c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223

Analysis

max time kernel
206s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
Size

371KB
MD5

8db36a57f62accfce13e89df2f38252d
SHA1

bc955d81212c0cc185406c5591385f9acfced33e
SHA256

c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223
SHA512

f449e45bf98795c59eca2b0a0da4d9265af65c1f353eb4d44fbadbc804a2c0a4a9910b65e396c300e92a191e992c116c34e1347f8d48d65c8b2136ae4ee4b589
SSDEEP

6144:C6T7ykP3BcAwkbnfrINC1BVtlEsH4SfkuLFNXr1BOoKRIDoACs/UuKiQrXInw14p:3ykc5kLd1BflvH4StNbPKRkYMSIWYh

Score

10^/10

bootkit evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ljtej.exe

Executes dropped EXE 4 IoCs

pid	Process
1304	lcwpoOpiE6.exe
1412	ljtej.exe
692	nzQlrRzKCSpT.exe
924	nzr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/876-80-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/876-82-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/876-83-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/876-87-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/876-88-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/876-95-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
1304	lcwpoOpiE6.exe
1304	lcwpoOpiE6.exe
1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /s"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /M"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /l"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /u"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /T"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /b"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /z"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /d"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /E"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /C"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /a"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /w"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /Z"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /r"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /D"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /y"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /t"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /B"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /W"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /n"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /k"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /X"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /S"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /m"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /U"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /N"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /I"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /i"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /F"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /c"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /j"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /o"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /A"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /Q"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /f"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /v"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /O"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /g"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /e"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /q"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /P"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /J"	ljtej.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /Y"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /V"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /h"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /K"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /L"	ljtej.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ljtej = "C:\\Users\\Admin\\ljtej.exe /p"	ljtej.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\physicaldrive0	nzr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 876	692	nzQlrRzKCSpT.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1352	tasklist.exe
1708	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1304	lcwpoOpiE6.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe
876	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	tasklist.exe
Token: SeDebugPrivilege	1708	tasklist.exe
Token: SeShutdownPrivilege	924	nzr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1304	lcwpoOpiE6.exe
1412	ljtej.exe
692	nzQlrRzKCSpT.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1304	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	28
PID 1472 wrote to memory of 1304	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	28
PID 1472 wrote to memory of 1304	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	28
PID 1472 wrote to memory of 1304	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	28
PID 1304 wrote to memory of 1412	1304	lcwpoOpiE6.exe	29
PID 1304 wrote to memory of 1412	1304	lcwpoOpiE6.exe	29
PID 1304 wrote to memory of 1412	1304	lcwpoOpiE6.exe	29
PID 1304 wrote to memory of 1412	1304	lcwpoOpiE6.exe	29
PID 1304 wrote to memory of 1112	1304	lcwpoOpiE6.exe	30
PID 1304 wrote to memory of 1112	1304	lcwpoOpiE6.exe	30
PID 1304 wrote to memory of 1112	1304	lcwpoOpiE6.exe	30
PID 1304 wrote to memory of 1112	1304	lcwpoOpiE6.exe	30
PID 1472 wrote to memory of 692	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	32
PID 1472 wrote to memory of 692	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	32
PID 1472 wrote to memory of 692	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	32
PID 1472 wrote to memory of 692	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	32
PID 1112 wrote to memory of 1352	1112	cmd.exe	33
PID 1112 wrote to memory of 1352	1112	cmd.exe	33
PID 1112 wrote to memory of 1352	1112	cmd.exe	33
PID 1112 wrote to memory of 1352	1112	cmd.exe	33
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 876	692	nzQlrRzKCSpT.exe	34
PID 692 wrote to memory of 560	692	nzQlrRzKCSpT.exe	35
PID 692 wrote to memory of 560	692	nzQlrRzKCSpT.exe	35
PID 692 wrote to memory of 560	692	nzQlrRzKCSpT.exe	35
PID 692 wrote to memory of 560	692	nzQlrRzKCSpT.exe	35
PID 1472 wrote to memory of 924	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	37
PID 1472 wrote to memory of 924	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	37
PID 1472 wrote to memory of 924	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	37
PID 1472 wrote to memory of 924	1472	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	37
PID 560 wrote to memory of 1708	560	cmd.exe	38
PID 560 wrote to memory of 1708	560	cmd.exe	38
PID 560 wrote to memory of 1708	560	cmd.exe	38
PID 560 wrote to memory of 1708	560	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
"C:\Users\Admin\AppData\Local\Temp\c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\lcwpoOpiE6.exe
  "C:\Users\Admin\lcwpoOpiE6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\ljtej.exe
    "C:\Users\Admin\ljtej.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del lcwpoOpiE6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1352
- C:\Users\Admin\nzQlrRzKCSpT.exe
  "C:\Users\Admin\nzQlrRzKCSpT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del nzQlrRzKCSpT.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1708
- C:\Users\Admin\nzr.exe
  "C:\Users\Admin\nzr.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\lcwpoOpiE6.exe

Filesize
420KB

MD5
efbfb6be20f3801ca005d1040e2ac835

SHA1
bfb4b87d012fcebfd4da30f5bbe89d57390a0fac

SHA256
83320165f8ecce6c2432eff5b82cee0e94fb20501435ad46cfcf841f8c482589

SHA512
47f680624698e0fc9705159401b0eb5cb5798fb241b0ebfd31eaee140c043591167fbc664a3c7f8d943812d4efec7dbf248d0d9a3b0e4c5950cc4524230e92ba

Download Submit
C:\Users\Admin\lcwpoOpiE6.exe

Filesize
420KB

MD5
efbfb6be20f3801ca005d1040e2ac835

SHA1
bfb4b87d012fcebfd4da30f5bbe89d57390a0fac

SHA256
83320165f8ecce6c2432eff5b82cee0e94fb20501435ad46cfcf841f8c482589

SHA512
47f680624698e0fc9705159401b0eb5cb5798fb241b0ebfd31eaee140c043591167fbc664a3c7f8d943812d4efec7dbf248d0d9a3b0e4c5950cc4524230e92ba

Download Submit
C:\Users\Admin\ljtej.exe

Filesize
420KB

MD5
2418fbe10f6630fdc00d73155c1c908d

SHA1
0ca42479d4ea58caa6e3c7fc1158c2d26727cac9

SHA256
394f38c6788ff838e3fab1e66397d05400d9c7690b3d8bda007c43635f7a70ba

SHA512
4dbf0f7177e31625c7cdd6b5a3136da458d83d73fcfed1b1615c8a6cfc2b44b4ca9268cbb908ae80dc72eb989c411ad6dc0f8ed123b2fb38604a15952e5da5e3

Download Submit
C:\Users\Admin\ljtej.exe

Filesize
420KB

MD5
2418fbe10f6630fdc00d73155c1c908d

SHA1
0ca42479d4ea58caa6e3c7fc1158c2d26727cac9

SHA256
394f38c6788ff838e3fab1e66397d05400d9c7690b3d8bda007c43635f7a70ba

SHA512
4dbf0f7177e31625c7cdd6b5a3136da458d83d73fcfed1b1615c8a6cfc2b44b4ca9268cbb908ae80dc72eb989c411ad6dc0f8ed123b2fb38604a15952e5da5e3

Download Submit
C:\Users\Admin\nzQlrRzKCSpT.exe

Filesize
120KB

MD5
fbedb1325c04ba0d321725b3fbca79e5

SHA1
c1cbaf5ce790cca2eac97ea5ef3e9051291841e0

SHA256
8fb95e30c957e92bd3ea42fc07c866fb6d71d3b9320f8fec19391bea5f1ef284

SHA512
79f92ce50425aa3633dbe8a8e5e67523cf357fb3dd742cf80b51e573ee85e0198d66b459cc940c5e0d2aa9cf7bf84e4705825ba6b58de05a9e5d4457bc6cc601

Download Submit
C:\Users\Admin\nzQlrRzKCSpT.exe

Filesize
120KB

MD5
fbedb1325c04ba0d321725b3fbca79e5

SHA1
c1cbaf5ce790cca2eac97ea5ef3e9051291841e0

SHA256
8fb95e30c957e92bd3ea42fc07c866fb6d71d3b9320f8fec19391bea5f1ef284

SHA512
79f92ce50425aa3633dbe8a8e5e67523cf357fb3dd742cf80b51e573ee85e0198d66b459cc940c5e0d2aa9cf7bf84e4705825ba6b58de05a9e5d4457bc6cc601

Download Submit
C:\Users\Admin\nzr.exe

Filesize
126KB

MD5
92911c5d331554c274d362f02e688272

SHA1
58cc94c667d722a7c0598f7af7de8a42184d72a9

SHA256
f5b3d5f68d76feb12d2b22aa0e8ccba9f755a4018a2d3447655f6fef2744d025

SHA512
d2440f90b04831c78fa3844293a84955f04be5c2d7cbe4c82165a28c8c31448c9cdbf13f693f9d392f0505aff6d77528a324ac1edbde7b4510ea25cb78305a66

Download Submit
C:\Users\Admin\nzr.exe

Filesize
126KB

MD5
92911c5d331554c274d362f02e688272

SHA1
58cc94c667d722a7c0598f7af7de8a42184d72a9

SHA256
f5b3d5f68d76feb12d2b22aa0e8ccba9f755a4018a2d3447655f6fef2744d025

SHA512
d2440f90b04831c78fa3844293a84955f04be5c2d7cbe4c82165a28c8c31448c9cdbf13f693f9d392f0505aff6d77528a324ac1edbde7b4510ea25cb78305a66

Download Submit
\Users\Admin\lcwpoOpiE6.exe

Filesize
420KB

MD5
efbfb6be20f3801ca005d1040e2ac835

SHA1
bfb4b87d012fcebfd4da30f5bbe89d57390a0fac

SHA256
83320165f8ecce6c2432eff5b82cee0e94fb20501435ad46cfcf841f8c482589

SHA512
47f680624698e0fc9705159401b0eb5cb5798fb241b0ebfd31eaee140c043591167fbc664a3c7f8d943812d4efec7dbf248d0d9a3b0e4c5950cc4524230e92ba

Download Submit
\Users\Admin\lcwpoOpiE6.exe

Filesize
420KB

MD5
efbfb6be20f3801ca005d1040e2ac835

SHA1
bfb4b87d012fcebfd4da30f5bbe89d57390a0fac

SHA256
83320165f8ecce6c2432eff5b82cee0e94fb20501435ad46cfcf841f8c482589

SHA512
47f680624698e0fc9705159401b0eb5cb5798fb241b0ebfd31eaee140c043591167fbc664a3c7f8d943812d4efec7dbf248d0d9a3b0e4c5950cc4524230e92ba

Download Submit
\Users\Admin\ljtej.exe

Filesize
420KB

MD5
2418fbe10f6630fdc00d73155c1c908d

SHA1
0ca42479d4ea58caa6e3c7fc1158c2d26727cac9

SHA256
394f38c6788ff838e3fab1e66397d05400d9c7690b3d8bda007c43635f7a70ba

SHA512
4dbf0f7177e31625c7cdd6b5a3136da458d83d73fcfed1b1615c8a6cfc2b44b4ca9268cbb908ae80dc72eb989c411ad6dc0f8ed123b2fb38604a15952e5da5e3

Download Submit
\Users\Admin\ljtej.exe

Filesize
420KB

MD5
2418fbe10f6630fdc00d73155c1c908d

SHA1
0ca42479d4ea58caa6e3c7fc1158c2d26727cac9

SHA256
394f38c6788ff838e3fab1e66397d05400d9c7690b3d8bda007c43635f7a70ba

SHA512
4dbf0f7177e31625c7cdd6b5a3136da458d83d73fcfed1b1615c8a6cfc2b44b4ca9268cbb908ae80dc72eb989c411ad6dc0f8ed123b2fb38604a15952e5da5e3

Download Submit
\Users\Admin\nzQlrRzKCSpT.exe

Filesize
120KB

MD5
fbedb1325c04ba0d321725b3fbca79e5

SHA1
c1cbaf5ce790cca2eac97ea5ef3e9051291841e0

SHA256
8fb95e30c957e92bd3ea42fc07c866fb6d71d3b9320f8fec19391bea5f1ef284

SHA512
79f92ce50425aa3633dbe8a8e5e67523cf357fb3dd742cf80b51e573ee85e0198d66b459cc940c5e0d2aa9cf7bf84e4705825ba6b58de05a9e5d4457bc6cc601

Download Submit
\Users\Admin\nzQlrRzKCSpT.exe

Filesize
120KB

MD5
fbedb1325c04ba0d321725b3fbca79e5

SHA1
c1cbaf5ce790cca2eac97ea5ef3e9051291841e0

SHA256
8fb95e30c957e92bd3ea42fc07c866fb6d71d3b9320f8fec19391bea5f1ef284

SHA512
79f92ce50425aa3633dbe8a8e5e67523cf357fb3dd742cf80b51e573ee85e0198d66b459cc940c5e0d2aa9cf7bf84e4705825ba6b58de05a9e5d4457bc6cc601

Download Submit
\Users\Admin\nzr.exe

Filesize
126KB

MD5
92911c5d331554c274d362f02e688272

SHA1
58cc94c667d722a7c0598f7af7de8a42184d72a9

SHA256
f5b3d5f68d76feb12d2b22aa0e8ccba9f755a4018a2d3447655f6fef2744d025

SHA512
d2440f90b04831c78fa3844293a84955f04be5c2d7cbe4c82165a28c8c31448c9cdbf13f693f9d392f0505aff6d77528a324ac1edbde7b4510ea25cb78305a66

Download Submit
\Users\Admin\nzr.exe

Filesize
126KB

MD5
92911c5d331554c274d362f02e688272

SHA1
58cc94c667d722a7c0598f7af7de8a42184d72a9

SHA256
f5b3d5f68d76feb12d2b22aa0e8ccba9f755a4018a2d3447655f6fef2744d025

SHA512
d2440f90b04831c78fa3844293a84955f04be5c2d7cbe4c82165a28c8c31448c9cdbf13f693f9d392f0505aff6d77528a324ac1edbde7b4510ea25cb78305a66

Download Submit
memory/876-88-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/876-95-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/876-82-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/876-83-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/876-87-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/876-80-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/876-79-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/924-97-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/924-98-0x0000000001D70000-0x0000000001E70000-memory.dmp

Filesize
1024KB

Download
memory/1472-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download