6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

Analysis

max time kernel
139s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Size

1.3MB
MD5

410612cb41fe82d39059b48a43f02136
SHA1

67f7fd1fa044aaaa96e3eae0e721c7d470fa6703
SHA256

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36
SHA512

41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e
SSDEEP

12288:yZM3GMiUdXrc0y+QjmcgrAtUwo4rwjVjRCTnZ2V/O:y9qwodjVjMTn4G

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZZknjnfvcs\\Conhost.exe"	reg.exe

Executes dropped EXE 4 IoCs

Processes:

svhost.exeConhost.exesvhost.exeConhost.exe

pid process

2028 svhost.exe
556 Conhost.exe
1808 svhost.exe
1740 Conhost.exe
Loads dropped DLL 6 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.execmd.exeConhost.exe

pid process

1500 6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1788 cmd.exe
1788 cmd.exe
556 Conhost.exe
1788 cmd.exe
1788 cmd.exe

pid	process
2028	svhost.exe
556	Conhost.exe
1808	svhost.exe
1740	Conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exeConhost.exe

description	pid	process	target process
PID 1500 set thread context of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 556 set thread context of 1808	556	Conhost.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2044 timeout.exe
1412 timeout.exe
664 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1292 tasklist.exe
1680 tasklist.exe

pid	process
2044	timeout.exe
1412	timeout.exe
664	timeout.exe

pid	process
1292	tasklist.exe
1680	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000f4667349f719ccd4b94857118e401c0af7d2232a7a1c1ff8df819106230641bb000000000e800000000200002000000085f15b006e82c3a8f99712e2fbae297026e72cce8180935ef184a49db0a6675420000000df752d8998fd2449addc641849539df7bae09ca56c37c26cf15746826b21b615400000000064dc1247d23ca5f0a48f1c29ff60a25dbe51c2821217ba1ffa26e002500ead8fba2c8a307257d10cd4bc038171d82f1ddb684de4a53f755ff05bada82fcd1a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5047237f5504d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376534257"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4415271-7048-11ED-B4FB-76D99E3F6056} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000006b2c8100afd630b902d4410e080780060f9f53210708df118a9d89a52381a7e2000000000e80000000020000200000006915587e6e85797f418c812686998c061bbbee3735a7be24727cffac03f03b8b900000003bafcf7f2fc9ad25b9420d9fd72dfa735f40799f3bd0ca43280885b328e8d70f1c0303f09d99349aed0c106d11ba3e23007d36839735043914ff0f297317243b126794c8646e53398b67ce0238367d988c2fba6feff514b5d68ac7fc3ed514533ee8ab93cfcd1d6417ecac3188db4c2dcef7cbf23dec7145f5ea97548838a85983f16feca236b6440c9ea31361029727400000006760f8a390086724a9ad4697732d051bfcb35e865bdc46441ea55285d53d55c4a3ae7b183584f91b142df2e6519cc7d885da39d7992626a2615c7ce353bc8e36	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exeConhost.exeiexplore.exeConhost.exe

pid	process
1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
556	Conhost.exe
556	Conhost.exe
556	Conhost.exe
556	Conhost.exe
556	Conhost.exe
556	Conhost.exe
728	iexplore.exe
1740	Conhost.exe
1740	Conhost.exe
1740	Conhost.exe
1740	Conhost.exe
1740	Conhost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exetasklist.exeConhost.exetasklist.exeConhost.exe

description	pid	process
Token: SeDebugPrivilege	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Token: 33	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Token: SeIncBasePriorityPrivilege	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
Token: SeDebugPrivilege	1292	tasklist.exe
Token: SeDebugPrivilege	556	Conhost.exe
Token: 33	556	Conhost.exe
Token: SeIncBasePriorityPrivilege	556	Conhost.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	1740	Conhost.exe
Token: 33	1740	Conhost.exe
Token: SeIncBasePriorityPrivilege	1740	Conhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

728 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
728	iexplore.exe
728	iexplore.exe
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.execmd.exewscript.execmd.exesvhost.execmd.exeiexplore.exeConhost.exe

description	pid	process	target process
PID 1500 wrote to memory of 1120	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1120	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1120	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1120	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1500 wrote to memory of 2028	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	svhost.exe
PID 1120 wrote to memory of 556	1120	cmd.exe	wscript.exe
PID 1120 wrote to memory of 556	1120	cmd.exe	wscript.exe
PID 1120 wrote to memory of 556	1120	cmd.exe	wscript.exe
PID 1120 wrote to memory of 556	1120	cmd.exe	wscript.exe
PID 556 wrote to memory of 536	556	wscript.exe	cmd.exe
PID 556 wrote to memory of 536	556	wscript.exe	cmd.exe
PID 556 wrote to memory of 536	556	wscript.exe	cmd.exe
PID 556 wrote to memory of 536	556	wscript.exe	cmd.exe
PID 536 wrote to memory of 560	536	cmd.exe	reg.exe
PID 536 wrote to memory of 560	536	cmd.exe	reg.exe
PID 536 wrote to memory of 560	536	cmd.exe	reg.exe
PID 536 wrote to memory of 560	536	cmd.exe	reg.exe
PID 1500 wrote to memory of 1788	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1788	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1788	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1788	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 2028 wrote to memory of 728	2028	svhost.exe	iexplore.exe
PID 2028 wrote to memory of 728	2028	svhost.exe	iexplore.exe
PID 2028 wrote to memory of 728	2028	svhost.exe	iexplore.exe
PID 2028 wrote to memory of 728	2028	svhost.exe	iexplore.exe
PID 1500 wrote to memory of 1812	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1812	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1812	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1500 wrote to memory of 1812	1500	6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe	cmd.exe
PID 1788 wrote to memory of 2044	1788	cmd.exe	timeout.exe
PID 1788 wrote to memory of 2044	1788	cmd.exe	timeout.exe
PID 1788 wrote to memory of 2044	1788	cmd.exe	timeout.exe
PID 1788 wrote to memory of 2044	1788	cmd.exe	timeout.exe
PID 728 wrote to memory of 1220	728	iexplore.exe	IEXPLORE.EXE
PID 728 wrote to memory of 1220	728	iexplore.exe	IEXPLORE.EXE
PID 728 wrote to memory of 1220	728	iexplore.exe	IEXPLORE.EXE
PID 728 wrote to memory of 1220	728	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1292	1788	cmd.exe	tasklist.exe
PID 1788 wrote to memory of 1292	1788	cmd.exe	tasklist.exe
PID 1788 wrote to memory of 1292	1788	cmd.exe	tasklist.exe
PID 1788 wrote to memory of 1292	1788	cmd.exe	tasklist.exe
PID 1788 wrote to memory of 1724	1788	cmd.exe	find.exe
PID 1788 wrote to memory of 1724	1788	cmd.exe	find.exe
PID 1788 wrote to memory of 1724	1788	cmd.exe	find.exe
PID 1788 wrote to memory of 1724	1788	cmd.exe	find.exe
PID 1788 wrote to memory of 556	1788	cmd.exe	Conhost.exe
PID 1788 wrote to memory of 556	1788	cmd.exe	Conhost.exe
PID 1788 wrote to memory of 556	1788	cmd.exe	Conhost.exe
PID 1788 wrote to memory of 556	1788	cmd.exe	Conhost.exe
PID 556 wrote to memory of 1808	556	Conhost.exe	svhost.exe
PID 556 wrote to memory of 1808	556	Conhost.exe	svhost.exe
PID 556 wrote to memory of 1808	556	Conhost.exe	svhost.exe
PID 556 wrote to memory of 1808	556	Conhost.exe	svhost.exe
PID 556 wrote to memory of 1808	556	Conhost.exe	svhost.exe
PID 556 wrote to memory of 1808	556	Conhost.exe	svhost.exe
PID 556 wrote to memory of 1808	556	Conhost.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe
"C:\Users\Admin\AppData\Local\Temp\6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:560

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:728 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:728 CREDAT:4207621 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:728 CREDAT:1258514 /prefetch:2
4⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\timeout.exe
timeout /t 60
3⤵
- Delays execution with timeout.exe
PID:2044

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq svhost .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\find.exe
find /i "svhost .exe"
3⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
"C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
4⤵
- Executes dropped EXE
PID:1808

C:\Windows\SysWOW64\timeout.exe
timeout /t 60
3⤵
- Delays execution with timeout.exe
PID:1412

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq svhost .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\find.exe
find /i "svhost .exe"
3⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
"C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
4⤵
PID:1188

C:\Windows\SysWOW64\timeout.exe
timeout /t 60
3⤵
- Delays execution with timeout.exe
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\melt.bat
2⤵
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.1MB

MD5
a266e78fe04a69c9bb156cad257eb65e

SHA1
df3fa6d615a0c594b066086f2b0bde055611625c

SHA256
9cff09f7eeb986b873243b369d5428cc388e2c9198448e992f8dc522ade7d064

SHA512
5d3d8153b44d8b04be68caffff7c8e714360266a0d9c54617dcff800e513e815708f3f726bf3c944afddeeb6e266c3315e1e8188cb65ec5e86c56825aeea3001

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.3MB

MD5
410612cb41fe82d39059b48a43f02136

SHA1
67f7fd1fa044aaaa96e3eae0e721c7d470fa6703

SHA256
6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

SHA512
41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.3MB

MD5
410612cb41fe82d39059b48a43f02136

SHA1
67f7fd1fa044aaaa96e3eae0e721c7d470fa6703

SHA256
6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

SHA512
41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata.bat
Filesize
70B

MD5
17658b3d0a055fb3c516f328657b1051

SHA1
2a3fc5831f96e2cf974471c38b9e589956c151ef

SHA256
0ae91ee491e8a09058a9212ad0924153c9eed7b7ff48f9b374b0cc3d75a4e17f

SHA512
919881bd8a16a1e9c3df0bd0523196ea3f8f8363d26429be0ea334aa83cb2eb5cb73c3bf284186654642f9ba46e14b998cc472e9cfda34dd1975a0659f7d8126

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\mata2.bat
Filesize
270B

MD5
04d4c88cb0021bd60dcc8e1c07386d4a

SHA1
d21768e0707d5c38cb4b94ecfe4418b8d817e068

SHA256
c59ba5ded9790de55f0fa3df9eedd06adad0c2a6b38f0291a5b1c904157b065b

SHA512
42cc4fa0c8ac7aca8b8ee9bab87e95261aaf65612e0b33830efa580bc3a22ee4c1a53c061f70cf8b57676c63a23520d7a337ad8b78f14675fe648893ffe6ba80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\melt.bat
Filesize
120B

MD5
25730eb2d1ae73e5ccd756cc6b61f4d2

SHA1
7eafc9463099578927f06b40c684de6f6ad1065f

SHA256
5f31e2195f7beb7d29573a5a781610dbc5fd077dd9ad78acc886fdcd3acb024f

SHA512
9d250de84934b6f5ce2997d5f91d15b731780345fb19a710f32728a2273397b5b538e2ce9c62a03a49ddd0b3d79de234c5fa12624518c6c20cf445c17354aa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat
Filesize
211B

MD5
18ea8efac3f2cfc8154015a96b3a159f

SHA1
461cb487adbc0721b8d21da7b97f790c9c6869db

SHA256
80efc38401320040db9885e0d801306b22cad5fb56fa6a70eece8beeff1c62f2

SHA512
190cc74fd824f84b94109b73e4ff39913dd983afd562bf75e0137c372230ce191c181f50e9cef28afc198aee88a70b6fd4223e8379d5ea6c4378d392ab61a351

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat
Filesize
211B

MD5
18ea8efac3f2cfc8154015a96b3a159f

SHA1
461cb487adbc0721b8d21da7b97f790c9c6869db

SHA256
80efc38401320040db9885e0d801306b22cad5fb56fa6a70eece8beeff1c62f2

SHA512
190cc74fd824f84b94109b73e4ff39913dd983afd562bf75e0137c372230ce191c181f50e9cef28afc198aee88a70b6fd4223e8379d5ea6c4378d392ab61a351

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\svhost.bat
Filesize
211B

MD5
18ea8efac3f2cfc8154015a96b3a159f

SHA1
461cb487adbc0721b8d21da7b97f790c9c6869db

SHA256
80efc38401320040db9885e0d801306b22cad5fb56fa6a70eece8beeff1c62f2

SHA512
190cc74fd824f84b94109b73e4ff39913dd983afd562bf75e0137c372230ce191c181f50e9cef28afc198aee88a70b6fd4223e8379d5ea6c4378d392ab61a351

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UV18F0B5.txt
Filesize
603B

MD5
7d38696701203e82bbb09fb8a3913245

SHA1
27f7154c6a3b388656cad1cfba908ae33a68f188

SHA256
56e08ee0a32a6dbfa6aadc97c7b0ca35452827e8e21575c2fc98f897dfc711a1

SHA512
10151f91d7b1b28d13e1bf0555897be939859e3c6307374613ff71f3c12e5fda9549db2ad8655a29ef91deafa81d8bb55f1d8876b16952905c1e691d40f5774b

Download Submit
\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.3MB

MD5
410612cb41fe82d39059b48a43f02136

SHA1
67f7fd1fa044aaaa96e3eae0e721c7d470fa6703

SHA256
6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

SHA512
41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

Download Submit
\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
917KB

MD5
d4c2ec5a3dbf948107a1375e9e024e94

SHA1
c207f969de9042fd54940a92bf868619ce8539a3

SHA256
d803d0f7f74d051f94d273b6b30ed2ffad021ebecdca22146b51b13f0d26ad4f

SHA512
0913ec7f345a38de0b477d323e4f882c966558bffbd25ff1517e4698193c50b24a8986f91111ae0802ec4d70e626145b44c723a4f8d06c25a1095741aa1a6428

Download Submit
\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.3MB

MD5
410612cb41fe82d39059b48a43f02136

SHA1
67f7fd1fa044aaaa96e3eae0e721c7d470fa6703

SHA256
6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

SHA512
41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

Download Submit
\Users\Admin\AppData\Local\Temp\ZZknjnfvcs\Conhost.exe
Filesize
1.3MB

MD5
410612cb41fe82d39059b48a43f02136

SHA1
67f7fd1fa044aaaa96e3eae0e721c7d470fa6703

SHA256
6411d6c24280f07a64248e1442cad9138df636556f6c388c31e9df3907bb4d36

SHA512
41440fba7d996907b23078813a0a1f980c3b6a7fe0379a818f9168ede2ded240346059087be9f816d7e87ca100fd50781e9743f955948a8abf35b83ea40a8b9e

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
memory/536-76-0x0000000000000000-mapping.dmp

Download
memory/556-107-0x0000000071740000-0x0000000071CEB000-memory.dmp

Filesize
5.7MB

Download
memory/556-110-0x0000000071740000-0x0000000071CEB000-memory.dmp

Filesize
5.7MB

Download
memory/556-68-0x0000000000000000-mapping.dmp

Download
memory/556-90-0x0000000000000000-mapping.dmp

Download
memory/560-77-0x0000000000000000-mapping.dmp

Download
memory/664-138-0x0000000000000000-mapping.dmp

Download
memory/896-114-0x0000000000000000-mapping.dmp

Download
memory/1120-56-0x0000000000000000-mapping.dmp

Download
memory/1188-130-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1188-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1188-127-0x000000000041952E-mapping.dmp

Download
memory/1292-86-0x0000000000000000-mapping.dmp

Download
memory/1412-112-0x0000000000000000-mapping.dmp

Download
memory/1500-85-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1500-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1500-55-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1680-113-0x0000000000000000-mapping.dmp

Download
memory/1724-87-0x0000000000000000-mapping.dmp

Download
memory/1740-136-0x00000000716F0000-0x0000000071C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-134-0x00000000716F0000-0x0000000071C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-117-0x0000000000000000-mapping.dmp

Download
memory/1788-79-0x0000000000000000-mapping.dmp

Download
memory/1808-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1808-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1808-100-0x000000000041952E-mapping.dmp

Download
memory/1812-81-0x0000000000000000-mapping.dmp

Download
memory/2028-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2028-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2028-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2028-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2028-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2028-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2028-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2028-65-0x000000000041952E-mapping.dmp

Download
memory/2044-83-0x0000000000000000-mapping.dmp

Download