6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df

Analysis

max time kernel
160s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
Size

238KB
MD5

f8715f5098e39d13fa1bfe96fbe3cd0b
SHA1

2bd80a2518ae9e8bb889cfa56310171920532a95
SHA256

6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df
SHA512

6dd0b2f303f44e9ab07ef0657013bf02f39e934bf631606aea9af9ff82069ac0191758c6942ca97b6e096acf0f94e5982761475d226701795e140768adc8f21b
SSDEEP

6144:BwvISTVRlLhA6AOEJUTigG2PqNbFRgsqCqyhbbFDlv6b:BwvHTVy6AOE/gVCblts

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe = "C:\\Users\\Admin\\AppData\\Roaming\\%$User_Profile%\\SERV.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1880	authz.exe
1796	BioCredProv.exe
1628	authz.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1080-58-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1080-60-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1080-61-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1080-64-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1080-67-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1080-69-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1080-68-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1880	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Authorization Framework = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\authz.exe"	authz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Authorization Framework = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\authz.exe"	authz.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1796 set thread context of 1612	1796	BioCredProv.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1728	reg.exe
1044	reg.exe
804	reg.exe
1588	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1880	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1796	BioCredProv.exe
1796	BioCredProv.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1628	authz.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
1628	authz.exe
1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
Token: 1	1080	AppLaunch.exe
Token: SeCreateTokenPrivilege	1080	AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege	1080	AppLaunch.exe
Token: SeLockMemoryPrivilege	1080	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	1080	AppLaunch.exe
Token: SeMachineAccountPrivilege	1080	AppLaunch.exe
Token: SeTcbPrivilege	1080	AppLaunch.exe
Token: SeSecurityPrivilege	1080	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1080	AppLaunch.exe
Token: SeLoadDriverPrivilege	1080	AppLaunch.exe
Token: SeSystemProfilePrivilege	1080	AppLaunch.exe
Token: SeSystemtimePrivilege	1080	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1080	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1080	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1080	AppLaunch.exe
Token: SeCreatePermanentPrivilege	1080	AppLaunch.exe
Token: SeBackupPrivilege	1080	AppLaunch.exe
Token: SeRestorePrivilege	1080	AppLaunch.exe
Token: SeShutdownPrivilege	1080	AppLaunch.exe
Token: SeDebugPrivilege	1080	AppLaunch.exe
Token: SeAuditPrivilege	1080	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1080	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1080	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1080	AppLaunch.exe
Token: SeUndockPrivilege	1080	AppLaunch.exe
Token: SeSyncAgentPrivilege	1080	AppLaunch.exe
Token: SeEnableDelegationPrivilege	1080	AppLaunch.exe
Token: SeManageVolumePrivilege	1080	AppLaunch.exe
Token: SeImpersonatePrivilege	1080	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1080	AppLaunch.exe
Token: 31	1080	AppLaunch.exe
Token: 32	1080	AppLaunch.exe
Token: 33	1080	AppLaunch.exe
Token: 34	1080	AppLaunch.exe
Token: 35	1080	AppLaunch.exe
Token: SeDebugPrivilege	1880	authz.exe
Token: SeDebugPrivilege	1796	BioCredProv.exe
Token: SeDebugPrivilege	1628	authz.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1080	AppLaunch.exe
1080	AppLaunch.exe
1080	AppLaunch.exe
1080	AppLaunch.exe
1612	AppLaunch.exe
1612	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1356 wrote to memory of 1080	1356	6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe	28
PID 1080 wrote to memory of 588	1080	AppLaunch.exe	29
PID 1080 wrote to memory of 588	1080	AppLaunch.exe	29
PID 1080 wrote to memory of 588	1080	AppLaunch.exe	29
PID 1080 wrote to memory of 588	1080	AppLaunch.exe	29
PID 1080 wrote to memory of 588	1080	AppLaunch.exe	29
PID 1080 wrote to memory of 588	1080	AppLaunch.exe	29
PID 1080 wrote to memory of 588	1080	AppLaunch.exe	29
PID 1080 wrote to memory of 1496	1080	AppLaunch.exe	30
PID 1080 wrote to memory of 1496	1080	AppLaunch.exe	30
PID 1080 wrote to memory of 1496	1080	AppLaunch.exe	30
PID 1080 wrote to memory of 1496	1080	AppLaunch.exe	30
PID 1080 wrote to memory of 1496	1080	AppLaunch.exe	30
PID 1080 wrote to memory of 1496	1080	AppLaunch.exe	30
PID 1080 wrote to memory of 1496	1080	AppLaunch.exe	30
PID 1080 wrote to memory of 764	1080	AppLaunch.exe	32
PID 1080 wrote to memory of 764	1080	AppLaunch.exe	32
PID 1080 wrote to memory of 764	1080	AppLaunch.exe	32
PID 1080 wrote to memory of 764	1080	AppLaunch.exe	32
PID 1080 wrote to memory of 764	1080	AppLaunch.exe	32
PID 1080 wrote to memory of 764	1080	AppLaunch.exe	32
PID 1080 wrote to memory of 764	1080	AppLaunch.exe	32
PID 1080 wrote to memory of 1828	1080	AppLaunch.exe	35
PID 1080 wrote to memory of 1828	1080	AppLaunch.exe	35
PID 1080 wrote to memory of 1828	1080	AppLaunch.exe	35
PID 1080 wrote to memory of 1828	1080	AppLaunch.exe	35
PID 1080 wrote to memory of 1828	1080	AppLaunch.exe	35
PID 1080 wrote to memory of 1828	1080	AppLaunch.exe	35
PID 1080 wrote to memory of 1828	1080	AppLaunch.exe	35
PID 1496 wrote to memory of 1728	1496	cmd.exe	37
PID 1496 wrote to memory of 1728	1496	cmd.exe	37
PID 1496 wrote to memory of 1728	1496	cmd.exe	37
PID 1496 wrote to memory of 1728	1496	cmd.exe	37
PID 1496 wrote to memory of 1728	1496	cmd.exe	37
PID 1496 wrote to memory of 1728	1496	cmd.exe	37
PID 1496 wrote to memory of 1728	1496	cmd.exe	37
PID 764 wrote to memory of 1044	764	cmd.exe	38
PID 764 wrote to memory of 1044	764	cmd.exe	38
PID 764 wrote to memory of 1044	764	cmd.exe	38
PID 764 wrote to memory of 1044	764	cmd.exe	38
PID 764 wrote to memory of 1044	764	cmd.exe	38
PID 764 wrote to memory of 1044	764	cmd.exe	38
PID 764 wrote to memory of 1044	764	cmd.exe	38
PID 588 wrote to memory of 804	588	cmd.exe	39
PID 588 wrote to memory of 804	588	cmd.exe	39
PID 588 wrote to memory of 804	588	cmd.exe	39
PID 588 wrote to memory of 804	588	cmd.exe	39
PID 588 wrote to memory of 804	588	cmd.exe	39
PID 588 wrote to memory of 804	588	cmd.exe	39
PID 588 wrote to memory of 804	588	cmd.exe	39
PID 1828 wrote to memory of 1588	1828	cmd.exe	40
PID 1828 wrote to memory of 1588	1828	cmd.exe	40
PID 1828 wrote to memory of 1588	1828	cmd.exe	40
PID 1828 wrote to memory of 1588	1828	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe
"C:\Users\Admin\AppData\Local\Temp\6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\%$User_Profile%\SERV.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe
    "C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1612
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe

Filesize
238KB

MD5
f8715f5098e39d13fa1bfe96fbe3cd0b

SHA1
2bd80a2518ae9e8bb889cfa56310171920532a95

SHA256
6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df

SHA512
6dd0b2f303f44e9ab07ef0657013bf02f39e934bf631606aea9af9ff82069ac0191758c6942ca97b6e096acf0f94e5982761475d226701795e140768adc8f21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BioCredProv.exe

Filesize
238KB

MD5
f8715f5098e39d13fa1bfe96fbe3cd0b

SHA1
2bd80a2518ae9e8bb889cfa56310171920532a95

SHA256
6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df

SHA512
6dd0b2f303f44e9ab07ef0657013bf02f39e934bf631606aea9af9ff82069ac0191758c6942ca97b6e096acf0f94e5982761475d226701795e140768adc8f21b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe

Filesize
13KB

MD5
406e0d77797a0e65a5b8e47c4f64f7ef

SHA1
bc27e2cd023078b1e5eba518b40d652186e7cdc0

SHA256
ac7b35411b98743cd307ef14e29986f355c1cbc835e52199138cc60083cc7911

SHA512
ce66ce770c5c3fdee8c6dacb45a99d967239f51409da6b86d7ddbaa6c5823e608d16e0103f4442a2f04f93bc852d73f06a77db5e44bc27f54fca683e43bb3ef1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe

Filesize
13KB

MD5
406e0d77797a0e65a5b8e47c4f64f7ef

SHA1
bc27e2cd023078b1e5eba518b40d652186e7cdc0

SHA256
ac7b35411b98743cd307ef14e29986f355c1cbc835e52199138cc60083cc7911

SHA512
ce66ce770c5c3fdee8c6dacb45a99d967239f51409da6b86d7ddbaa6c5823e608d16e0103f4442a2f04f93bc852d73f06a77db5e44bc27f54fca683e43bb3ef1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe

Filesize
13KB

MD5
406e0d77797a0e65a5b8e47c4f64f7ef

SHA1
bc27e2cd023078b1e5eba518b40d652186e7cdc0

SHA256
ac7b35411b98743cd307ef14e29986f355c1cbc835e52199138cc60083cc7911

SHA512
ce66ce770c5c3fdee8c6dacb45a99d967239f51409da6b86d7ddbaa6c5823e608d16e0103f4442a2f04f93bc852d73f06a77db5e44bc27f54fca683e43bb3ef1

Download Submit
\Users\Admin\AppData\Local\Temp\BioCredProv.exe

Filesize
238KB

MD5
f8715f5098e39d13fa1bfe96fbe3cd0b

SHA1
2bd80a2518ae9e8bb889cfa56310171920532a95

SHA256
6a9131422df3c9003a8fa62a055604d89cc044b2c5415d84496db13580dcb6df

SHA512
6dd0b2f303f44e9ab07ef0657013bf02f39e934bf631606aea9af9ff82069ac0191758c6942ca97b6e096acf0f94e5982761475d226701795e140768adc8f21b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe

Filesize
13KB

MD5
406e0d77797a0e65a5b8e47c4f64f7ef

SHA1
bc27e2cd023078b1e5eba518b40d652186e7cdc0

SHA256
ac7b35411b98743cd307ef14e29986f355c1cbc835e52199138cc60083cc7911

SHA512
ce66ce770c5c3fdee8c6dacb45a99d967239f51409da6b86d7ddbaa6c5823e608d16e0103f4442a2f04f93bc852d73f06a77db5e44bc27f54fca683e43bb3ef1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\authz.exe

Filesize
13KB

MD5
406e0d77797a0e65a5b8e47c4f64f7ef

SHA1
bc27e2cd023078b1e5eba518b40d652186e7cdc0

SHA256
ac7b35411b98743cd307ef14e29986f355c1cbc835e52199138cc60083cc7911

SHA512
ce66ce770c5c3fdee8c6dacb45a99d967239f51409da6b86d7ddbaa6c5823e608d16e0103f4442a2f04f93bc852d73f06a77db5e44bc27f54fca683e43bb3ef1

Download Submit
memory/1080-87-0x000000000044E000-0x000000000047A000-memory.dmp

Filesize
176KB

Download
memory/1080-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1080-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1080-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1080-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1080-60-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1080-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1080-68-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1080-90-0x000000000044E000-0x000000000047A000-memory.dmp

Filesize
176KB

Download
memory/1080-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1356-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-56-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-127-0x000000000044E000-0x000000000047A000-memory.dmp

Filesize
176KB

Download
memory/1628-110-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-108-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-102-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-109-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-103-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-101-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download