a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
Size

2.2MB
MD5

9e4d09a7474c46b0a3ff4cfa5008bc37
SHA1

9f20082009c22993c537d6853415c52e4996130b
SHA256

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c
SHA512

3acbeba466ceee2f18db9a77ef024172691cea1740b5d119ad5f895e73bcef790fc0d8cdec263f021991f3be3100dc42cddd95b6ac942210407fda2686b34de5
SSDEEP

49152:N0WOSXVYV0JGKWZBFzCqFPu5rzt876hCwS/vdjj:0/R5FkrFEvFj

Score

9^/10

bootkit persistence upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\skin.dll	acprotect
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll	acprotect
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\skin.dll	upx
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll	upx
behavioral1/memory/112-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/112-64-0x0000000003430000-0x00000000034AA000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/112-55-0x0000000000400000-0x000000000070F000-memory.dmp	vmprotect
behavioral1/memory/112-57-0x0000000000400000-0x000000000070F000-memory.dmp	vmprotect
behavioral1/memory/112-92-0x0000000000400000-0x000000000070F000-memory.dmp	vmprotect

Loads dropped DLL 5 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

description	ioc	process
File opened (read-only)	\??\p:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\r:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\e:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\f:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\g:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\j:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\m:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\a:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\h:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\s:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\t:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\x:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\y:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\z:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\k:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\n:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\o:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\q:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\w:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\b:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\i:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\l:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\u:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\v:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

description ioc process

File opened for modification \??\PhysicalDrive0 a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/112-55-0x0000000000400000-0x000000000070F000-memory.dmp	autoit_exe
behavioral1/memory/112-57-0x0000000000400000-0x000000000070F000-memory.dmp	autoit_exe
behavioral1/memory/112-92-0x0000000000400000-0x000000000070F000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid process

112 a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid process

112 a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
112	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

C:\Users\Admin\AppData\Local\Temp\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
"C:\Users\Admin\AppData\Local\Temp\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3168_softa_bpbd_update.conf
Filesize
2KB

MD5
efd0b30eb32d75970ac95b26dd713e0a

SHA1
c107c3641f9c102565c77fef9afbead3773fb31a

SHA256
c2499e6320318abe48213325d552c3c331367091da7d2fb6c1c840a0684fab54

SHA512
ef23ccffc723ed29d7661d508d5e38a9d03ac1ca5fc9acbf85411c2dd7a54514c3a40b2539370c59bebf33cd20a779d942072816cca26f59eeb2af1608fc66c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3168_softa_bpbd_update.conf.tmp
Filesize
4B

MD5
a54f0041a9e15b050f25c463f1db7449

SHA1
d9be6524a5f5047db5866813acf3277892a7a30a

SHA256
ad95131bc0b799c0b1af477fb14fcf26a6a9f76079e48bf090acb7e8367bfd0e

SHA512
ea71bb243b0b2db729b9eb88e3c55a3f490fbff23457825051224a1fe6e6d3f480590cfa3a4a6b12c622d6ac366feb03cd17004ed004cb3f0d52731626946679

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log
Filesize
4KB

MD5
26fae046abdbdeea2dad185debfcf862

SHA1
00b54471fe12ea7dac0d827c0c3926d5c131be9d

SHA256
1d56f69d637102801b91c7485f4cdc46dba7b7cb718eeeedd1f6cf2eaf84d7b3

SHA512
08ce5025359360252b303957e41d5b749ccaf7017339e1264f800ccb79063bbe842b0cd73fd2feb4aa185c213926f8fc3585c791ab6875d11db3533505abc1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log
Filesize
2KB

MD5
4b179daee69585fa620784ae829544c0

SHA1
ce14378500aed8ebba93a240f42f8854be916b0b

SHA256
c178fbe4a660285f37d8e8fc0b8dff0f24916765642046a6edd27389f27f8eb1

SHA512
6905aff5df033481f0406747c558f9e9e5221c2d28c9a2c4804879e1d06e4b28bcae9422fa2aba93271ea109f8ddc4a7bb2cadc9e6a1af4e2c1716b7097c32a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_141101732-MSI_netfx_Full_x64.msi.txt
Filesize
12.7MB

MD5
8c9123cfd9e03e0e0aa9fd8bdfc15766

SHA1
99d970ea1d361f72dbdf30f3df2608d4abae50ad

SHA256
2b8a114f31749558b8ca9697ffb2b2fc131c191e7e9ad62db211c51d3642e58f

SHA512
e51617edd21414629864e5067f276475cf1106f80852f9d1860d8b25b1e8c290361b5d02dcac30273bad8554397d88fb432755d13684eba79c142e2341649024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_141101732.html
Filesize
1.1MB

MD5
b77afbcf14eee1145ebc85d94b83e9b9

SHA1
da3c14a2d4fd8f1dcef2fee4d360e5c22a10ab42

SHA256
ef3e94a841f91553b814585a482cc806e7603bb1c66ac48a9377643d89e51b59

SHA512
c897d01a36d64bf5935ce8eeecf8a65737c3f818d71fa193e5ce19d09c96734af35da4df5e55a6f100971caaa4fcbf2af8a0b62adcee939914cbbdf3c584b78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_imageHotWord.html
Filesize
51KB

MD5
00093e431fa1d3ae5c56c427314b5937

SHA1
9601f3d79b2a88fe2f21022ec7fcb19e9c48a241

SHA256
27e89b0683c36ba335806e3a7f8e266dd23d411249859a59ee922d132c9e08f1

SHA512
578b5fc91d52b1ac58d7a20d119c2b6ba9f02271087a9acbfb8a1cfcbe08d56b401303524086a7cf1a1cf351f17ff5437de2ebdf7bc1124b4da9f44312f6b8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
2KB

MD5
346bb51359545e2c36c0f685bdd79ee0

SHA1
9a84f649e35adf3b4948603df664f10f46e03975

SHA256
224399603b498c864dc5c3229bee4ebc50ecd50e5d76ca04fa5819f231d4729d

SHA512
ba569c1a3f119c730d20dee0da15505ca10933fc208b4dcd57a2f3eeb56c2e2bcb34dba67d8ce731ddbd7fe02baa833514162d5bde1348f7a2d27ec090558c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
3ce841002a11ae2f81d50c6aad03b4a2

SHA1
fe3af98d17f2cde252e08c4a15a248351ba7bf6f

SHA256
57f1bb18165d12d0129f8b0eeda7771bb77db0094fa670b07199be709cd7cde3

SHA512
eaa6dff48145c269a9768e650c5608d3bb832fc903b67e8bfc8d9087f6a0f1891984607987c5f01d2967ed6f24d436b49f78275161f3d5f37f1f434d31c8fbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt
Filesize
2KB

MD5
a8e789063b6533af603354dc6edab429

SHA1
d3a4e6f3982151ec54dae6f6c01d1fd967d2ea93

SHA256
be1e5ba33c7acd74160fe4be8ee61b4668cae36a837f2d1e8aa69e5b9b11afe7

SHA512
91ed0c8b3c5abf19aa7d1baaaf5e935b3c5b3b2c888ef927fc27f0de3e6aa9c88e98a11684646b8abab5838a6b376160cf3139d3fdcec8b43d21445de3f0cfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI64AB.txt
Filesize
425KB

MD5
d195feaacdb7ee7541a0d6993f2ff301

SHA1
c4875a842d0fb6fc914200f7ff0348b5216f7d8f

SHA256
dbfe16f970aa3f0e1710646fa6af9b3de857eeda974eb27c242060d7414e65ed

SHA512
4f8d5f9c5beeec11e420e680ce5de395c8ca9b512ca6ebfd66b23ba0cd9c22651fb19f88cd19d0f32492497575f1ae13795090b86e4d65a36e515acc9e9dc3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI651D.txt
Filesize
412KB

MD5
0bbafaa453d72f0b9b918881f3244ffe

SHA1
58f9cb548661b9515037b89ae0a384c3e5840365

SHA256
fcc99a03486bb3ed4c1de6cfa07f739393cc99e7c2d5e4bb15e0adc029ea85ee

SHA512
d7ebf90b2d5276503ee258c8782da1864cf738e75fefa962f33a03a5c1a0eec67441cd567f8bac09e30c2ae94a47162915e6d64af0e53c58ef646c84b3a92af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI64AB.txt
Filesize
11KB

MD5
76937b2d93c69139a6fc83ad83336d06

SHA1
f27eafa69a98cc249007f037128b44a639dfbb30

SHA256
844cbda7387cce4f1bb1f91dd6693171c8ea381c79c92622a16f8ceadea2c61e

SHA512
2ac345a373289b8c82b9e6bd2288794d2c37ef10eea899ba727b4cd7da4bc5e31e62242490fc39786b79466df0607c657f1a13aa411ab1fe11ebca7973c73336

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI651D.txt
Filesize
11KB

MD5
f80020257af23fd686a73d9a8241d781

SHA1
7ee1ecb95d248f863d6ed750400473b9a281d84e

SHA256
e498cd0c9448c6b77eb79d614c0e56c841dc9315913ea970c81586fbffc7a843

SHA512
84f671d16462202972a64ef64451b5b2993c51a43be4b9d60930595f23288d70df8db523681643c7b2ba5029e7dd114a21253d32cd44282876f7f61f9b2a0b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20220812_141121_966.txt
Filesize
7KB

MD5
b867e749bb4e7b4ef9cb790d972e6b98

SHA1
d58a44123666c2a2446c503a948d523b2d279e72

SHA256
6e1fca3827a0d617d1ec47a0c498a7833f510730fab3d1ced0ae351c39c9ffa8

SHA512
2cf8e8aae9ab90d384a8ead2ceee01c42a17eb3b0c8597357f1d546c61fa27cca66acc7510ec5e0a34f535969b8fa277214ee0e9a56eb0cbc4ba1cc424769edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20220812_141122_839.txt
Filesize
2KB

MD5
e0cf6f0495fc68faaeb8108a64b30d03

SHA1
46d8f4fcbc1aba5b90155aea2bd6e1fa0cfc4930

SHA256
6c9f3dd8f3b9406defef147d0abf6da8200f41dc6fbbbe712e8b55f27546a30e

SHA512
4deb111288d312bdcb6da9b30336145be239a061c2ba83184c68873e507e03d154c1c08df839bef22e25d61501fa8d0f68ccc12146a1f3510c7b4c289396aa17

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log
Filesize
170KB

MD5
61698f2ba07bda2ba323140f20b28e28

SHA1
d3e46602b6e042abdfb6a8630ccaff23801cd104

SHA256
51c06f89c259219fd364b1a36991964e772e968873496a4d61532d488b2cb8c0

SHA512
eb7f3dc17e49d2c2191fd6eb235e22ef3aa63157f90da42af3e6653e174e129e663b9c1eac8798d770a99ecdad4230754f07c84a96a73d85e6c8ef14aeb1cfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log
Filesize
4KB

MD5
36cf8d512a14fd2c5263e06775f2da47

SHA1
3e8ae2e7855ac773837272177b985f1705f65667

SHA256
c3d0d9bf10e08fc22138cb4fd1d0fdf59f37cd2e12e3ff779ece43259f861cc9

SHA512
e61afb7cf48065a5ad087dcd9ae7ae2c46552cb68c1bd1bd8f9df51b8f0eb040e6e69423d45b09166d16959e7bd1e247d7dd02552da8ec40d9bc805883e58725

Download Submit
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll
Filesize
174KB

MD5
b418293371265336db6b4bc28529bab5

SHA1
1e36f063b9d92a73daf8ee91d345886af8f5ad99

SHA256
d01a99e7859ae9e2596308f89a63f5fb771e9b6e5365b0add141ca593cb27771

SHA512
8db9ee8dd945f23bb60b2d67c70f18a79d7bc04458ac89e95aa704413f87717015889a83854f0056ca60d3f3dee52c007c0bbb807f17b268a29c92c2e3615195

Download Submit
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\skin.dll
Filesize
86KB

MD5
2819420bfb8ab28deb55013f95694476

SHA1
791ea9d003f7e03c7fab8a951d3c5558fbbe2981

SHA256
b0c16115feeffe87f4d9a1217f930e9c440a6bde829d32130b1928dedc7b584a

SHA512
d18fbc47ab889095b033a30bd48cec517bbc8c649f194d1ea822f794e2ebaf57cd46e06532c4c8f4b5d6c80755189ceb40af2961a9b14f95bd99103c07ff2b2d

Download Submit
memory/112-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/112-68-0x00000000071F0000-0x0000000007314000-memory.dmp

Filesize
1.1MB

Download
memory/112-64-0x0000000003430000-0x00000000034AA000-memory.dmp

Filesize
488KB

Download
memory/112-65-0x0000000003500000-0x0000000003515000-memory.dmp

Filesize
84KB

Download
memory/112-70-0x000000000B860000-0x000000000B870000-memory.dmp

Filesize
64KB

Download
memory/112-66-0x0000000003500000-0x0000000003515000-memory.dmp

Filesize
84KB

Download
memory/112-67-0x0000000003500000-0x0000000003515000-memory.dmp

Filesize
84KB

Download
memory/112-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/112-69-0x000000000B860000-0x000000000B870000-memory.dmp

Filesize
64KB

Download
memory/112-57-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/112-55-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/112-92-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/112-95-0x0000000003500000-0x0000000003515000-memory.dmp

Filesize
84KB

Download
memory/112-94-0x0000000003500000-0x0000000003515000-memory.dmp

Filesize
84KB

Download
memory/112-93-0x0000000003500000-0x0000000003515000-memory.dmp

Filesize
84KB

Download
memory/112-96-0x000000000B860000-0x000000000B870000-memory.dmp

Filesize
64KB

Download