927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 11:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Size

9.4MB
MD5

b292eec1e13e50eba89f12b55f93f634
SHA1

8f0750d7a689234c015a45dc481491b4e4b5697a
SHA256

927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239
SHA512

39b1d3b22ea6a1b6ea4c0d6aca1af5f03f34eb82fc9487b0d92310b3b8330693228608aff5228c0842e6664bff595e11390d9a8a52b944526cfc14935391370b
SSDEEP

196608:47effIPEsy58doQaTxLhQyZbIly38doQavqU/yE/QTly38doQa6wk89+hXTI5Y8l:47effIPEsy58doQaTxLhQyZbIly38doV

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

ACProtect 1.3x - 1.4x DLL software 10 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0001000000022e1f-138.dat	acprotect
behavioral2/memory/4204-140-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral2/files/0x0001000000022e1e-145.dat	acprotect
behavioral2/files/0x0001000000022e1f-146.dat	acprotect
behavioral2/files/0x0001000000022e1f-147.dat	acprotect
behavioral2/memory/2608-149-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral2/files/0x0001000000022e1e-159.dat	acprotect
behavioral2/files/0x0001000000022e1f-160.dat	acprotect
behavioral2/files/0x0001000000022e1f-161.dat	acprotect
behavioral2/memory/4932-162-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4204-132-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1008-134-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x0001000000022e1f-138.dat	upx
behavioral2/memory/4204-139-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4204-140-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral2/memory/2608-141-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/216-142-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x0001000000022e1c-143.dat	upx
behavioral2/files/0x0001000000022e1d-144.dat	upx
behavioral2/files/0x0001000000022e1e-145.dat	upx
behavioral2/files/0x0001000000022e1f-146.dat	upx
behavioral2/files/0x0001000000022e1f-147.dat	upx
behavioral2/memory/2608-148-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2608-149-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral2/memory/1496-152-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4932-153-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1008-158-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x0001000000022e1e-159.dat	upx
behavioral2/files/0x0001000000022e1f-160.dat	upx
behavioral2/files/0x0001000000022e1f-161.dat	upx
behavioral2/memory/4932-162-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral2/memory/216-163-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1496-164-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4932-165-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
2608	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4932	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\J:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\M:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\S:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\G:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\Q:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\P:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\X:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\X:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\H:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\O:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\P:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\G:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\I:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\U:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\R:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\G:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\Q:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\G:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\L:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\U:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\P:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\I:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\N:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\N:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\V:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\H:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\K:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\N:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\T:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\W:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\X:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\I:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\J:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\U:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\J:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\I:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\K:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\X:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\L:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\V:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\T:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\O:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\S:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\F:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\U:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\L:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\E:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\Q:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\K:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\O:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\V:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\K:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\E:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\F:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\V:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\E:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\H:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\K:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\L:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\M:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\Q:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\E:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened (read-only)	\??\O:	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ftpdll.dll	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened for modification	C:\Windows\SysWOW64\ftpdll.dll	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
File opened for modification	C:\Windows\SysWOW64\ftpdll.dll	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
2608	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
2608	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
2608	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
2608	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
2608	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
4932	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1008	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	83
PID 4204 wrote to memory of 1008	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	83
PID 4204 wrote to memory of 1008	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	83
PID 4204 wrote to memory of 1972	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	85
PID 4204 wrote to memory of 1972	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	85
PID 4204 wrote to memory of 1972	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	85
PID 4204 wrote to memory of 2608	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	86
PID 4204 wrote to memory of 2608	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	86
PID 4204 wrote to memory of 2608	4204	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	86
PID 1008 wrote to memory of 216	1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	88
PID 1008 wrote to memory of 216	1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	88
PID 1008 wrote to memory of 216	1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	88
PID 1008 wrote to memory of 1496	1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	90
PID 1008 wrote to memory of 1496	1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	90
PID 1008 wrote to memory of 1496	1008	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	90
PID 216 wrote to memory of 4932	216	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	92
PID 216 wrote to memory of 4932	216	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	92
PID 216 wrote to memory of 4932	216	927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe	92

C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
"C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
  C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
    C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
    3⤵
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
      C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
      4⤵
      Drops file in Drivers directory
      Sets service image path in registry
      Loads dropped DLL
      Adds Run key to start application
      Enumerates connected drives
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:4932
- - C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
    C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
    3⤵
    - Enumerates connected drives
    PID:1496
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
  C:\Users\Admin\AppData\Local\Temp\927a4d055e9ac4a0a257eceb68af572bf440308b1a7363793e43f53ffc28a239.exe
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
5e9fc5735c6f6d59c13551ef83d7e3b4

SHA1
ff08507b6afa438652f8ef436ca9827584b979a8

SHA256
ac7469bd9cbe457f094e12097223aa264ce4343dad55684065f6f964fd4d15cc

SHA512
5a3fa6ed1c7a1fef5bcb28d8f3d292d71d24b8a26058cc4308e9d35d31d18c72dfb194efe91312a296ae3bcde49bda08ba2abd12f6f069d27f4cd66714f0fa37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
280B

MD5
b93d0e112dcf2d635de7e30dd2ce477c

SHA1
d3277330cec1910dd75f64173f57862566869cbb

SHA256
e53cbd98b1ae79b1b5116772ee84eea98610c5e2fe959d8ce12437d7ffde7c47

SHA512
7165c6f58853c34fdf546220c89269e1d6ee45262150639337193f3ed7b61aa7bc1d84373c90de526f11bf27a6317e9d7228c923795604a8d3cd58165b55e2e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
95b5ff64261288168b33d559a17d7a28

SHA1
6bcd154dc64f1cb2ee5ba21604826ccbed75fbc6

SHA256
af14377383409f9a0cf84f2223c89cd37aa2ff46ad5ee52204250ab3cd999819

SHA512
3f6cb9dab9db9dff6dfba2490342935c02e6470da213164ad8160467157c611f857ddff915f213f0e3185b882c872fac9414b132d5cb286bfa81cd824ff72f4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
e4b267d9a1cffe82c5339968fc4bd607

SHA1
b887f5c8d7076ea1c86ed23b5f479a35dadc6509

SHA256
08a975da1fea9d13dde582d286dba9f375fa10c3650ab32040c73c74c870942f

SHA512
f6fed31e3c33fdb5f672a99ecfeacd75033fe26e039b9eebde9cd1039c9e9430aba191a2451e863a6f168c82b0158deca0cb186b89b12d52d3bac115c81672a5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
9.4MB

MD5
753aab577eeb769eac8b82396956500b

SHA1
81e24923808c1abc5ed32f8915476b0a90971e16

SHA256
82137eae3f5f28380be90a98bb0692ab2e9da2bb84ff6843ddd7f1830d5ea1a9

SHA512
0902539d4c58bea8b675652d7b7b7486675ac324c00fbd557bc67a033c471b3c4cf25edef9537a853f0c78f8a3fde37f449e92377b2d25e4fcff138a621c7366

Download Submit
C:\Users\Admin\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Users\Admin\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
9.4MB

MD5
46e5ab2d2e4d66fcd7458255841d3e9b

SHA1
9053d537cb4163a26de273ac6f9a60732c75bb07

SHA256
c211e5bf33b5b5c357a3e4c735e5211008d21779e0f074ccc50db0c34e209367

SHA512
9e234b496168513c339825d3728cc89a79561eb02e18534e80cf93f9019a6ae131ec3c7671906108a520667b83713958a8a7129ba69227dde28d56f302c1d649

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
memory/216-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/216-163-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1008-158-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1008-134-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1496-164-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1496-152-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2608-148-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2608-149-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/2608-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4204-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4204-140-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/4204-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4932-153-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4932-162-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/4932-165-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download