorer.exe	WScript.exe
PID 300 wrote to memory of 1428	300	explorer.exe	WScript.exe
PID 300 wrote to memory of 1428	300	explorer.exe	WScript.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe
PID 1660 wrote to memory of 1596	1660	bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe	dllnh.exe

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\vbUyS.vbs
2⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
3⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
3⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe
"C:\Users\Admin\AppData\Local\Temp\bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f.exe"
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\ProgramData\238285\dllnh.exe
"C:\ProgramData\238285\dllnh.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\vbUyS.vbs
5⤵
PID:1508

C:\ProgramData\238285\dllnh.exe
"C:\ProgramData\238285\dllnh.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
6⤵
PID:1880

C:\ProgramData\238285\dllnh.exe
"C:\ProgramData\238285\dllnh.exe"
6⤵
- Executes dropped EXE
PID:1900

C:\ProgramData\238285\dllnh.exe
"C:\ProgramData\238285\dllnh.exe"
6⤵
- Executes dropped EXE
PID:1144

C:\ProgramData\238285\dllnh.exe
"C:\ProgramData\238285\dllnh.exe"
6⤵
- Executes dropped EXE
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbUyS.vbs"
2⤵
- Adds Run key to start application
PID:268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs"
2⤵
- Adds Run key to start application
PID:1480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbUyS.vbs"
2⤵
- Adds Run key to start application
PID:1428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs"
2⤵
- Adds Run key to start application
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Utilizer.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
Filesize
530B

MD5
fc7ba9442be72889da4f0b67adaf41e1

SHA1
a2a15e75e451735cc07a4d07a8c12e4f29a56f4f

SHA256
7e0155d43a50bfc00c3d4241d2f1715a65665153d1130fb4347bcf4db49212fd

SHA512
b56d7f80602f83b6c4e1feba07141c9efc0128bdcf7cef172abc532dc3491df02b524f35652b4aeb86cbd7260fd4a45026fec4e6cc46036ec5d4abd9baf3179c

Download Submit
C:\Users\Admin\AppData\Roaming\uDjYdlSZP.vbs
Filesize
601B

MD5
b148ec19b8c17a86efc29fda32838475

SHA1
d7996849af0d5f644f97d30e88143757b5c01a1a

SHA256
7bfb713dad544c1947719e22f9baf7e499af336125d39f94c8c57bc49daf6fad

SHA512
ff6eab3155e5323c0e56286dca7545bf8f79d8c839ded3a67730e8b74bbd1b5e6728bb4cdd8cd3ef2aa9138a127cfea16df0df492cd18e456af03735e3ace1db

Download Submit
C:\Users\Admin\AppData\Roaming\vbUyS.vbs
Filesize
530B

MD5
fc7ba9442be72889da4f0b67adaf41e1

SHA1
a2a15e75e451735cc07a4d07a8c12e4f29a56f4f

SHA256
7e0155d43a50bfc00c3d4241d2f1715a65665153d1130fb4347bcf4db49212fd

SHA512
b56d7f80602f83b6c4e1feba07141c9efc0128bdcf7cef172abc532dc3491df02b524f35652b4aeb86cbd7260fd4a45026fec4e6cc46036ec5d4abd9baf3179c

Download Submit
C:\Users\Admin\AppData\Roaming\vbUyS.vbs
Filesize
601B

MD5
b148ec19b8c17a86efc29fda32838475

SHA1
d7996849af0d5f644f97d30e88143757b5c01a1a

SHA256
7bfb713dad544c1947719e22f9baf7e499af336125d39f94c8c57bc49daf6fad

SHA512
ff6eab3155e5323c0e56286dca7545bf8f79d8c839ded3a67730e8b74bbd1b5e6728bb4cdd8cd3ef2aa9138a127cfea16df0df492cd18e456af03735e3ace1db

Download Submit
\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
\ProgramData\238285\dllnh.exe
Filesize
285KB

MD5
6aeb6f5ba1e1ac048b9e077e126c3dba

SHA1
a8334a547ac9e32771fe518c9b98167dfd459f66

SHA256
bfcfbe03c2529c12178bd3821468a4f38696a2b571cdab8c8db7066f7317ad5f

SHA512
31b1c718c786959e9f94642f353a1badbdc33059d0f0bdcfeeb3102a7b83ae551848eddc2e79c928a56fb98be9effe63c51af706bd18451d23c56786fe3100c6

Download Submit
memory/268-65-0x0000000000000000-mapping.dmp

Download
memory/996-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/996-56-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/996-55-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-122-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-114-0x0000000000445CEE-mapping.dmp

Download
memory/1080-148-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-146-0x0000000000000000-mapping.dmp

Download
memory/1248-78-0x0000000072421000-0x0000000072423000-memory.dmp

Filesize
8KB

Download
memory/1248-76-0x0000000000000000-mapping.dmp

Download
memory/1428-124-0x0000000000000000-mapping.dmp

Download
memory/1480-93-0x0000000000000000-mapping.dmp

Download
memory/1508-108-0x00000000722F1000-0x00000000722F3000-memory.dmp

Filesize
8KB

Download
memory/1508-105-0x0000000000000000-mapping.dmp

Download
memory/1596-103-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1596-99-0x0000000000000000-mapping.dmp

Download
memory/1596-125-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-95-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-90-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1660-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1660-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1660-85-0x000000000045CF0E-mapping.dmp

Download
memory/1660-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1660-104-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-80-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1660-79-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1712-147-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-137-0x000000000045CF0E-mapping.dmp

Download
memory/1880-126-0x0000000000000000-mapping.dmp

Download
memory/1880-129-0x0000000071C41000-0x0000000071C43000-memory.dmp

Filesize
8KB

Download
memory/1944-63-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download
memory/1996-68-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-69-0x0000000000445CEE-mapping.dmp

Download
memory/1996-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-71-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-94-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-73-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-75-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-59-0x0000000072591000-0x0000000072593000-memory.dmp

Filesize
8KB

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download