Analysis
max time kernel: 245s
max time network: 249s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 17:28
Static task: static1
Behavioral task: behavioral1
Sample: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
Resource: win7-20220812-en
General
Target: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
Size: 4.7MB
MD5: fb69931a9d6a62ef32fc98b6131103cc
SHA1: 376f89c2b2ef1a8870845e0bd0b21ea80803365b
SHA256: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c
SHA512: a2add386060428908a93af759610095f90bc136242248a63a54846f0253e8ee1eea491d6e7b25a13714f1eb8509620913e167da61b30b9e05592275624497851
SSDEEP: 98304:un4FkxwWUGoRgnQxFa4fdyqMTRd43GJb03+5cJsCzc:u4FkbUGoRZxF/yFMWJ0/zc
Malware Config
Signatures
Processes:
resource                                                                      yara_rule
behavioral2/memory/3624-179-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/3624-187-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4704-193-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4704-190-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/3624-176-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4704-209-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4404-214-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4404-218-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 20 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/4548-156-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/4548-157-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/4548-159-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/1372-174-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/3624-179-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/3624-187-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/1620-192-0x0000000010000000-0x0000000010018000-memory.dmp  family_gh0strat
behavioral2/memory/4704-193-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/4704-190-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/1372-183-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/3624-176-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/1372-170-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/728-202-0x0000000010000000-0x000000001003C000-memory.dmp   family_gh0strat
behavioral2/memory/728-206-0x0000000010000000-0x000000001003C000-memory.dmp   family_gh0strat
behavioral2/memory/4704-209-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/728-204-0x0000000010000000-0x000000001003C000-memory.dmp   family_gh0strat
behavioral2/memory/4404-214-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/4548-216-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/1372-217-0x0000000010000000-0x000000001003C000-memory.dmp  family_gh0strat
behavioral2/memory/4404-218-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes: Jkcde.exe
description   ioc                                      process
File created  C:\Windows\system32\drivers\QAssist.sys  Jkcde.exe
Executes dropped EXE 15 IoCs
Processes:
pid   process
220   »¥ÁªÐÒéÈ¡guid.exe
4584  dwm.exe
1488  svchost.exe
3896  _��Э����GUID.exe
4548  wininit.exe
4236  csrss.exe
1372  svchost.exe
4284  bgvdci.exe
3624  csrss.exe
1620  winlogon.exe
4420  bgvdci.exe
4704  Jkcde.exe
728   svchost.exe
4404  Jkcde.exe
3012  svchost.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: Jkcde.exe
description      ioc                                                                                                 process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Jkcde.exe
Processes:
resource                                                                      yara_rule
behavioral2/memory/3624-169-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/3624-179-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4704-186-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/3624-187-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4704-193-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4704-190-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/3624-176-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4704-209-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4404-214-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4404-218-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: »¥ÁªÐÒéÈ¡guid.exe, dwm.exe, csrss.exe
description        ioc                                                                                                process
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  »¥ÁªÐÒéÈ¡guid.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  dwm.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  csrss.exe
Loads dropped DLL 1 IoCs
Processes: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
pid   process
4936  22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: winlogon.exe
description      ioc                                                                                                                                                    process
Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlogon.exe"  winlogon.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: winlogon.exe, Jkcde.exe
description              ioc                                                                                                                                                                   process
File opened (read-only)  \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  winlogon.exe
File opened (read-only)  \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  Jkcde.exe
(23 drive letters per process, every letter except C: and D:, 46 IoCs in total)

Creates a Windows Service
Drops file in System32 directory 2 IoCs
Processes: csrss.exe
description                   ioc                            process
File created                  C:\Windows\SysWOW64\Jkcde.exe  csrss.exe
File opened for modification  C:\Windows\SysWOW64\Jkcde.exe  csrss.exe
Drops file in Windows directory 4 IoCs
Processes: svchost.exe, wininit.exe
description                   ioc                     process
File created                  C:\Windows\bgvdci.exe   svchost.exe
File opened for modification  C:\Windows\bgvdci.exe   svchost.exe
File created                  C:\WINDOWS\svchost.exe  wininit.exe
File opened for modification  C:\WINDOWS\svchost.exe  wininit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: winlogon.exe, Jkcde.exe, wininit.exe, bgvdci.exe
description        ioc                                                                    process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       winlogon.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  winlogon.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       Jkcde.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Jkcde.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       wininit.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  wininit.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       bgvdci.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  bgvdci.exe
Modifies data under HKEY_USERS 5 IoCs
Processes: bgvdci.exe
description      ioc                                                                         process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum              bgvdci.exe
Key created      \REGISTRY\USER\.DEFAULT\Software                                            bgvdci.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft                                  bgvdci.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                      bgvdci.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  bgvdci.exe

Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: wininit.exe, svchost.exe, winlogon.exe, bgvdci.exe
pid   process       entries
4548  wininit.exe   56
728   svchost.exe   4
1620  winlogon.exe  2
4420  bgvdci.exe    2
Suspicious behavior: LoadsDriver 1 IoCs
Processes: Jkcde.exe
pid   process
4404  Jkcde.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: csrss.exe, Jkcde.exe
description                        pid   process
Token: SeIncBasePriorityPrivilege  3624  csrss.exe
Token: SeLoadDriverPrivilege       4404  Jkcde.exe
Token: 33                          4404  Jkcde.exe
Token: SeIncBasePriorityPrivilege  4404  Jkcde.exe
Token: 33                          4404  Jkcde.exe
Token: SeIncBasePriorityPrivilege  4404  Jkcde.exe
Suspicious use of SetWindowsHookEx 8 IoCs
Processes: svchost.exe, _������GUID.exe, wininit.exe, svchost.exe, bgvdci.exe, bgvdci.exe, svchost.exe
pid   process
1488  svchost.exe
3896  _������GUID.exe
3896  _������GUID.exe
4548  wininit.exe
1372  svchost.exe
4284  bgvdci.exe
4420  bgvdci.exe
728   svchost.exe
Suspicious use of WriteProcessMemory 39 IoCs
Processes: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe, »¥ÁªÐÒéÈ¡guid.exe, dwm.exe, csrss.exe, bgvdci.exe, svchost.exe, csrss.exe, Jkcde.exe, cmd.exe
Each of the 13 write events below is recorded three times in the report (39 IoCs in total).
description                       pid   process                                                                process
PID 4936 wrote to memory of 220   4936  22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe  »¥ÁªÐÒéÈ¡guid.exe
PID 220 wrote to memory of 4584   220   »¥ÁªÐÒéÈ¡guid.exe                                                      dwm.exe
PID 4584 wrote to memory of 1488  4584  dwm.exe                                                                svchost.exe
PID 220 wrote to memory of 3896   220   »¥ÁªÐÒéÈ¡guid.exe                                                      _��Э����GUID.exe
PID 4584 wrote to memory of 4548  4584  dwm.exe                                                                wininit.exe
PID 4936 wrote to memory of 4236  4936  22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe  csrss.exe
PID 4236 wrote to memory of 3624  4236  csrss.exe                                                              csrss.exe
PID 4236 wrote to memory of 1620  4236  csrss.exe                                                              winlogon.exe
PID 4284 wrote to memory of 4420  4284  bgvdci.exe                                                             bgvdci.exe
PID 1372 wrote to memory of 728   1372  svchost.exe                                                            svchost.exe
PID 3624 wrote to memory of 4780  3624  csrss.exe                                                              cmd.exe
PID 4704 wrote to memory of 4404  4704  Jkcde.exe                                                              Jkcde.exe
PID 4780 wrote to memory of 3676  4780  cmd.exe                                                                PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\»¥ÁªÐÒéÈ¡guid.exe
        command line: C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\»¥ÁªÐÒéÈ¡guid.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\dwm.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\dwm.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\svchost.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                - Executes dropped EXE
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx

            [4] C:\Users\Admin\AppData\Local\Temp\wininit.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                - Executes dropped EXE
                - Drops file in Windows directory
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\AppData\Local\Temp\_��Э����GUID.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\_��Э����GUID.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\csrss.exe
        command line: C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\csrss.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\csrss.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\csrss.exe > nul
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\PING.EXE
                    command line: ping -n 2 127.0.0.1
                    - Runs ping.exe

        [3] C:\Users\Admin\AppData\Local\Temp\winlogon.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\winlogon.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Enumerates connected drives
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\bgvdci.exe
    command line: C:\Windows\bgvdci.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\bgvdci.exe
        command line: C:\Windows\bgvdci.exe Win7
        - Executes dropped EXE
        - Checks processor information in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

[1] C:\WINDOWS\svchost.exe
    command line: C:\WINDOWS\svchost.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\WINDOWS\svchost.exe
        command line: C:\WINDOWS\svchost.exe Win7
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\Jkcde.exe
    command line: C:\Windows\SysWOW64\Jkcde.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\Jkcde.exe
        command line: C:\Windows\SysWOW64\Jkcde.exe -acsi
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Sets service image path in registry
        - Enumerates connected drives
        - Checks processor information in registry
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken

[1] C:\WINDOWS\svchost.exe
    command line: C:\WINDOWS\svchost.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\_������GUID.exe
Filesize: 2.7MB
MD5: 5a70186f12dc3bae680bdd637cc8b219
SHA1: f26d97a79ae181088687b8e6e4ea6d523dc37596
SHA256: 07ab9b63cf0a2d020d39f2fc894299315363cd3500b7224ce4a15e63ba336aac
SHA512: 0ca65d88a2c93de7defb6dbd8de86ff7ecf922579cc708f57d0bd2f711a7e0deeb41224b0c8a0b6c645cbcee4802699cceda232a2863d07d36187fa320c8a6eb

C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize: 493KB
MD5: 6e43fe2e24e96f78d4c22249128f7c9b
SHA1: 9da7fe7e1674600975518797406069141ebbd6b8
SHA256: 17aa842e6a2e2497e52cd08c2493b1157d2bc850909ecc60e6478e6665047e04
SHA512: 1e74b3440867883b4c1ef8480b184614d01b8f425bc3c624b6edd2d052f225bbc15ebcfbe081ccb23637a1412706f5ea7e1567535c53ff6e6d71f5c79326b7c4

C:\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize: 943KB
MD5: 065fa2244dc34f5acdfc1051bfee419f
SHA1: ef7f27a78a855f494ac36c05f4c77e7b51e0f0d1
SHA256: 4267f2927c21c277e4d3d6ca0d8481893d9633466c603d630d8aec9f275d5423
SHA512: d8347609c4a10c821f01a3ea5a03e07477c6ee7aaa9293682eba8216808ba508a3693c2615273f3e8803801082994bf2ca2b646aa0f72806ea83581adb985eeb

C:\Users\Admin\AppData\Local\Temp\nsqE273.tmp\System.dll
Filesize: 11KB
MD5: 00a0194c20ee912257df53bfe258ee4a
SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize: 548KB
MD5: 78137186996510b23a00697ab414b665
SHA1: ad6710983038601b1daf54518a118ffff97a4e2c
SHA256: c7b2995263d51ca44629938128d95eea3b99fbcb49b709ce0e0b5a37bf992058
SHA512: 99e67daa3c627a5dd0f90b27bcf572951e4b3bcc21302935e664f045d6e3f0b2bfcec56c8316bd39a1851545d5882f726a3ac9bbc9a4fbf98973abeb8089d048

C:\Users\Admin\AppData\Local\Temp\wininit.exe
Filesize: 712KB
MD5: a2799ead3ab061f503fc61b0c25c5a1e
SHA1: 779d783f529c04759af889e64f6282198d36feba
SHA256: 48e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512: b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837

C:\Users\Admin\AppData\Local\Temp\winlogon.exe
Filesize: 552KB
MD5: 681c08b1d7cbc778ab6b10f0ebb8b56d
SHA1: 3c471975ce8fa42d4d9c4ab31eff56f3226e6ddc
SHA256: 239091aa1da51a8461579ee93c4e3bb904ef8b36bcdaf0359e7ffd0aae38b273
SHA512: a06cee0ce9d35f1304780d7004a1dfb714e6e9e399cae26573bbfc0d421deb44bd6b889a2c524070603b57c8b0e3ad20fb776215ac1d269777a95d3b29b44673

C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\csrss.exe
Filesize: 609KB
MD5: ff64d99b1ce683431a98af3c9a01c146
SHA1: 2ccc728a6a4f293e5c744ee67293f03493ef50b9
SHA256: b3f275b1985c82b9059522c91506af08524dad359f17e80b7fa621819da3ba70
SHA512: 3e7db53dc632ab79ac97ae4855a44ef1275830054abc19269f4e1da2021af13587e5582fed595c2fe7b582651c163aabd978ca1e4d6eee4fe4dc23797a587f96

C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\»¥ÁªÐÒéÈ¡guid.exe
Filesize: 2.5MB
MD5: 360d04bba9afd0bac662d2d2cd9546c5
SHA1: f7663900accb6ab3e9ecbbf4615e86a052d5b1cc
SHA256: c3b3fb8205a448486664d6336075c4dfdf4836b159e7532c63d92c2d4f0d07c2
SHA512: b8e196f5809a796f7243d1c0b607fc768b8aa311db099ab80f69bc6fad549d54519ba937efb84978cd5d7f139ab30291fe56589e896362b5a7a3babd39133716

C:\WINDOWS\svchost.exe
Filesize: 712KB
MD5: a2799ead3ab061f503fc61b0c25c5a1e
SHA1: 779d783f529c04759af889e64f6282198d36feba
SHA256: 48e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512: b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837

C:\Windows\SysWOW64\Jkcde.exe
Filesize: 493KB
MD5: 6e43fe2e24e96f78d4c22249128f7c9b
SHA1: 9da7fe7e1674600975518797406069141ebbd6b8
SHA256: 17aa842e6a2e2497e52cd08c2493b1157d2bc850909ecc60e6478e6665047e04
SHA512: 1e74b3440867883b4c1ef8480b184614d01b8f425bc3c624b6edd2d052f225bbc15ebcfbe081ccb23637a1412706f5ea7e1567535c53ff6e6d71f5c79326b7c4

C:\Windows\bgvdci.exe
Filesize: 548KB
MD5: 78137186996510b23a00697ab414b665
SHA1: ad6710983038601b1daf54518a118ffff97a4e2c
SHA256: c7b2995263d51ca44629938128d95eea3b99fbcb49b709ce0e0b5a37bf992058
SHA512: 99e67daa3c627a5dd0f90b27bcf572951e4b3bcc21302935e664f045d6e3f0b2bfcec56c8316bd39a1851545d5882f726a3ac9bbc9a4fbf98973abeb8089d048

C:\Windows\svchost.exe
Filesize: 712KB
MD5: a2799ead3ab061f503fc61b0c25c5a1e
SHA1: 779d783f529c04759af889e64f6282198d36feba
SHA256: 48e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512: b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837

memory/220-133-0x0000000000000000-mapping.dmp
memory/728-206-0x0000000010000000-0x000000001003C000-memory.dmp   Filesize 240KB
memory/728-204-0x0000000010000000-0x000000001003C000-memory.dmp   Filesize 240KB
memory/728-202-0x0000000010000000-0x000000001003C000-memory.dmp   Filesize 240KB
memory/728-189-0x0000000000000000-mapping.dmp
memory/1372-217-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/1372-174-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/1372-170-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/1372-183-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/1488-149-0x0000000010000000-0x000000001000F000-memory.dmp  Filesize 60KB
memory/1488-139-0x0000000000000000-mapping.dmp
memory/1620-201-0x0000000010015000-0x0000000010018000-memory.dmp  Filesize 12KB
memory/1620-171-0x0000000000000000-mapping.dmp
memory/1620-192-0x0000000010000000-0x0000000010018000-memory.dmp  Filesize 96KB
memory/3624-187-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/3624-164-0x0000000000000000-mapping.dmp
memory/3624-169-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/3624-179-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/3624-176-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/3676-213-0x0000000000000000-mapping.dmp
memory/3896-142-0x0000000000000000-mapping.dmp
memory/3896-158-0x0000000000400000-0x00000000006D4000-memory.dmp  Filesize 2.8MB
memory/3896-215-0x0000000000400000-0x00000000006D4000-memory.dmp  Filesize 2.8MB
memory/4236-146-0x0000000000000000-mapping.dmp
memory/4404-218-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/4404-214-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/4404-205-0x0000000000000000-mapping.dmp
memory/4420-181-0x0000000000000000-mapping.dmp
memory/4548-153-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/4548-159-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/4548-145-0x0000000000000000-mapping.dmp
memory/4548-216-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/4548-156-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/4548-157-0x0000000010000000-0x000000001003C000-memory.dmp  Filesize 240KB
memory/4584-136-0x0000000000000000-mapping.dmp
memory/4704-209-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/4704-193-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/4704-190-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/4704-186-0x0000000010000000-0x00000000101BA000-memory.dmp  Filesize 1.7MB
memory/4780-203-0x0000000000000000-mapping.dmp