Analysis
- max time kernel: 153s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/12/2022, 09:44
Static task: static1
Behavioral task: behavioral1
- Sample: a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
- Resource: win10v2004-20220812-en
General
- Target: a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
- Size: 524KB
- MD5: 223686ba9a056e632afd6a2204f75bf4
- SHA1: fae4073f0f021bb46765fc8690f02d63369455b4
- SHA256: a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82
- SHA512: 93a2196ad6a1c4c2cc4011382e838da145effa45270af695aa6e1bee40c9a2fd1ccc36bfa8a5a9a582ed9377e1bf90af16577c293c18ca30cbf28bfec4966b3d
- SSDEEP: 12288:m/XJJmzIMQL0sRjDGi5uj/C/OeP9TqdJy4Jt3E:mhJirsRjjkSUdJy4Jt3
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: xuecol.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: qr5i4eI0.exe)
Executes dropped EXE 9 IoCs
- PID 5044 qr5i4eI0.exe
- PID 832 2hum.exe
- PID 2164 2hum.exe
- PID 1412 2hum.exe
- PID 4192 2hum.exe
- PID 364 2hum.exe
- PID 4180 3hum.exe
- PID 1392 xuecol.exe
- PID 1664 4hum.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: qr5i4eI0.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP: 94.242.250.64
Adds Run key to start application 2 TTPs 52 IoCs
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 2hum.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: 2hum.exe)
Suspicious use of SetThreadContext 4 IoCs
- PID 832 (2hum.exe) set thread context of PID 2164 (target 83)
- PID 832 (2hum.exe) set thread context of PID 1412 (target 84)
- PID 832 (2hum.exe) set thread context of PID 4192 (target 85)
- PID 832 (2hum.exe) set thread context of PID 364 (target 86)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
- PID 2280 WerFault.exe, crashed process PID 4180 (target 87)
Enumerates processes with tasklist 1 TTPs 2 IoCs
- PID 4916 tasklist.exe
- PID 312 tasklist.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
- Flow 6, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeDebugPrivilege, PID 4916 tasklist.exe
- Token: SeDebugPrivilege, PID 1664 4hum.exe
- Token: SeDebugPrivilege, PID 1664 4hum.exe
- Token: SeDebugPrivilege, PID 312 tasklist.exe
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 4940 a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
- PID 5044 qr5i4eI0.exe
- PID 832 2hum.exe
- PID 2164 2hum.exe
- PID 4192 2hum.exe
- PID 364 2hum.exe
- PID 1392 xuecol.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe (PID 4940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe"
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\qr5i4eI0.exe (PID 5044)
    Command line: C:\Users\Admin\qr5i4eI0.exe
    Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\xuecol.exe (PID 1392)
      Command line: "C:\Users\Admin\xuecol.exe"
      Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1052)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del qr5i4eI0.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 4916)
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\2hum.exe (PID 832)
    Command line: C:\Users\Admin\2hum.exe
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\2hum.exe (PID 2164)
      Command line: "C:\Users\Admin\2hum.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\2hum.exe (PID 1412)
      Command line: "C:\Users\Admin\2hum.exe"
      Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\2hum.exe (PID 4192)
      Command line: "C:\Users\Admin\2hum.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\2hum.exe (PID 364)
      Command line: "C:\Users\Admin\2hum.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\3hum.exe (PID 4180)
    Command line: C:\Users\Admin\3hum.exe
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 2280)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 372
      Signatures: Program crash
  - C:\Users\Admin\4hum.exe (PID 1664)
    Command line: C:\Users\Admin\4hum.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1444)
    Command line: cmd.exe /c tasklist&&del a62d7efd18899d616763f72eae9460e61eaae54660eba6d642243989b21c8b82.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe (PID 312)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 4464)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4180 -ip 4180
Network
MITRE ATT&CK Enterprise v6
Downloads