9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Size

1.2MB
MD5

481e68234d23e56674c79dc71a92a5b7
SHA1

5e690de1e70ba4b1c3172f1681811e6b63a713d4
SHA256

9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f
SHA512

93c895a770dbd35c4a9b4ffb6c39b710312a05aabd9daf100e783bab67211f34e38f06f817c22ad9025d43bff530e576ccbc045022bbb2667cfa8c6f394892e8
SSDEEP

24576:lEb5ocUY3zJo3Nc6Gcjf8xu22hkoJ/jp6ZRJMh+gC6CRRkP:lfwV2NYtxu2toGVkP

Score

9^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000133a7-65.dat	acprotect
behavioral1/files/0x00080000000133a7-64.dat	acprotect
behavioral1/files/0x00070000000133ab-67.dat	acprotect
behavioral1/files/0x0007000000013445-70.dat	acprotect
behavioral1/files/0x0007000000013445-69.dat	acprotect
behavioral1/files/0x00070000000133ab-68.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1900	services.exe
616	services.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RpcX86\ImagePath = "C:\\Windows\\SysWOW64\\usmt\\services.exe -k netsvcs"	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000133ab-67.dat	upx
behavioral1/files/0x0007000000013445-70.dat	upx
behavioral1/files/0x0007000000013445-69.dat	upx
behavioral1/files/0x00070000000133ab-68.dat	upx
behavioral1/memory/616-71-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/616-72-0x0000000003090000-0x00000000030B9000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
616	services.exe

Loads dropped DLL 7 IoCs

pid	Process
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
616	services.exe
616	services.exe
616	services.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\usmt\services.exe	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
File created	C:\Windows\SysWOW64\rpcx86.dll	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
File created	C:\Windows\SysWOW64\libeay32.dll	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
File created	C:\Windows\SysWOW64\ssleay32.dll	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32\ThreadingModel0 = b1122c913ccb12c2b6b23a989cc962961555507825f695241f4c02b38ee46744e736b573acb6a6b6d46281fa9f319c391f4daae8231f0c7861689d48e20bbdbf363f8973dd439489ebdd7fc3e32a43d73c9226111ae6825826fc0c954dda67c4653d54fc30d242701e7045ecc671d719e8a726a729ac299b32aa2dac31b030b2	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel15 = 631a5307f652b11dfe3be4b262722bd76cc21b286280d0703515b8545665692c43b9274e932e098292eaeb6ab48e98f76ca3d55b37f73cffe6391162693684fcbb8afc89a5af6c4171b6cef9df19322acd69175485d5f04498bc0427abd31584b6987c6c8703a1918dddd4a49ea1e6ddd3e7aba9aceeedb1e1ede4b4aeb1f6ed	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E328247-D3A5-4187-97BC-A73B73FBF79C}\InprocServer32\ThreadingModel1 = 7593bfc5c146203923578195b2c2b8ec1d714e5a807b9b92b4f06af254f5640de3194df447d58e67d722f8c3ba44627d4d4874795bac95aec2ddfc4027735e74bbd8f00af110216d596bb79cead41d334f3a4e9882c9b2fb15021d3578657a91b2f50e291458435d75bca4bcd5f210233d879fbaa6e21026373f5f8896b1d6cc	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32\ThreadingModel12 = 7227d6da0d7b5ca26192be88b5badfabb357d0a685a684d1813f5575acd9b819a103da5284a9a515436ba8d3cb3f6fa0359f4e75be603f653378f5b5581be40d2fbc2d53472ab3c8b07b8ce6d480392dc8815021db4587347798495f96d2438f63179447c24a8b0bdffa227503b8a10e3d941242aac8741b74c2db8abe09ea6b	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel12 = 7227d6da0d7b5ca26192be88b5badfabb357d0a685a684d1813f5575acd9b819a103da5284a9a515436ba8d3cb3f6fa0359f4e75be603f653378f5b5581be40d2fbc2d53472ab3c8b07b8ce6d480392dc8815021db4587347798495f96d2438f63179447c24a8b0bdffa227503b8a10e3d941242aac8741b74c2db8abe09ea6b	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel13 = 02af666dbeb38df1cd7a27e58b18cf51b2cd9b80daebc3457c689cc6a29e977b8c0f514ef93dd6e8d0b150e7a86f785ba398054e165926a65b66dce3eab8c9bddc3a7637d799f4c18a1d7fca5c411b13e22d46368105b15d27da3867f2b9707663ff1bdd65a6a8407012230c4a1b509f404ad1bdd787892849bfa6865923fcdf	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel15 = 631a5307f652b11dfe3be4b262722bd76cc21b286280d0703515b8545665692c43b9274e932e098292eaeb6ab48e98f76ca3d55b37f73cffe6391162693684fcbb8afc89a5af6c4171b6cef9df19322acd69175485d5f04498bc0427abd31584b6987c6c8703a1918dddd4a49ea1e6ddd3e7aba9aceeedb1e1ede4b4aeb1f6ed	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel0 = b1122c913ccb12c2b6b23a989cc962961555507825f695241f4c02b38ee46744e736b573acb6a6b6d46281fa9f319c391f4daae8231f0c7861689d48e20bbdbf363f8973dd439489ebdd7fc3e32a43d73c9226111ae6825826fc0c954dda67c4653d54fc30d242701e7045ecc671d719e8a726a729ac299b32aa2dac31b030b2	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel13 = 02af666dbeb38df1cd7a27e58b18cf51b2cd9b80daebc3457c689cc6a29e977b8c0f514ef93dd6e8d0b150e7a86f785ba398054e165926a65b66dce3eab8c9bddc3a7637d799f4c18a1d7fca5c411b13e22d46368105b15d27da3867f2b9707663ff1bdd65a6a8407012230c4a1b509f404ad1bdd787892849bfa6865923fcdf	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel0 = b1122c913ccb12c2b6b23a989cc962961555507825f695241f4c02b38ee46744e736b573acb6a6b6d46281fa9f319c391f4daae8231f0c7861689d48e20bbdbf363f8973dd439489ebdd7fc3e32a43d73c9226111ae6825826fc0c954dda67c4653d54fc30d242701e7045ecc671d719e8a726a729ac299b32aa2dac31b030b2	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E328247-D3A5-4187-97BC-A73B73FBF79C}\InprocServer32	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32\ThreadingModel14 = d67c51a2fbec6a35dc48d25cb76bf4b511db9059bf35f5dc9c52fd30a5420b9253558af238d8a67560313611ee8e245eed47b50e5da682bce5c91efabfb090c1c0c836ca8d7dc05669923e77266983e7275f57f082ef31fea14c79d9018d8aa8eaadf3233bfab8b58e89763a7168595e5123473d41393a2525bb397f3dd753e9	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel12 = 7227d6da0d7b5ca26192be88b5badfabb357d0a685a684d1813f5575acd9b819a103da5284a9a515436ba8d3cb3f6fa0359f4e75be603f653378f5b5581be40d2fbc2d53472ab3c8b07b8ce6d480392dc8815021db4587347798495f96d2438f63179447c24a8b0bdffa227503b8a10e3d941242aac8741b74c2db8abe09ea6b	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel15 = 631a5307f652b11dfe3be4b262722bd76cc21b286280d0703515b8545665692c43b9274e932e098292eaeb6ab48e98f76ca3d55b37f73cffe6391162693684fcbb8afc89a5af6c4171b6cef9df19322acd69175485d5f04498bc0427abd31584b6987c6c8703a1918dddd4a49ea1e6ddd3e7aba9aceeedb1e1ede4b4aeb1f6ed	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel14 = d67c51a2fbec6a35dc48d25cb76bf4b511db9059bf35f5dc9c52fd30a5420b9253558af238d8a67560313611ee8e245eed47b50e5da682bce5c91efabfb090c1c0c836ca8d7dc05669923e77266983e7275f57f082ef31fea14c79d9018d8aa8eaadf3233bfab8b58e89763a7168595e5123473d41393a2525bb397f3dd753e9	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel14 = d67c51a2fbec6a35dc48d25cb76bf4b511db9059bf35f5dc9c52fd30a5420b9253558af238d8a67560313611ee8e245eed47b50e5da682bce5c91efabfb090c1c0c836ca8d7dc05669923e77266983e7275f57f082ef31fea14c79d9018d8aa8eaadf3233bfab8b58e89763a7168595e5123473d41393a2525bb397f3dd753e9	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32\ThreadingModel13 = 02af666dbeb38df1cd7a27e58b18cf51b2cd9b80daebc3457c689cc6a29e977b8c0f514ef93dd6e8d0b150e7a86f785ba398054e165926a65b66dce3eab8c9bddc3a7637d799f4c18a1d7fca5c411b13e22d46368105b15d27da3867f2b9707663ff1bdd65a6a8407012230c4a1b509f404ad1bdd787892849bfa6865923fcdf	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel11 = 678333c92f261838597a9eb6e2012143660674c9ec08264e6c8ba9d1eb183851727c59d550bacd0491abb70b7c61d820e5806939a88d274dc82b98a288d5027878bbc2cbee7115107599792417bf32ce9afdaa840c2ba35f40b47f6f0f5212d07c37c5341d87f7d15f0de9d17f9d9fc6578584b36305bfad8bb67938943e96c6	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel12 = 7227d6da0d7b5ca26192be88b5badfabb357d0a685a684d1813f5575acd9b819a103da5284a9a515436ba8d3cb3f6fa0359f4e75be603f653378f5b5581be40d2fbc2d53472ab3c8b07b8ce6d480392dc8815021db4587347798495f96d2438f63179447c24a8b0bdffa227503b8a10e3d941242aac8741b74c2db8abe09ea6b	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel15 = 631a5307f652b11dfe3be4b262722bd76cc21b286280d0703515b8545665692c43b9274e932e098292eaeb6ab48e98f76ca3d55b37f73cffe6391162693684fcbb8afc89a5af6c4171b6cef9df19322acd69175485d5f04498bc0427abd31584b6987c6c8703a1918dddd4a49ea1e6ddd3e7aba9aceeedb1e1ede4b4aeb1f6ed	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel14 = d67c51a2fbec6a35dc48d25cb76bf4b511db9059bf35f5dc9c52fd30a5420b9253558af238d8a67560313611ee8e245eed47b50e5da682bce5c91efabfb090c1c0c836ca8d7dc05669923e77266983e7275f57f082ef31fea14c79d9018d8aa8eaadf3233bfab8b58e89763a7168595e5123473d41393a2525bb397f3dd753e9	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel13 = 02af666dbeb38df1cd7a27e58b18cf51b2cd9b80daebc3457c689cc6a29e977b8c0f514ef93dd6e8d0b150e7a86f785ba398054e165926a65b66dce3eab8c9bddc3a7637d799f4c18a1d7fca5c411b13e22d46368105b15d27da3867f2b9707663ff1bdd65a6a8407012230c4a1b509f404ad1bdd787892849bfa6865923fcdf	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel11 = 678333c92f261838597a9eb6e2012143660674c9ec08264e6c8ba9d1eb183851727c59d550bacd0491abb70b7c61d820e5806939a88d274dc82b98a288d5027878bbc2cbee7115107599792417bf32ce9afdaa840c2ba35f40b47f6f0f5212d07c37c5341d87f7d15f0de9d17f9d9fc6578584b36305bfad8bb67938943e96c6	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32\ThreadingModel0 = 189e5fc6b01b20691fcae096eda4d9f4cdd2dc691a3e20dc256b4c0ff53864ef2baa83e82ddb9128d4a060e03396e1ed4093507564bd8f624cbe1cce7ad046c36ca490e3585874d9dcf9e8b419555d78180e159477350a0cb02006efd8c4a88381624c342109efdac28a94fc0f792b4cc6d5e5c21be8bd1447ed0e91bf5ef0e2	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E328247-D3A5-4187-97BC-A73B73FBF79C}	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel0 = 189e5fc6b01b20691fcae096eda4d9f4cdd2dc691a3e20dc256b4c0ff53864ef2baa83e82ddb9128d4a060e03396e1ed4093507564bd8f624cbe1cce7ad046c36ca490e3585874d9dcf9e8b419555d78180e159477350a0cb02006efd8c4a88381624c342109efdac28a94fc0f792b4cc6d5e5c21be8bd1447ed0e91bf5ef0e2	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel14 = d67c51a2fbec6a35dc48d25cb76bf4b511db9059bf35f5dc9c52fd30a5420b9253558af238d8a67560313611ee8e245eed47b50e5da682bce5c91efabfb090c1c0c836ca8d7dc05669923e77266983e7275f57f082ef31fea14c79d9018d8aa8eaadf3233bfab8b58e89763a7168595e5123473d41393a2525bb397f3dd753e9	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel0 = 189e5fc6b01b20691fcae096eda4d9f4cdd2dc691a3e20dc256b4c0ff53864ef2baa83e82ddb9128d4a060e03396e1ed4093507564bd8f624cbe1cce7ad046c36ca490e3585874d9dcf9e8b419555d78180e159477350a0cb02006efd8c4a88381624c342109efdac28a94fc0f792b4cc6d5e5c21be8bd1447ed0e91bf5ef0e2	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel13 = 02af666dbeb38df1cd7a27e58b18cf51b2cd9b80daebc3457c689cc6a29e977b8c0f514ef93dd6e8d0b150e7a86f785ba398054e165926a65b66dce3eab8c9bddc3a7637d799f4c18a1d7fca5c411b13e22d46368105b15d27da3867f2b9707663ff1bdd65a6a8407012230c4a1b509f404ad1bdd787892849bfa6865923fcdf	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32\ThreadingModel11 = 678333c92f261838597a9eb6e2012143660674c9ec08264e6c8ba9d1eb183851727c59d550bacd0491abb70b7c61d820e5806939a88d274dc82b98a288d5027878bbc2cbee7115107599792417bf32ce9afdaa840c2ba35f40b47f6f0f5212d07c37c5341d87f7d15f0de9d17f9d9fc6578584b36305bfad8bb67938943e96c6	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28D1DB8F-7EC6-4618-8892-099449D092D9}\InprocServer32\ThreadingModel15 = 631a5307f652b11dfe3be4b262722bd76cc21b286280d0703515b8545665692c43b9274e932e098292eaeb6ab48e98f76ca3d55b37f73cffe6391162693684fcbb8afc89a5af6c4171b6cef9df19322acd69175485d5f04498bc0427abd31584b6987c6c8703a1918dddd4a49ea1e6ddd3e7aba9aceeedb1e1ede4b4aeb1f6ed	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel11 = 678333c92f261838597a9eb6e2012143660674c9ec08264e6c8ba9d1eb183851727c59d550bacd0491abb70b7c61d820e5806939a88d274dc82b98a288d5027878bbc2cbee7115107599792417bf32ce9afdaa840c2ba35f40b47f6f0f5212d07c37c5341d87f7d15f0de9d17f9d9fc6578584b36305bfad8bb67938943e96c6	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32\ThreadingModel12 = 7227d6da0d7b5ca26192be88b5badfabb357d0a685a684d1813f5575acd9b819a103da5284a9a515436ba8d3cb3f6fa0359f4e75be603f653378f5b5581be40d2fbc2d53472ab3c8b07b8ce6d480392dc8815021db4587347798495f96d2438f63179447c24a8b0bdffa227503b8a10e3d941242aac8741b74c2db8abe09ea6b	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA4BF37-7E99-4ED2-8DCF-A9469F1C086B}\InprocServer32\ThreadingModel11 = 678333c92f261838597a9eb6e2012143660674c9ec08264e6c8ba9d1eb183851727c59d550bacd0491abb70b7c61d820e5806939a88d274dc82b98a288d5027878bbc2cbee7115107599792417bf32ce9afdaa840c2ba35f40b47f6f0f5212d07c37c5341d87f7d15f0de9d17f9d9fc6578584b36305bfad8bb67938943e96c6	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89179E2F-D33B-4B0F-9183-E466DDA37F06}\InprocServer32	services.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe
616	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
616	services.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Token: SeSystemtimePrivilege	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Token: SeSystemtimePrivilege	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Token: SeSystemtimePrivilege	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Token: SeSystemtimePrivilege	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Token: SeSystemtimePrivilege	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
Token: SeSystemtimePrivilege	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
616	services.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1900	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe	26
PID 1608 wrote to memory of 1900	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe	26
PID 1608 wrote to memory of 1900	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe	26
PID 1608 wrote to memory of 1900	1608	9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe	26

C:\Users\Admin\AppData\Local\Temp\9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe
"C:\Users\Admin\AppData\Local\Temp\9fde4284001b454a6dbc9137c897cc3c5d38ebe6e0d18e194eefb47e1c93166f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\usmt\services.exe
  "C:\Windows\system32\usmt\services.exe" /install /silent
  2⤵
  - Executes dropped EXE
  - Sets service image path in registry
  PID:1900

C:\Windows\SysWOW64\usmt\services.exe
C:\Windows\SysWOW64\usmt\services.exe -k netsvcs
1⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\libeay32.dll

Filesize
284KB

MD5
9ddd781ee35ebbd7a9d8528fb4b6e5bf

SHA1
8d60b4bf5fd056d09394b448fd87202a58cd1cba

SHA256
f0797ddb1fb70a8c053e64e0066c5e375c2ae6da242cb606414df421bb2e14d2

SHA512
0f0b7d3d1dbd9129e70a85483a07a7e3abff298b2b1d52ce3db06e9786ff9ce62c0d565f77824049fa446554eebd35c88647b8eb92de978d072864d28ce8fd48

Download Submit
C:\Windows\SysWOW64\rpcx86.dll

Filesize
229KB

MD5
cd6ea27860d790c35fa135e573161657

SHA1
81edbdb0001502f29278753354e72332b4dde57c

SHA256
9ec37a911642bed76e33479f0225e0d0f61e0be8ebbf87a081a852431c6632fe

SHA512
c8d73d0a5741dd7d644cb39af54f69b9ac113de3197efb7fdea500a0779ee135a362a280062a5159db74f2ed682ab88b2e56d338502009309a28bb1255797d04

Download Submit
C:\Windows\SysWOW64\ssleay32.dll

Filesize
62KB

MD5
1649356d2dd6ea301397b5aec441c137

SHA1
78ab03a7c47bd4ebd56261226adcedd1f2f2ee66

SHA256
a0f7e0ab4c22f89d1fddb1c582b6e550399400fc8473b6770a55f34fed78f25a

SHA512
c15b356d94fc82907b378e6201db581edb7b2eac5b07a8d95178e3f2bf00aeca978aac6446ba7a082ed52b2e225421ef5bf9ce88387ec0bb413b11ee05dec44f

Download Submit
C:\Windows\SysWOW64\usmt\services.exe

Filesize
540KB

MD5
19326390316294e69d7eb70d4e62c519

SHA1
ea749c3e8f9ffdd1e4f4a644751d64033bafc324

SHA256
9afdb254cb18cabaf3daf9e23f347f9857b215ef44e8ac203165567fe5f97945

SHA512
20324db0350f373bc3fcd2a3624e7ca365ba17b08f3fc9ff27e0acce2635a314fb111d8adf801379dc61986a868150c6e6c89260728a536212d5a0446a2c99dc

Download Submit
C:\Windows\SysWOW64\usmt\services.exe

Filesize
540KB

MD5
19326390316294e69d7eb70d4e62c519

SHA1
ea749c3e8f9ffdd1e4f4a644751d64033bafc324

SHA256
9afdb254cb18cabaf3daf9e23f347f9857b215ef44e8ac203165567fe5f97945

SHA512
20324db0350f373bc3fcd2a3624e7ca365ba17b08f3fc9ff27e0acce2635a314fb111d8adf801379dc61986a868150c6e6c89260728a536212d5a0446a2c99dc

Download Submit
\Windows\SysWOW64\libeay32.dll

Filesize
284KB

MD5
9ddd781ee35ebbd7a9d8528fb4b6e5bf

SHA1
8d60b4bf5fd056d09394b448fd87202a58cd1cba

SHA256
f0797ddb1fb70a8c053e64e0066c5e375c2ae6da242cb606414df421bb2e14d2

SHA512
0f0b7d3d1dbd9129e70a85483a07a7e3abff298b2b1d52ce3db06e9786ff9ce62c0d565f77824049fa446554eebd35c88647b8eb92de978d072864d28ce8fd48

Download Submit
\Windows\SysWOW64\rpcx86.dll

Filesize
229KB

MD5
cd6ea27860d790c35fa135e573161657

SHA1
81edbdb0001502f29278753354e72332b4dde57c

SHA256
9ec37a911642bed76e33479f0225e0d0f61e0be8ebbf87a081a852431c6632fe

SHA512
c8d73d0a5741dd7d644cb39af54f69b9ac113de3197efb7fdea500a0779ee135a362a280062a5159db74f2ed682ab88b2e56d338502009309a28bb1255797d04

Download Submit
\Windows\SysWOW64\ssleay32.dll

Filesize
62KB

MD5
1649356d2dd6ea301397b5aec441c137

SHA1
78ab03a7c47bd4ebd56261226adcedd1f2f2ee66

SHA256
a0f7e0ab4c22f89d1fddb1c582b6e550399400fc8473b6770a55f34fed78f25a

SHA512
c15b356d94fc82907b378e6201db581edb7b2eac5b07a8d95178e3f2bf00aeca978aac6446ba7a082ed52b2e225421ef5bf9ce88387ec0bb413b11ee05dec44f

Download Submit
\Windows\SysWOW64\usmt\services.exe

Filesize
540KB

MD5
19326390316294e69d7eb70d4e62c519

SHA1
ea749c3e8f9ffdd1e4f4a644751d64033bafc324

SHA256
9afdb254cb18cabaf3daf9e23f347f9857b215ef44e8ac203165567fe5f97945

SHA512
20324db0350f373bc3fcd2a3624e7ca365ba17b08f3fc9ff27e0acce2635a314fb111d8adf801379dc61986a868150c6e6c89260728a536212d5a0446a2c99dc

Download Submit
\Windows\SysWOW64\usmt\services.exe

Filesize
540KB

MD5
19326390316294e69d7eb70d4e62c519

SHA1
ea749c3e8f9ffdd1e4f4a644751d64033bafc324

SHA256
9afdb254cb18cabaf3daf9e23f347f9857b215ef44e8ac203165567fe5f97945

SHA512
20324db0350f373bc3fcd2a3624e7ca365ba17b08f3fc9ff27e0acce2635a314fb111d8adf801379dc61986a868150c6e6c89260728a536212d5a0446a2c99dc

Download Submit
\Windows\SysWOW64\usmt\services.exe

Filesize
540KB

MD5
19326390316294e69d7eb70d4e62c519

SHA1
ea749c3e8f9ffdd1e4f4a644751d64033bafc324

SHA256
9afdb254cb18cabaf3daf9e23f347f9857b215ef44e8ac203165567fe5f97945

SHA512
20324db0350f373bc3fcd2a3624e7ca365ba17b08f3fc9ff27e0acce2635a314fb111d8adf801379dc61986a868150c6e6c89260728a536212d5a0446a2c99dc

Download Submit
\Windows\SysWOW64\usmt\services.exe

Filesize
540KB

MD5
19326390316294e69d7eb70d4e62c519

SHA1
ea749c3e8f9ffdd1e4f4a644751d64033bafc324

SHA256
9afdb254cb18cabaf3daf9e23f347f9857b215ef44e8ac203165567fe5f97945

SHA512
20324db0350f373bc3fcd2a3624e7ca365ba17b08f3fc9ff27e0acce2635a314fb111d8adf801379dc61986a868150c6e6c89260728a536212d5a0446a2c99dc

Download Submit
memory/616-66-0x0000000002710000-0x00000000027AF000-memory.dmp

Filesize
636KB

Download
memory/616-71-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/616-72-0x0000000003090000-0x00000000030B9000-memory.dmp

Filesize
164KB

Download
memory/616-73-0x0000000002710000-0x00000000027AF000-memory.dmp

Filesize
636KB

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download