ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b

Analysis

max time kernel
34s
max time network
53s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
Size

895KB
MD5

91c74045c22cda53e2c8ce28c6b0f864
SHA1

181a3fbf00c45f02c52baae80eed10419d01bb1e
SHA256

ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b
SHA512

0e1884357b4093e66fe108595b9257bbad96962133a862b4cb8c1f828e2e0c6eb4877eef3a7719caed156b71e5aa46e3c6823ac8280aebc089b42b6c79af6756
SSDEEP

12288:4swGFtMCVAJv5/EuT0EWFOaiv5z21fx9bSjk6CUbSjXUnY7iUnY7W96I/9:hnFtBVAxPZWFOaau29kCYGCYK960

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-54-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/1708-56-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NVFZGDV = "C:\\Windows\\PNVEFNTWM.COM"	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\BTHUDTASK.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CTTUNESVR.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\DCCW.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DVDUPGRD.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CALC.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DISPLAYSWITCH.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\com\en-US\COMREPL.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\AUTOCHK.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CTTUNESVR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DEVICEPROPERTIES.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DCCW.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\com\fr-FR\COMREPL.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ARP.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CERTUTIL.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CLIP.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CERTREQ.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\AUTOFMT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DVDPLAY.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\com\es-ES\MIGREGDB.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CTFMON.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DOSKEY.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DRVINST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\BOOTCFG.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\COMP.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DISM.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DPISCALING.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\ATTRIB.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\DCOMCNFG.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CHKDSK.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CMDKEY.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CERTENROLLCTRL.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\COLORCPL.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\EHSTORAUTHN.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DRIVERQUERY.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CHKDSK.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CTTUNE.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ADAPTERTROUBLESHOOTER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\AUDIODG.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DCOMCNFG.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CIPHER.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\AUTOCONV.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\COMPUTERDEFAULTS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DXDIAG.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\BTHUDTASK.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CHOICE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CSRSS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CMSTP.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ATBROKER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\EUDCEDIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\EVENTCREATE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CMDL32.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\CMMON32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DFRGUI.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\AUTOCONV.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CHARMAP.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CMMON32.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\com\MIGREGDB.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\AT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\COMPACT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\EXPAND.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\AUTOCHK.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\CERTUTIL.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\com\es-ES\COMREPL.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\SysWOW64\com\ja-JP\COMREPL.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Boot\PCAT\en-US\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\hu-HU\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\EHEXTHOST.EXE.CONFIG	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\EHSHELL.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\de-DE\MEMTEST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\fr-FR\EHPRIVJOB.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\MCGLIDHOST.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ja-JP\WINHLP32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\it-IT\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\pt-PT\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\de-DE\FVEUPDATE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\EHREC.EXE.CONFIG	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ja-JP\FVEUPDATE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\BFSVC.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\ru-RU\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\EHRECVR.EXE.CONFIG	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\es-ES\EHMSAS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\fr-FR\EHMSAS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\en-US\REGEDIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\it-IT\HELPPANE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ja-JP\HELPPANE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\nb-NO\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\EHRECVR.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\fr-FR\MCUPDATE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\WTVCONVERTER.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\es-ES\EXPLORER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\fr-FR\REGEDIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Speech\Common\en-US\SAPISVR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\es-ES\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\de-DE\WINHLP32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\en-US\EHMSAS.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\it-IT\EHREC.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\en-US\HELPPANE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Speech\Common\de-DE\SAPISVR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Speech\Common\fr-FR\SAPISVR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\cs-CZ\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\it-IT\MEMTEST.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\zh-CN\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\de-DE\BFSVC.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\EHPRIVJOB.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\es-ES\EHREC.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\es-ES\EHRECVR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\it-IT\EHSCHED.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\ja-JP\EHSCHED.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\MEDIACENTERWEBLAUNCHER.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\en-US\NOTEPAD.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\es-ES\NOTEPAD.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\es-ES\WINHLP32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\HH.EXE	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\Boot\PCAT\zh-TW\BOOTMGR.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\de-DE\EHPRIVJOB.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\en-US\EHSCHED.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\es-ES\EHVID.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\ja-JP\EHVID.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\es-ES\REGEDIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\fr-FR\NOTEPAD.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\fr-FR\WINHLP32.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\it-IT\NOTEPAD.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\es-ES\EHSCHED.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\es-ES\MCUPDATE.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\it-IT\REGEDIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\servicing\fr-FR\TRUSTEDINSTALLER.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\de-DE\REGEDIT.EXE.MUI	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
File opened for modification	C:\Windows\ehome\MEDIACENTERWEBLAUNCHER.EXE.MANIFEST	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	1708	WerFault.exe	11

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1712	1708	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe	26
PID 1708 wrote to memory of 1712	1708	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe	26
PID 1708 wrote to memory of 1712	1708	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe	26
PID 1708 wrote to memory of 1712	1708	ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe	26

C:\Users\Admin\AppData\Local\Temp\ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe
"C:\Users\Admin\AppData\Local\Temp\ddae22e5250bbef8d5201d2be4700c650f9c764f1654c9dce347a5e03ffd926b.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 124
  2⤵
  - Program crash
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1708-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download