d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 00:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Size

56KB
MD5

a91fe0d26b0af6b1dabe09967a695b11
SHA1

49a9f02b485c99cb32c3658e6c5e3c943c9165be
SHA256

d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e
SHA512

a33ba44aa2845b95498d45e11222b8bf642179d53d168bfde086c4ebc5d07c21d2e91ada732a5b6db78a3fdb6bac8fd137a1baa813bee23872d50f195dd93f6b
SSDEEP

1536:EXAj4d9lZXp0RuoOlabXAdWE+4OnFokNx3aGGgo:Nalr0fOeXAdWEuXNxqGXo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1964	SafeSys.exe

Loads dropped DLL 3 IoCs

pid	Process
1032	Rundll32.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\G:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\H:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\I:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\K:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\P:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\S:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\V:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\B:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\F:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\L:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\M:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\O:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\U:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\X:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\Y:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\Z:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\R:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\A:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\J:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\N:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\Q:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\T:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened (read-only)	\??\W:	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 296	1964	SafeSys.exe	34

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ieowa.bak	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File opened for modification	C:\Program Files (x86)\Common Files\SafeSys.exe	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
File created	C:\Program Files (x86)\Common Files\SafeSys.exe	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\sbjdc.fon	Rundll32.exe
File opened for modification	C:\Windows\Fonts\sbjdc.fon	Rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
Token: SeDebugPrivilege	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 632	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	28
PID 1520 wrote to memory of 632	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	28
PID 1520 wrote to memory of 632	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	28
PID 1520 wrote to memory of 632	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	28
PID 632 wrote to memory of 1032	632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	29
PID 632 wrote to memory of 1032	632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	29
PID 632 wrote to memory of 1032	632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	29
PID 632 wrote to memory of 1032	632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	29
PID 632 wrote to memory of 1032	632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	29
PID 632 wrote to memory of 1032	632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	29
PID 632 wrote to memory of 1032	632	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	29
PID 1520 wrote to memory of 1964	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	33
PID 1520 wrote to memory of 1964	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	33
PID 1520 wrote to memory of 1964	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	33
PID 1520 wrote to memory of 1964	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	33
PID 1964 wrote to memory of 296	1964	SafeSys.exe	34
PID 1964 wrote to memory of 296	1964	SafeSys.exe	34
PID 1964 wrote to memory of 296	1964	SafeSys.exe	34
PID 1964 wrote to memory of 296	1964	SafeSys.exe	34
PID 1964 wrote to memory of 296	1964	SafeSys.exe	34
PID 1964 wrote to memory of 296	1964	SafeSys.exe	34
PID 1520 wrote to memory of 1172	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	35
PID 1520 wrote to memory of 1172	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	35
PID 1520 wrote to memory of 1172	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	35
PID 1520 wrote to memory of 1172	1520	d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe	35

C:\Users\Admin\AppData\Local\Temp\d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
"C:\Users\Admin\AppData\Local\Temp\d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe
  C:\Users\Admin\AppData\Local\Temp\d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e.exe -SafeSys
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\Rundll32.exe
    "C:\Windows\system32\Rundll32.exe" "C:\Program Files (x86)\ieowa.bak",MyDLLEntry
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1032
- C:\Program Files (x86)\Common Files\SafeSys.exe
  "C:\Program Files (x86)\Common Files\SafeSys.exe" SafeSys
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~orusq.bat
  2⤵
  PID:1172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\SafeSys.exe

Filesize
56KB

MD5
a91fe0d26b0af6b1dabe09967a695b11

SHA1
49a9f02b485c99cb32c3658e6c5e3c943c9165be

SHA256
d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e

SHA512
a33ba44aa2845b95498d45e11222b8bf642179d53d168bfde086c4ebc5d07c21d2e91ada732a5b6db78a3fdb6bac8fd137a1baa813bee23872d50f195dd93f6b

Download Submit
C:\Program Files (x86)\Common Files\SafeSys.exe

Filesize
56KB

MD5
a91fe0d26b0af6b1dabe09967a695b11

SHA1
49a9f02b485c99cb32c3658e6c5e3c943c9165be

SHA256
d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e

SHA512
a33ba44aa2845b95498d45e11222b8bf642179d53d168bfde086c4ebc5d07c21d2e91ada732a5b6db78a3fdb6bac8fd137a1baa813bee23872d50f195dd93f6b

Download Submit
C:\Program Files (x86)\ieowa.bak

Filesize
10KB

MD5
0a8d07ff358703bf65b83b09b7b78432

SHA1
2ad9134da8db9ce75489dcaed7ec8828b7ed0651

SHA256
93878bfdddfff8c1ad14af2bdae67a386d1bc8aac8ddb594c68898d90f5a0118

SHA512
3aa1dbe7016f856205d127e5ad29b723f80c7bd337419ab66d61e8cef2390cbe2df3418ca71a68ed88aa26e18551c2a94e532b5d7e36aa8fb4d7abb572856361

Download Submit
\Program Files (x86)\Common Files\SafeSys.exe

Filesize
56KB

MD5
a91fe0d26b0af6b1dabe09967a695b11

SHA1
49a9f02b485c99cb32c3658e6c5e3c943c9165be

SHA256
d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e

SHA512
a33ba44aa2845b95498d45e11222b8bf642179d53d168bfde086c4ebc5d07c21d2e91ada732a5b6db78a3fdb6bac8fd137a1baa813bee23872d50f195dd93f6b

Download Submit
\Program Files (x86)\Common Files\SafeSys.exe

Filesize
56KB

MD5
a91fe0d26b0af6b1dabe09967a695b11

SHA1
49a9f02b485c99cb32c3658e6c5e3c943c9165be

SHA256
d9318f0be41564bf6c33614d27fbcd97a11b3aec7c128fab62f75a123e3d920e

SHA512
a33ba44aa2845b95498d45e11222b8bf642179d53d168bfde086c4ebc5d07c21d2e91ada732a5b6db78a3fdb6bac8fd137a1baa813bee23872d50f195dd93f6b

Download Submit
\Program Files (x86)\ieowa.bak

Filesize
10KB

MD5
0a8d07ff358703bf65b83b09b7b78432

SHA1
2ad9134da8db9ce75489dcaed7ec8828b7ed0651

SHA256
93878bfdddfff8c1ad14af2bdae67a386d1bc8aac8ddb594c68898d90f5a0118

SHA512
3aa1dbe7016f856205d127e5ad29b723f80c7bd337419ab66d61e8cef2390cbe2df3418ca71a68ed88aa26e18551c2a94e532b5d7e36aa8fb4d7abb572856361

Download Submit
memory/296-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/296-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/632-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1032-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1032-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1520-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1520-72-0x0000000002CA0000-0x0000000002CD8000-memory.dmp

Filesize
224KB

Download
memory/1520-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1520-78-0x0000000002CA0000-0x0000000002CD8000-memory.dmp

Filesize
224KB

Download
memory/1520-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1520-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1964-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1964-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1964-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download