c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223

Analysis

max time kernel
181s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
Size

371KB
MD5

8db36a57f62accfce13e89df2f38252d
SHA1

bc955d81212c0cc185406c5591385f9acfced33e
SHA256

c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223
SHA512

f449e45bf98795c59eca2b0a0da4d9265af65c1f353eb4d44fbadbc804a2c0a4a9910b65e396c300e92a191e992c116c34e1347f8d48d65c8b2136ae4ee4b589
SSDEEP

6144:C6T7ykP3BcAwkbnfrINC1BVtlEsH4SfkuLFNXr1BOoKRIDoACs/UuKiQrXInw14p:3ykc5kLd1BflvH4StNbPKRkYMSIWYh

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	sorub.exe

Executes dropped EXE 5 IoCs

pid	Process
224	lcwpoOpiE6.exe
4632	sorub.exe
4108	nzQlrRzKCSpT.exe
1360	nzr.exe
1736	nzs.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/652-150-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/652-152-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/652-153-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/652-159-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	lcwpoOpiE6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	nzQlrRzKCSpT.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /u"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /L"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /E"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /A"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /Z"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /U"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /N"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /l"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /O"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /G"	sorub.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /o"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /j"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /W"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /w"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /m"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /q"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /v"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /f"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /C"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /c"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /F"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /r"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /y"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /Y"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /R"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /B"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /M"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /J"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /t"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /p"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /e"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /P"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /n"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /H"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /s"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /h"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /a"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /V"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /S"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /X"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /T"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /b"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /Q"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /I"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /d"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /x"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /z"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /i"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /K"	sorub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sorub = "C:\\Users\\Admin\\sorub.exe /k"	sorub.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 652	4108	nzQlrRzKCSpT.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1604	1360	WerFault.exe	92

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1984	tasklist.exe
1388	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	lcwpoOpiE6.exe
224	lcwpoOpiE6.exe
4632	sorub.exe
4632	sorub.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	tasklist.exe
Token: SeDebugPrivilege	1388	tasklist.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
224	lcwpoOpiE6.exe
4632	sorub.exe
4108	nzQlrRzKCSpT.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 224	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	83
PID 4760 wrote to memory of 224	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	83
PID 4760 wrote to memory of 224	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	83
PID 224 wrote to memory of 4632	224	lcwpoOpiE6.exe	84
PID 224 wrote to memory of 4632	224	lcwpoOpiE6.exe	84
PID 224 wrote to memory of 4632	224	lcwpoOpiE6.exe	84
PID 224 wrote to memory of 3880	224	lcwpoOpiE6.exe	85
PID 224 wrote to memory of 3880	224	lcwpoOpiE6.exe	85
PID 224 wrote to memory of 3880	224	lcwpoOpiE6.exe	85
PID 4760 wrote to memory of 4108	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	87
PID 4760 wrote to memory of 4108	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	87
PID 4760 wrote to memory of 4108	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	87
PID 3880 wrote to memory of 1984	3880	cmd.exe	88
PID 3880 wrote to memory of 1984	3880	cmd.exe	88
PID 3880 wrote to memory of 1984	3880	cmd.exe	88
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4108 wrote to memory of 652	4108	nzQlrRzKCSpT.exe	89
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4108 wrote to memory of 2784	4108	nzQlrRzKCSpT.exe	90
PID 4108 wrote to memory of 2784	4108	nzQlrRzKCSpT.exe	90
PID 4108 wrote to memory of 2784	4108	nzQlrRzKCSpT.exe	90
PID 4760 wrote to memory of 1360	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	92
PID 4760 wrote to memory of 1360	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	92
PID 4760 wrote to memory of 1360	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	92
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 2784 wrote to memory of 1388	2784	cmd.exe	93
PID 2784 wrote to memory of 1388	2784	cmd.exe	93
PID 2784 wrote to memory of 1388	2784	cmd.exe	93
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1984	4632	sorub.exe	88
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4632 wrote to memory of 1388	4632	sorub.exe	93
PID 4760 wrote to memory of 1736	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	102
PID 4760 wrote to memory of 1736	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	102
PID 4760 wrote to memory of 1736	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	102
PID 4760 wrote to memory of 616	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	105
PID 4760 wrote to memory of 616	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	105
PID 4760 wrote to memory of 616	4760	c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe	105

C:\Users\Admin\AppData\Local\Temp\c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe
"C:\Users\Admin\AppData\Local\Temp\c7ac918e6a16a319cd1ec20229d3be32ec8641cdd243a5b0d6e1a74a37f45223.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\lcwpoOpiE6.exe
  "C:\Users\Admin\lcwpoOpiE6.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\sorub.exe
    "C:\Users\Admin\sorub.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del lcwpoOpiE6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- C:\Users\Admin\nzQlrRzKCSpT.exe
  "C:\Users\Admin\nzQlrRzKCSpT.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del nzQlrRzKCSpT.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1388
- C:\Users\Admin\nzr.exe
  "C:\Users\Admin\nzr.exe"
  2⤵
  - Executes dropped EXE
  PID:1360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 280
    3⤵
    - Program crash
    PID:1604
- C:\Users\Admin\nzs.exe
  "C:\Users\Admin\nzs.exe"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1360 -ip 1360
1⤵
PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
0f3460ed7cdbf2ac9711fcc6ef6d886f

SHA1
5dbc2d6efb192ddc6bdbe96237bb93c9acb30856

SHA256
ff0b3f86ba38a9e80abe477fdd87c78cb34545b921b3d45aaef16f8738fed43e

SHA512
cc25c2532b57b46d579adb0255b5bd3e2cd96758782c0336faa0f0ee03b21aa67286784304f54bc3669af8e53d20f96ac141b6da772de46af0ee34d2cfa0f485

Download Submit
C:\Users\Admin\lcwpoOpiE6.exe

Filesize
420KB

MD5
efbfb6be20f3801ca005d1040e2ac835

SHA1
bfb4b87d012fcebfd4da30f5bbe89d57390a0fac

SHA256
83320165f8ecce6c2432eff5b82cee0e94fb20501435ad46cfcf841f8c482589

SHA512
47f680624698e0fc9705159401b0eb5cb5798fb241b0ebfd31eaee140c043591167fbc664a3c7f8d943812d4efec7dbf248d0d9a3b0e4c5950cc4524230e92ba

Download Submit
C:\Users\Admin\lcwpoOpiE6.exe

Filesize
420KB

MD5
efbfb6be20f3801ca005d1040e2ac835

SHA1
bfb4b87d012fcebfd4da30f5bbe89d57390a0fac

SHA256
83320165f8ecce6c2432eff5b82cee0e94fb20501435ad46cfcf841f8c482589

SHA512
47f680624698e0fc9705159401b0eb5cb5798fb241b0ebfd31eaee140c043591167fbc664a3c7f8d943812d4efec7dbf248d0d9a3b0e4c5950cc4524230e92ba

Download Submit
C:\Users\Admin\nzQlrRzKCSpT.exe

Filesize
120KB

MD5
fbedb1325c04ba0d321725b3fbca79e5

SHA1
c1cbaf5ce790cca2eac97ea5ef3e9051291841e0

SHA256
8fb95e30c957e92bd3ea42fc07c866fb6d71d3b9320f8fec19391bea5f1ef284

SHA512
79f92ce50425aa3633dbe8a8e5e67523cf357fb3dd742cf80b51e573ee85e0198d66b459cc940c5e0d2aa9cf7bf84e4705825ba6b58de05a9e5d4457bc6cc601

Download Submit
C:\Users\Admin\nzQlrRzKCSpT.exe

Filesize
120KB

MD5
fbedb1325c04ba0d321725b3fbca79e5

SHA1
c1cbaf5ce790cca2eac97ea5ef3e9051291841e0

SHA256
8fb95e30c957e92bd3ea42fc07c866fb6d71d3b9320f8fec19391bea5f1ef284

SHA512
79f92ce50425aa3633dbe8a8e5e67523cf357fb3dd742cf80b51e573ee85e0198d66b459cc940c5e0d2aa9cf7bf84e4705825ba6b58de05a9e5d4457bc6cc601

Download Submit
C:\Users\Admin\nzr.exe

Filesize
126KB

MD5
92911c5d331554c274d362f02e688272

SHA1
58cc94c667d722a7c0598f7af7de8a42184d72a9

SHA256
f5b3d5f68d76feb12d2b22aa0e8ccba9f755a4018a2d3447655f6fef2744d025

SHA512
d2440f90b04831c78fa3844293a84955f04be5c2d7cbe4c82165a28c8c31448c9cdbf13f693f9d392f0505aff6d77528a324ac1edbde7b4510ea25cb78305a66

Download Submit
C:\Users\Admin\nzr.exe

Filesize
126KB

MD5
92911c5d331554c274d362f02e688272

SHA1
58cc94c667d722a7c0598f7af7de8a42184d72a9

SHA256
f5b3d5f68d76feb12d2b22aa0e8ccba9f755a4018a2d3447655f6fef2744d025

SHA512
d2440f90b04831c78fa3844293a84955f04be5c2d7cbe4c82165a28c8c31448c9cdbf13f693f9d392f0505aff6d77528a324ac1edbde7b4510ea25cb78305a66

Download Submit
C:\Users\Admin\nzs.exe

Filesize
78KB

MD5
9ab65728d3f155c0c8c69bf4cf4260ed

SHA1
bad7747e623049b35cf33bb0ad75ae129f1487dc

SHA256
97c5c1826d3d9acceedaec99c550957b413355f79a4d6ab6f544acb918ccd54e

SHA512
a9c4819f60d5b9ab30911c0f1939fab273c83b558055f3f47805e347373a3dea6fdda27631043c38101eeab392e08e91a05a28896606332662e6442f71621f3e

Download Submit
C:\Users\Admin\nzs.exe

Filesize
78KB

MD5
9ab65728d3f155c0c8c69bf4cf4260ed

SHA1
bad7747e623049b35cf33bb0ad75ae129f1487dc

SHA256
97c5c1826d3d9acceedaec99c550957b413355f79a4d6ab6f544acb918ccd54e

SHA512
a9c4819f60d5b9ab30911c0f1939fab273c83b558055f3f47805e347373a3dea6fdda27631043c38101eeab392e08e91a05a28896606332662e6442f71621f3e

Download Submit
C:\Users\Admin\sorub.exe

Filesize
420KB

MD5
06613d386940262691c5edda1189da34

SHA1
fb2f0ca6de05051b25123e0975da980a8fdc4f71

SHA256
8da61f760a9bd19ea039f19ccd9d3d29ed8dc6441e114c58ac3edbcebb1f2629

SHA512
dde3432b4bbed408c2d9b614c9a34793f4eae24e27231b97df1b28a548704f0d6c38495037621dce0959fbc75b0e2cf60070cbbe1e90b31877fd8d9896667f19

Download Submit
C:\Users\Admin\sorub.exe

Filesize
420KB

MD5
06613d386940262691c5edda1189da34

SHA1
fb2f0ca6de05051b25123e0975da980a8fdc4f71

SHA256
8da61f760a9bd19ea039f19ccd9d3d29ed8dc6441e114c58ac3edbcebb1f2629

SHA512
dde3432b4bbed408c2d9b614c9a34793f4eae24e27231b97df1b28a548704f0d6c38495037621dce0959fbc75b0e2cf60070cbbe1e90b31877fd8d9896667f19

Download Submit
memory/652-150-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/652-152-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/652-153-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/652-159-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1736-162-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1736-164-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download