ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28

Analysis

max time kernel
273s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
Size

585KB
MD5

28e41b880c6c6a3694968d349e165ddb
SHA1

b870581c5297030bea576016e5c14182890e61c0
SHA256

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28
SHA512

7fce1f850483d83b886757a8967240b78a8b1e133a62f74ae5b603ac11e17043690c634a51236d70cf73379c8bce93e5af2b4ebcd362e3f1589850417547d275
SSDEEP

12288:APLpdAd2AvcFQoV14NmFZn3Zugh4mYyvzApwaniZ6iXWVDnvbVjl4:ApdcSJ4wFZJughpaliEMWV7Jja

Score

10^/10

collection evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1820-137-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1820-139-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1820-140-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2512-144-0x0000000000580000-0x00000000005D9000-memory.dmp	WebBrowserPassView
behavioral2/memory/5052-168-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/5052-178-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView
behavioral2/memory/5052-179-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1820-137-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1820-139-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1820-140-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2512-144-0x0000000000580000-0x00000000005D9000-memory.dmp	Nirsoft
behavioral2/memory/5052-168-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/5052-178-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/5052-179-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AppMgnt.exehknswc.exehknswc.exehknswc.exeAppMgnt.exe

pid process

2180 AppMgnt.exe
4720 hknswc.exe
4892 hknswc.exe
5052 hknswc.exe
4848 AppMgnt.exe

pid	process
2180	AppMgnt.exe
4720	hknswc.exe
4892	hknswc.exe
5052	hknswc.exe
4848	AppMgnt.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	AppMgnt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	hknswc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	AppMgnt.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exead03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exehknswc.exehknswc.exe

description	pid	process	target process
PID 4708 set thread context of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 set thread context of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 set thread context of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4720 set thread context of 4892	4720	hknswc.exe	hknswc.exe
PID 4892 set thread context of 5052	4892	hknswc.exe	hknswc.exe

Drops file in Windows directory 3 IoCs

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
File opened for modification	C:\Windows\assembly	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

632 schtasks.exe
3280 schtasks.exe

pid	process
632	schtasks.exe
3280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exeAppMgnt.exehknswc.exeAppMgnt.exe

pid	process
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
2180	AppMgnt.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
2180	AppMgnt.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
2180	AppMgnt.exe
2180	AppMgnt.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
2180	AppMgnt.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
2180	AppMgnt.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
2180	AppMgnt.exe
2180	AppMgnt.exe
4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
4720	hknswc.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4720	hknswc.exe
4848	AppMgnt.exe
4848	AppMgnt.exe
4720	hknswc.exe
4720	hknswc.exe
4848	AppMgnt.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4720	hknswc.exe
4848	AppMgnt.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4848	AppMgnt.exe
4720	hknswc.exe
4848	AppMgnt.exe
4720	hknswc.exe
4720	hknswc.exe
4848	AppMgnt.exe
4848	AppMgnt.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exead03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exeAppMgnt.exehknswc.exehknswc.exeAppMgnt.exe

description	pid	process
Token: SeDebugPrivilege	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
Token: SeDebugPrivilege	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
Token: SeDebugPrivilege	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
Token: SeDebugPrivilege	2180	AppMgnt.exe
Token: SeDebugPrivilege	4720	hknswc.exe
Token: SeDebugPrivilege	4892	hknswc.exe
Token: SeDebugPrivilege	4848	AppMgnt.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exead03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exeAppMgnt.exehknswc.exehknswc.exeAppMgnt.exe

description	pid	process	target process
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 4768	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 1820	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4768 wrote to memory of 2512	4768	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
PID 4708 wrote to memory of 2180	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	AppMgnt.exe
PID 4708 wrote to memory of 2180	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	AppMgnt.exe
PID 4708 wrote to memory of 2180	4708	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe	AppMgnt.exe
PID 2180 wrote to memory of 632	2180	AppMgnt.exe	schtasks.exe
PID 2180 wrote to memory of 632	2180	AppMgnt.exe	schtasks.exe
PID 2180 wrote to memory of 632	2180	AppMgnt.exe	schtasks.exe
PID 2180 wrote to memory of 4720	2180	AppMgnt.exe	hknswc.exe
PID 2180 wrote to memory of 4720	2180	AppMgnt.exe	hknswc.exe
PID 2180 wrote to memory of 4720	2180	AppMgnt.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4892	4720	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4892 wrote to memory of 5052	4892	hknswc.exe	hknswc.exe
PID 4720 wrote to memory of 4848	4720	hknswc.exe	AppMgnt.exe
PID 4720 wrote to memory of 4848	4720	hknswc.exe	AppMgnt.exe
PID 4720 wrote to memory of 4848	4720	hknswc.exe	AppMgnt.exe
PID 4848 wrote to memory of 3280	4848	AppMgnt.exe	schtasks.exe
PID 4848 wrote to memory of 3280	4848	AppMgnt.exe	schtasks.exe
PID 4848 wrote to memory of 3280	4848	AppMgnt.exe	schtasks.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe

C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
"C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4708

C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
"C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
"C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe" /stext C:\ProgramData\Mails.txt
3⤵
- Accesses Microsoft Outlook accounts
PID:1820

C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe
"C:\Users\Admin\AppData\Local\Temp\ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28.exe" /stext C:\ProgramData\Browsers.txt
3⤵
PID:2512

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:632

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe" /stext C:\ProgramData\Browsers.txt
5⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:3280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgnt.exe.log
Filesize
404B

MD5
fcc802ed7e1aa47a9e0ba0420dac1632

SHA1
f7a7b06f14790b2e33a66fa6c318f940a6637786

SHA256
676475b51aec5bc3cbd324aca7091e8e63465b0cc77d85a02db484754c4fa7e1

SHA512
df8e129fb26cc87e3f76f69c7bf142116762cfe0377599f353cb2230a3ad992ad358ddba2c46a02e1bb14e4054f3df19b028a6a44699584f2a7f9f4c53092c43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
9KB

MD5
377b246a502bff19611c046bc4b9528a

SHA1
c33004ffce509610657ee50a942fbac7c085487e

SHA256
a82131e63d829ab1a4c284069a707a25aba0c0f5f372e5e70a3d824db6b19648

SHA512
9794a02ef553adf0ec48566c25abf6d327040476155102a4e934984c0529fd9e6b85b019756a166d5490aad9eb03dfd65144be590717430e9102a907158d81d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
585KB

MD5
28e41b880c6c6a3694968d349e165ddb

SHA1
b870581c5297030bea576016e5c14182890e61c0

SHA256
ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28

SHA512
7fce1f850483d83b886757a8967240b78a8b1e133a62f74ae5b603ac11e17043690c634a51236d70cf73379c8bce93e5af2b4ebcd362e3f1589850417547d275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
585KB

MD5
28e41b880c6c6a3694968d349e165ddb

SHA1
b870581c5297030bea576016e5c14182890e61c0

SHA256
ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28

SHA512
7fce1f850483d83b886757a8967240b78a8b1e133a62f74ae5b603ac11e17043690c634a51236d70cf73379c8bce93e5af2b4ebcd362e3f1589850417547d275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
585KB

MD5
28e41b880c6c6a3694968d349e165ddb

SHA1
b870581c5297030bea576016e5c14182890e61c0

SHA256
ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28

SHA512
7fce1f850483d83b886757a8967240b78a8b1e133a62f74ae5b603ac11e17043690c634a51236d70cf73379c8bce93e5af2b4ebcd362e3f1589850417547d275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
585KB

MD5
28e41b880c6c6a3694968d349e165ddb

SHA1
b870581c5297030bea576016e5c14182890e61c0

SHA256
ad03f5989eb133644bf447cfdcc2884cea36ad61781e11a21507cc6c0ace1e28

SHA512
7fce1f850483d83b886757a8967240b78a8b1e133a62f74ae5b603ac11e17043690c634a51236d70cf73379c8bce93e5af2b4ebcd362e3f1589850417547d275

Download Submit
memory/632-153-0x0000000000000000-mapping.dmp

Download
memory/1820-139-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1820-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1820-136-0x0000000000000000-mapping.dmp

Download
memory/1820-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2180-152-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2180-148-0x0000000000000000-mapping.dmp

Download
memory/2180-157-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2180-159-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/2512-142-0x0000000000000000-mapping.dmp

Download
memory/2512-144-0x0000000000580000-0x00000000005D9000-memory.dmp

Filesize
356KB

Download
memory/3280-173-0x0000000000000000-mapping.dmp

Download
memory/4708-160-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-132-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4708-133-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-156-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-158-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4720-154-0x0000000000000000-mapping.dmp

Download
memory/4768-134-0x0000000000000000-mapping.dmp

Download
memory/4768-147-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-141-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-135-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4848-177-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4848-175-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4848-169-0x0000000000000000-mapping.dmp

Download
memory/4892-176-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4892-174-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4892-161-0x0000000000000000-mapping.dmp

Download
memory/5052-168-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5052-164-0x0000000000000000-mapping.dmp

Download
memory/5052-178-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5052-179-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download