Analysis

max time kernel: 404s
max time network: 441s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 13:38

Behavioral task: behavioral1
Sample: 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe
Resource: win7-20220812-en
General

Target: 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe
Size: 328KB
MD5: 39c358ee0daff93638ea38c734848529
SHA1: bf6f1de85e6207965652e479358d1d1f36828526
SHA256: 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877
SHA512: 6ac711de8ec69a7b617de438459676a296167efa4660a5f5bb2f592f6b6dde5b37fb7c8b7c01b6d2f6b77f58a2d66c8ccab34b279bf295bf165c98fa10bc6261
SSDEEP: 6144:Gk4qmaTavTMT4o1C5apw64ZRBW9KcKfVuD+0IP+4xFIKFA:59jZ1uddc2ADy+5a
Malware Config

Extracted

Family: cybergate
Version: 2.6
Botnet: TEST
C2:
- 127.0.0.1:81
- satohack.zapto.org:81
- bluelightning.zapto.org:81
Mutex: ***MUTEX***

Attributes:
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: Telnetdll
- install_file: svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: Windows
- regkey_hklm: Windows
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows = "C:\\Windows\\system32\\Telnetdll\\svchost.exe" | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows = "C:\\Windows\\system32\\Telnetdll\\svchost.exe" | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |

Executes dropped EXE (2 IoCs)

| pid | Process |
| --- | --- |
| 4032 | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe |
| 3520 | DesktopLayer.exe |

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4G2S2IC-8LN2-31T2-5VU0-323H5NSAB80I} | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4G2S2IC-8LN2-31T2-5VU0-323H5NSAB80I}\StubPath = "C:\\Windows\\system32\\Telnetdll\\svchost.exe Restart" | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4G2S2IC-8LN2-31T2-5VU0-323H5NSAB80I} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4G2S2IC-8LN2-31T2-5VU0-323H5NSAB80I}\StubPath = "C:\\Windows\\system32\\Telnetdll\\svchost.exe" | explorer.exe |

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/1632-132-0x0000000000400000-0x0000000000464000-memory.dmp | upx |
| behavioral2/files/0x000a000000022d77-134.dat | upx |
| behavioral2/memory/4032-135-0x0000000000400000-0x000000000042E000-memory.dmp | upx |
| behavioral2/files/0x000a000000022d77-136.dat | upx |
| behavioral2/files/0x000a000000022d9f-138.dat | upx |
| behavioral2/memory/1632-140-0x0000000024010000-0x0000000024072000-memory.dmp | upx |
| behavioral2/files/0x000a000000022d9f-143.dat | upx |
| behavioral2/memory/3520-145-0x0000000000400000-0x000000000042E000-memory.dmp | upx |
| behavioral2/memory/4032-144-0x0000000000400000-0x000000000042E000-memory.dmp | upx |
| behavioral2/memory/1632-148-0x0000000024080000-0x00000000240E2000-memory.dmp | upx |
| behavioral2/memory/3836-151-0x0000000024080000-0x00000000240E2000-memory.dmp | upx |
| behavioral2/memory/3836-152-0x0000000024080000-0x00000000240E2000-memory.dmp | upx |
| behavioral2/memory/1632-155-0x00000000240F0000-0x0000000024152000-memory.dmp | upx |
| behavioral2/memory/1672-158-0x00000000240F0000-0x0000000024152000-memory.dmp | upx |
| behavioral2/memory/1672-159-0x00000000240F0000-0x0000000024152000-memory.dmp | upx |
| behavioral2/memory/1632-160-0x0000000000400000-0x0000000000464000-memory.dmp | upx |
| behavioral2/files/0x000a000000022d98-162.dat | upx |

Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Telnetdll\\svchost.exe" | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Telnetdll\\svchost.exe" | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |

Drops file in System32 directory (4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\Telnetdll\svchost.exe | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| File opened for modification | C:\Windows\SysWOW64\Telnetdll\svchost.exe | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |
| File opened for modification | C:\Windows\SysWOW64\Telnetdll\svchost.exe | explorer.exe |
| File opened for modification | C:\Windows\SysWOW64\Telnetdll\ | explorer.exe |

Drops file in Program Files directory (3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Microsoft\pxAF57.tmp | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe |
| File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe |

Modifies Internet Explorer settings

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6698AE09-74AB-11ED-B5DD-42A3CC74B480}.dat = "0" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1105939810" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000760" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1105939810" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6698AE07-74AB-11ED-B5DD-42A3CC74B480} = "0" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000760" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe |

Suspicious behavior: EnumeratesProcesses (8 IoCs)

| pid | Process |
| --- | --- |
| 3520 | DesktopLayer.exe |
| 3520 | DesktopLayer.exe |
| 3520 | DesktopLayer.exe |
| 3520 | DesktopLayer.exe |
| 3520 | DesktopLayer.exe |
| 3520 | DesktopLayer.exe |
| 3520 | DesktopLayer.exe |
| 3520 | DesktopLayer.exe |

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
| --- | --- |
| 3836 | explorer.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3836 | explorer.exe |
| Token: SeDebugPrivilege | 3836 | explorer.exe |

Suspicious use of FindShellTrayWindow (1 IoCs)

| pid | Process |
| --- | --- |
| 1632 | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
| --- | --- |
| 3188 | iexplore.exe |
| 3188 | iexplore.exe |

Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1632 wrote to memory of 4032 (logged 3 times) | 1632 | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe | 78 |
| PID 4032 wrote to memory of 3520 (logged 3 times) | 4032 | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe | 81 |
| PID 1632 wrote to memory of 784 (logged 58 times) | 1632 | 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe | 68 |
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 784
  - C:\Users\Admin\AppData\Local\Temp\5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877.exe"
    PID: 1632
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe
      PID: 4032
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        PID: 3520
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 3188
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3188 CREDAT:17410 /prefetch:2
            PID: 5036
            - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      PID: 3836
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      PID: 1672
      - Modifies Installed Components in the registry
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877Srv.exe
  Filesize: 55KB
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

- (no path recorded)
  Filesize: 229KB
  MD5: f2e18879ef66f26e630d1e733f4879cc
  SHA1: 9380082eeb6e23de4ce4a2c067e923c5d91e822b
  SHA256: 5d70e47216e5240a3d567d986e7c1dc239b0818a325e54888428f821853e126e
  SHA512: 8da957cd75684576a784c631a5e4b76f9a6cebee461dccb9787da72ffc4e157bfd901cb3eed244df4b4599a127ddc28fe95507bbea819751895db9145c1f0ba7

- (no path recorded; same hashes as the submitted sample)
  Filesize: 328KB
  MD5: 39c358ee0daff93638ea38c734848529
  SHA1: bf6f1de85e6207965652e479358d1d1f36828526
  SHA256: 5350ee759ff31bd0b188d1068c3ecd6b34bf70be174f726f33d711e5b6f9e877
  SHA512: 6ac711de8ec69a7b617de438459676a296167efa4660a5f5bb2f592f6b6dde5b37fb7c8b7c01b6d2f6b77f58a2d66c8ccab34b279bf295bf165c98fa10bc6261