14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
Size

596KB
MD5

8b9cea8590ed25966ec2c45f9d923a46
SHA1

9ef5ae95749239e4f3eaf142a3ff0b8eed291320
SHA256

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931
SHA512

bc7cf5cc8d46ed2d5f574f7b633d1fbfe4d65de74f48a5dfa702b323a6719978de80cdb3f78f0c4790ef1793c7e06dc5fe8897b283c0898d0eeb6d662a7111f9
SSDEEP

12288:MkIG6J6tqhOb4PvlxNavuBRaNX1T1sAIsKf4lFn9n/eJyrvWFTUWBOAYIe:VIG7qTav08BCf49mJy1W3e

Score

10^/10

collection evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3404-137-0x00000000005A0000-0x00000000005BB000-memory.dmp	MailPassView
behavioral2/memory/3044-160-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3044-163-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3816-166-0x0000000000500000-0x0000000000559000-memory.dmp	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3404-137-0x00000000005A0000-0x00000000005BB000-memory.dmp	Nirsoft
behavioral2/memory/3044-160-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3044-163-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3816-166-0x0000000000500000-0x0000000000559000-memory.dmp	Nirsoft

Executes dropped EXE 6 IoCs

Processes:

AppMgmt.exehkmsvc.exehkmsvc.exehkmsvc.exeAppMgmt.exehkmsvc.exe

pid process

5048 AppMgmt.exe
3472 hkmsvc.exe
3424 hkmsvc.exe
3044 hkmsvc.exe
1384 AppMgmt.exe
3648 hkmsvc.exe

pid	process
5048	AppMgmt.exe
3472	hkmsvc.exe
3424	hkmsvc.exe
3044	hkmsvc.exe
1384	AppMgmt.exe
3648	hkmsvc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exeAppMgmt.exehkmsvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AppMgmt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	hkmsvc.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

hkmsvc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	hkmsvc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exehkmsvc.exehkmsvc.exe

description	pid	process	target process
PID 3080 set thread context of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 set thread context of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3472 set thread context of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3424 set thread context of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 4896 set thread context of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3424 set thread context of 3648	3424	hkmsvc.exe	hkmsvc.exe

Drops file in Windows directory 3 IoCs

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
File created	C:\Windows\assembly\Desktop.ini	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exeAppMgmt.exehkmsvc.exe

pid	process
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
5048	AppMgmt.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe
3472	hkmsvc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exeAppMgmt.exehkmsvc.exehkmsvc.exeAppMgmt.exe

description	pid	process
Token: SeDebugPrivilege	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
Token: SeDebugPrivilege	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
Token: SeDebugPrivilege	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
Token: SeDebugPrivilege	5048	AppMgmt.exe
Token: SeDebugPrivilege	3472	hkmsvc.exe
Token: SeDebugPrivilege	3424	hkmsvc.exe
Token: SeDebugPrivilege	1384	AppMgmt.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exeAppMgmt.exehkmsvc.exehkmsvc.exe

description	pid	process	target process
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 4896	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3404	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3080 wrote to memory of 5048	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	AppMgmt.exe
PID 3080 wrote to memory of 5048	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	AppMgmt.exe
PID 3080 wrote to memory of 5048	3080	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	AppMgmt.exe
PID 5048 wrote to memory of 3472	5048	AppMgmt.exe	hkmsvc.exe
PID 5048 wrote to memory of 3472	5048	AppMgmt.exe	hkmsvc.exe
PID 5048 wrote to memory of 3472	5048	AppMgmt.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 3424	3472	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3044	3424	hkmsvc.exe	hkmsvc.exe
PID 3472 wrote to memory of 1384	3472	hkmsvc.exe	AppMgmt.exe
PID 3472 wrote to memory of 1384	3472	hkmsvc.exe	AppMgmt.exe
PID 3472 wrote to memory of 1384	3472	hkmsvc.exe	AppMgmt.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 4896 wrote to memory of 3816	4896	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe
PID 3424 wrote to memory of 3648	3424	hkmsvc.exe	hkmsvc.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe

C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
"C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3080
- C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
  "C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
    "C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe" /stext C:\ProgramData\Mails.txt
    3⤵
    PID:3404
- - C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe
    "C:\Users\Admin\AppData\Local\Temp\14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931.exe" /stext C:\ProgramData\Browsers.txt
    3⤵
    PID:3816
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe" /stext C:\ProgramData\Mails.txt
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:3044
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe" /stext C:\ProgramData\Browsers.txt
        5⤵
        Executes dropped EXE
        
        PID:3648
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgmt.exe.log

Filesize
404B

MD5
15b6596d028baa2a113143d1828bcc36

SHA1
f1be43126c4e765fe499718c388823d44bf1fef1

SHA256
529f9fde2234067382b4c6fb8e5aee49d8a8b1b85c82b0bdae425fa2a0264f75

SHA512
f2a6cb8498f596c7bf9178ea32a245dbb3657f43a179f378ce952ce5cb8580810cd67ef1efb623bcf6cd796d74e2c9b7bc42cb8665ead397546ce3b400181e83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe

Filesize
18KB

MD5
679838bb0e4719d456eac27d910c847e

SHA1
f672d7f7122e534e0a1677394557f2046ea4d023

SHA256
80f386aa403568f5a523c5e6d776e16dcf337350874875152ec9a5259e755158

SHA512
9a7e0e8b0a143b7659ab17cad11ccb6f362052acbedbca98832c5f719fe7a9157a3c92bf39d0a55c45205c646d9c0458a6666b01992ca5a2b755ca0a80fb9d85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe

Filesize
18KB

MD5
679838bb0e4719d456eac27d910c847e

SHA1
f672d7f7122e534e0a1677394557f2046ea4d023

SHA256
80f386aa403568f5a523c5e6d776e16dcf337350874875152ec9a5259e755158

SHA512
9a7e0e8b0a143b7659ab17cad11ccb6f362052acbedbca98832c5f719fe7a9157a3c92bf39d0a55c45205c646d9c0458a6666b01992ca5a2b755ca0a80fb9d85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe

Filesize
18KB

MD5
679838bb0e4719d456eac27d910c847e

SHA1
f672d7f7122e534e0a1677394557f2046ea4d023

SHA256
80f386aa403568f5a523c5e6d776e16dcf337350874875152ec9a5259e755158

SHA512
9a7e0e8b0a143b7659ab17cad11ccb6f362052acbedbca98832c5f719fe7a9157a3c92bf39d0a55c45205c646d9c0458a6666b01992ca5a2b755ca0a80fb9d85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe

Filesize
18KB

MD5
679838bb0e4719d456eac27d910c847e

SHA1
f672d7f7122e534e0a1677394557f2046ea4d023

SHA256
80f386aa403568f5a523c5e6d776e16dcf337350874875152ec9a5259e755158

SHA512
9a7e0e8b0a143b7659ab17cad11ccb6f362052acbedbca98832c5f719fe7a9157a3c92bf39d0a55c45205c646d9c0458a6666b01992ca5a2b755ca0a80fb9d85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe

Filesize
596KB

MD5
8b9cea8590ed25966ec2c45f9d923a46

SHA1
9ef5ae95749239e4f3eaf142a3ff0b8eed291320

SHA256
14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931

SHA512
bc7cf5cc8d46ed2d5f574f7b633d1fbfe4d65de74f48a5dfa702b323a6719978de80cdb3f78f0c4790ef1793c7e06dc5fe8897b283c0898d0eeb6d662a7111f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe

Filesize
596KB

MD5
8b9cea8590ed25966ec2c45f9d923a46

SHA1
9ef5ae95749239e4f3eaf142a3ff0b8eed291320

SHA256
14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931

SHA512
bc7cf5cc8d46ed2d5f574f7b633d1fbfe4d65de74f48a5dfa702b323a6719978de80cdb3f78f0c4790ef1793c7e06dc5fe8897b283c0898d0eeb6d662a7111f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe

Filesize
596KB

MD5
8b9cea8590ed25966ec2c45f9d923a46

SHA1
9ef5ae95749239e4f3eaf142a3ff0b8eed291320

SHA256
14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931

SHA512
bc7cf5cc8d46ed2d5f574f7b633d1fbfe4d65de74f48a5dfa702b323a6719978de80cdb3f78f0c4790ef1793c7e06dc5fe8897b283c0898d0eeb6d662a7111f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe

Filesize
596KB

MD5
8b9cea8590ed25966ec2c45f9d923a46

SHA1
9ef5ae95749239e4f3eaf142a3ff0b8eed291320

SHA256
14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931

SHA512
bc7cf5cc8d46ed2d5f574f7b633d1fbfe4d65de74f48a5dfa702b323a6719978de80cdb3f78f0c4790ef1793c7e06dc5fe8897b283c0898d0eeb6d662a7111f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe

Filesize
596KB

MD5
8b9cea8590ed25966ec2c45f9d923a46

SHA1
9ef5ae95749239e4f3eaf142a3ff0b8eed291320

SHA256
14aecd45fb908687ddedf6aa14424e3a8428e7ef1c7e28cb25291507d2b0f931

SHA512
bc7cf5cc8d46ed2d5f574f7b633d1fbfe4d65de74f48a5dfa702b323a6719978de80cdb3f78f0c4790ef1793c7e06dc5fe8897b283c0898d0eeb6d662a7111f9

Download Submit
memory/1384-170-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/1384-158-0x0000000000000000-mapping.dmp

Download
memory/1384-180-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3044-154-0x0000000000000000-mapping.dmp

Download
memory/3044-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-160-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3080-148-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3080-132-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3404-135-0x0000000000000000-mapping.dmp

Download
memory/3404-137-0x00000000005A0000-0x00000000005BB000-memory.dmp

Filesize
108KB

Download
memory/3424-169-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3424-151-0x0000000000000000-mapping.dmp

Download
memory/3424-179-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3472-146-0x0000000000000000-mapping.dmp

Download
memory/3472-178-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3472-150-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/3648-171-0x0000000000000000-mapping.dmp

Download
memory/3816-166-0x0000000000500000-0x0000000000559000-memory.dmp

Filesize
356KB

Download
memory/3816-164-0x0000000000000000-mapping.dmp

Download
memory/4896-177-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4896-140-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4896-134-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4896-133-0x0000000000000000-mapping.dmp

Download
memory/5048-149-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5048-144-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/5048-141-0x0000000000000000-mapping.dmp

Download