38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c

Analysis

max time kernel
153s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
Size

460KB
MD5

5ea129b89440008e1e26ec68000d041b
SHA1

6e7203625e657415245e4344df8d2cf31fd66cf0
SHA256

38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c
SHA512

110c8caa5ed67705ec12b8bc764bc84455e5a14ae410ebac300eee21b29664c2c3ae188aca3a9d01aeb1bf64c300be19279d57b90102c00a3d5050dc1d2eb714
SSDEEP

12288:OlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:OlSt69HNx6T/5xT

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	iBdqphzke5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fuowuoy.exe

Executes dropped EXE 7 IoCs

pid	Process
964	iBdqphzke5.exe
960	fuowuoy.exe
1892	astat.exe
1812	astat.exe
1656	dstat.exe
1896	fstat.exe
336	csrss.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1812-82-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1812-85-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1812-84-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1812-90-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1812-89-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1812-100-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
588	cmd.exe

Loads dropped DLL 10 IoCs

pid	Process
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
964	iBdqphzke5.exe
964	iBdqphzke5.exe
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /b"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /W"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /x"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /D"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /U"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /O"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /K"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /j"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /X"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /o"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /e"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /M"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /Y"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /H"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /c"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /T"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /L"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /J"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /f"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /t"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /C"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /m"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /l"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /n"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /Q"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /i"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /P"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /p"	fuowuoy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iBdqphzke5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /N"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /S"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /R"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /g"	iBdqphzke5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /h"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /E"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /k"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /g"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /v"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /a"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /u"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /I"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /A"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /F"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /q"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /G"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /V"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /r"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /w"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /z"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /B"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /y"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /d"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /Z"	fuowuoy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuowuoy = "C:\\Users\\Admin\\fuowuoy.exe /s"	fuowuoy.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fuowuoy.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1892 set thread context of 1812	1892	astat.exe	30
PID 1896 set thread context of 1552	1896	fstat.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1816	tasklist.exe
584	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
964	iBdqphzke5.exe
964	iBdqphzke5.exe
1812	astat.exe
960	fuowuoy.exe
960	fuowuoy.exe
960	fuowuoy.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
960	fuowuoy.exe
960	fuowuoy.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
960	fuowuoy.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
960	fuowuoy.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
960	fuowuoy.exe
1812	astat.exe
960	fuowuoy.exe
1812	astat.exe
1812	astat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	tasklist.exe
Token: SeDebugPrivilege	1896	fstat.exe
Token: SeDebugPrivilege	1896	fstat.exe
Token: SeDebugPrivilege	584	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
964	iBdqphzke5.exe
960	fuowuoy.exe
1892	astat.exe
1656	dstat.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 964	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	27
PID 1076 wrote to memory of 964	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	27
PID 1076 wrote to memory of 964	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	27
PID 1076 wrote to memory of 964	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	27
PID 964 wrote to memory of 960	964	iBdqphzke5.exe	28
PID 964 wrote to memory of 960	964	iBdqphzke5.exe	28
PID 964 wrote to memory of 960	964	iBdqphzke5.exe	28
PID 964 wrote to memory of 960	964	iBdqphzke5.exe	28
PID 1076 wrote to memory of 1892	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	29
PID 1076 wrote to memory of 1892	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	29
PID 1076 wrote to memory of 1892	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	29
PID 1076 wrote to memory of 1892	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	29
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 1892 wrote to memory of 1812	1892	astat.exe	30
PID 964 wrote to memory of 1364	964	iBdqphzke5.exe	31
PID 964 wrote to memory of 1364	964	iBdqphzke5.exe	31
PID 964 wrote to memory of 1364	964	iBdqphzke5.exe	31
PID 964 wrote to memory of 1364	964	iBdqphzke5.exe	31
PID 1364 wrote to memory of 1816	1364	cmd.exe	33
PID 1364 wrote to memory of 1816	1364	cmd.exe	33
PID 1364 wrote to memory of 1816	1364	cmd.exe	33
PID 1364 wrote to memory of 1816	1364	cmd.exe	33
PID 1076 wrote to memory of 1656	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	35
PID 1076 wrote to memory of 1656	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	35
PID 1076 wrote to memory of 1656	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	35
PID 1076 wrote to memory of 1656	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	35
PID 960 wrote to memory of 1816	960	fuowuoy.exe	33
PID 960 wrote to memory of 1816	960	fuowuoy.exe	33
PID 1076 wrote to memory of 1896	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	36
PID 1076 wrote to memory of 1896	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	36
PID 1076 wrote to memory of 1896	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	36
PID 1076 wrote to memory of 1896	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	36
PID 1896 wrote to memory of 1256	1896	fstat.exe	14
PID 1896 wrote to memory of 336	1896	fstat.exe	6
PID 1896 wrote to memory of 1552	1896	fstat.exe	37
PID 1896 wrote to memory of 1552	1896	fstat.exe	37
PID 1896 wrote to memory of 1552	1896	fstat.exe	37
PID 1896 wrote to memory of 1552	1896	fstat.exe	37
PID 1896 wrote to memory of 1552	1896	fstat.exe	37
PID 1076 wrote to memory of 588	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	39
PID 1076 wrote to memory of 588	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	39
PID 1076 wrote to memory of 588	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	39
PID 1076 wrote to memory of 588	1076	38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe	39
PID 588 wrote to memory of 584	588	cmd.exe	41
PID 588 wrote to memory of 584	588	cmd.exe	41
PID 588 wrote to memory of 584	588	cmd.exe	41
PID 588 wrote to memory of 584	588	cmd.exe	41

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
  "C:\Users\Admin\AppData\Local\Temp\38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\iBdqphzke5.exe
    C:\Users\Admin\iBdqphzke5.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Users\Admin\fuowuoy.exe
      "C:\Users\Admin\fuowuoy.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
- - C:\Users\Admin\astat.exe
    C:\Users\Admin\astat.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\astat.exe
      "C:\Users\Admin\astat.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1812
- - C:\Users\Admin\dstat.exe
    C:\Users\Admin\dstat.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1656
- - C:\Users\Admin\fstat.exe
    C:\Users\Admin\fstat.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 38b81f427b8d65a31b8cfc5098ab6bb823f6c8b22b2de5a558c042c09be4774c.exe
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\dstat.exe

Filesize
36KB

MD5
b6da847084e39e0cecf175c32c91b4bb

SHA1
fbfd9494fabed5220cdf01866ff088fe7adc535b

SHA256
065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

SHA512
59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Download Submit
C:\Users\Admin\fstat.exe

Filesize
271KB

MD5
34353cf7e1d1b10bcbbcae0745110535

SHA1
2fb471681daac6f6d66477b7772025da4f58c508

SHA256
b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

SHA512
7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

Download Submit
C:\Users\Admin\fstat.exe

Filesize
271KB

MD5
34353cf7e1d1b10bcbbcae0745110535

SHA1
2fb471681daac6f6d66477b7772025da4f58c508

SHA256
b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

SHA512
7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

Download Submit
C:\Users\Admin\fuowuoy.exe

Filesize
244KB

MD5
aaee8074e0a287cc3a1e69961b10f430

SHA1
fb66b39304810e6a7cf7e250974f72374772aa37

SHA256
60ecd88a51ecfd216584d01d6d08cc7cc804eb89d00d40b9cf06f4e357f5f37d

SHA512
77e9593cca7bb2329bae6ec07b73235c896718cc702b84f04860f30597918327ae583ab831e4e7a305b10acbb8daec4bd76a21ef0ccc2044a13fc1bb05d1a9ec

Download Submit
C:\Users\Admin\fuowuoy.exe

Filesize
244KB

MD5
aaee8074e0a287cc3a1e69961b10f430

SHA1
fb66b39304810e6a7cf7e250974f72374772aa37

SHA256
60ecd88a51ecfd216584d01d6d08cc7cc804eb89d00d40b9cf06f4e357f5f37d

SHA512
77e9593cca7bb2329bae6ec07b73235c896718cc702b84f04860f30597918327ae583ab831e4e7a305b10acbb8daec4bd76a21ef0ccc2044a13fc1bb05d1a9ec

Download Submit
C:\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
C:\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
4d7cde615a0f534bd5e359951829554b

SHA1
c885d00d9000f2a5dbc78f6193a052b36f4fe968

SHA256
414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a

SHA512
33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

Download Submit
\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
\Users\Admin\dstat.exe

Filesize
36KB

MD5
b6da847084e39e0cecf175c32c91b4bb

SHA1
fbfd9494fabed5220cdf01866ff088fe7adc535b

SHA256
065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

SHA512
59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Download Submit
\Users\Admin\dstat.exe

Filesize
36KB

MD5
b6da847084e39e0cecf175c32c91b4bb

SHA1
fbfd9494fabed5220cdf01866ff088fe7adc535b

SHA256
065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

SHA512
59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Download Submit
\Users\Admin\fstat.exe

Filesize
271KB

MD5
34353cf7e1d1b10bcbbcae0745110535

SHA1
2fb471681daac6f6d66477b7772025da4f58c508

SHA256
b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

SHA512
7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

Download Submit
\Users\Admin\fstat.exe

Filesize
271KB

MD5
34353cf7e1d1b10bcbbcae0745110535

SHA1
2fb471681daac6f6d66477b7772025da4f58c508

SHA256
b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

SHA512
7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

Download Submit
\Users\Admin\fuowuoy.exe

Filesize
244KB

MD5
aaee8074e0a287cc3a1e69961b10f430

SHA1
fb66b39304810e6a7cf7e250974f72374772aa37

SHA256
60ecd88a51ecfd216584d01d6d08cc7cc804eb89d00d40b9cf06f4e357f5f37d

SHA512
77e9593cca7bb2329bae6ec07b73235c896718cc702b84f04860f30597918327ae583ab831e4e7a305b10acbb8daec4bd76a21ef0ccc2044a13fc1bb05d1a9ec

Download Submit
\Users\Admin\fuowuoy.exe

Filesize
244KB

MD5
aaee8074e0a287cc3a1e69961b10f430

SHA1
fb66b39304810e6a7cf7e250974f72374772aa37

SHA256
60ecd88a51ecfd216584d01d6d08cc7cc804eb89d00d40b9cf06f4e357f5f37d

SHA512
77e9593cca7bb2329bae6ec07b73235c896718cc702b84f04860f30597918327ae583ab831e4e7a305b10acbb8daec4bd76a21ef0ccc2044a13fc1bb05d1a9ec

Download Submit
\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
4d7cde615a0f534bd5e359951829554b

SHA1
c885d00d9000f2a5dbc78f6193a052b36f4fe968

SHA256
414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a

SHA512
33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

Download Submit
memory/336-142-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/1076-56-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1256-133-0x00000000029D0000-0x00000000029D6000-memory.dmp

Filesize
24KB

Download
memory/1256-125-0x00000000029D0000-0x00000000029D6000-memory.dmp

Filesize
24KB

Download
memory/1256-129-0x00000000029D0000-0x00000000029D6000-memory.dmp

Filesize
24KB

Download
memory/1812-100-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1812-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1812-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1812-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1812-84-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1812-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1812-89-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1896-120-0x0000000003110000-0x000000000314D000-memory.dmp

Filesize
244KB

Download
memory/1896-121-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-123-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-119-0x00000000029E1000-0x00000000029EE000-memory.dmp

Filesize
52KB

Download
memory/1896-118-0x00000000029EE000-0x00000000029F2000-memory.dmp

Filesize
16KB

Download
memory/1896-117-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1896-124-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-134-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-135-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1896-137-0x00000000029E1000-0x00000000029EE000-memory.dmp

Filesize
52KB

Download
memory/1896-136-0x00000000029EE000-0x00000000029F2000-memory.dmp

Filesize
16KB

Download
memory/1896-138-0x0000000003110000-0x000000000314D000-memory.dmp

Filesize
244KB

Download
memory/1896-116-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-115-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-141-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-114-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-111-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-108-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-146-0x0000000003110000-0x000000000314D000-memory.dmp

Filesize
244KB

Download
memory/1896-145-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1896-147-0x00000000029E0000-0x0000000002A1D000-memory.dmp

Filesize
244KB

Download
memory/1896-107-0x0000000002380000-0x00000000023C6000-memory.dmp

Filesize
280KB

Download
memory/1896-106-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download