a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
Size

2.2MB
MD5

9e4d09a7474c46b0a3ff4cfa5008bc37
SHA1

9f20082009c22993c537d6853415c52e4996130b
SHA256

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c
SHA512

3acbeba466ceee2f18db9a77ef024172691cea1740b5d119ad5f895e73bcef790fc0d8cdec263f021991f3be3100dc42cddd95b6ac942210407fda2686b34de5
SSDEEP

49152:N0WOSXVYV0JGKWZBFzCqFPu5rzt876hCwS/vdjj:0/R5FkrFEvFj

Score

9^/10

upx vmprotect

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 9 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\skin.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\skin.dll	upx
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll	upx
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll	upx
behavioral2/memory/820-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/820-145-0x0000000005BA0000-0x0000000005C1A000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/820-132-0x0000000000400000-0x000000000070F000-memory.dmp	vmprotect
behavioral2/memory/820-133-0x0000000000400000-0x000000000070F000-memory.dmp	vmprotect
behavioral2/memory/820-152-0x0000000000400000-0x000000000070F000-memory.dmp	vmprotect

Loads dropped DLL 9 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

description	ioc	process
File opened (read-only)	\??\v:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\a:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\e:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\g:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\h:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\m:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\r:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\x:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\y:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\k:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\l:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\p:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\q:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\s:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\t:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\j:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\n:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\w:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\b:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\f:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\i:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\o:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\u:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
File opened (read-only)	\??\z:	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/820-133-0x0000000000400000-0x000000000070F000-memory.dmp	autoit_exe
behavioral2/memory/820-152-0x0000000000400000-0x000000000070F000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid process

820 a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

pid	process
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
820	a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe

C:\Users\Admin\AppData\Local\Temp\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe
"C:\Users\Admin\AppData\Local\Temp\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll
Filesize
174KB

MD5
b418293371265336db6b4bc28529bab5

SHA1
1e36f063b9d92a73daf8ee91d345886af8f5ad99

SHA256
d01a99e7859ae9e2596308f89a63f5fb771e9b6e5365b0add141ca593cb27771

SHA512
8db9ee8dd945f23bb60b2d67c70f18a79d7bc04458ac89e95aa704413f87717015889a83854f0056ca60d3f3dee52c007c0bbb807f17b268a29c92c2e3615195

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\7-zip32.dll
Filesize
174KB

MD5
b418293371265336db6b4bc28529bab5

SHA1
1e36f063b9d92a73daf8ee91d345886af8f5ad99

SHA256
d01a99e7859ae9e2596308f89a63f5fb771e9b6e5365b0add141ca593cb27771

SHA512
8db9ee8dd945f23bb60b2d67c70f18a79d7bc04458ac89e95aa704413f87717015889a83854f0056ca60d3f3dee52c007c0bbb807f17b268a29c92c2e3615195

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\diskserial.dll
Filesize
27KB

MD5
350e5268aef5671e1d46c35fed211406

SHA1
5769b786f05421c408657b880a359b5e14767f61

SHA256
be4c2c723f50606246f9c463c421290ff0ae2ea54b5c319811de8b35811e9450

SHA512
480cb1dc8a8bbc9a4e0ad94bd2cd67fc1133bd0c11d1c2d34b83b2ab03f275a4071b8ad24ccc34771ba1d3dba61790fc0ae99d4d727ad6a65ec15b7d0d5e12d2

Download Submit
C:\ProgramData\a9b6da98731e3e9ffd32cfbf6dc1a13d82e88bcaa747595dab154a74de39289c\skin.dll
Filesize
86KB

MD5
2819420bfb8ab28deb55013f95694476

SHA1
791ea9d003f7e03c7fab8a951d3c5558fbbe2981

SHA256
b0c16115feeffe87f4d9a1217f930e9c440a6bde829d32130b1928dedc7b584a

SHA512
d18fbc47ab889095b033a30bd48cec517bbc8c649f194d1ea822f794e2ebaf57cd46e06532c4c8f4b5d6c80755189ceb40af2961a9b14f95bd99103c07ff2b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3168_softa_bpbd_update.conf
Filesize
2KB

MD5
efd0b30eb32d75970ac95b26dd713e0a

SHA1
c107c3641f9c102565c77fef9afbead3773fb31a

SHA256
c2499e6320318abe48213325d552c3c331367091da7d2fb6c1c840a0684fab54

SHA512
ef23ccffc723ed29d7661d508d5e38a9d03ac1ca5fc9acbf85411c2dd7a54514c3a40b2539370c59bebf33cd20a779d942072816cca26f59eeb2af1608fc66c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3168_softa_bpbd_update.conf.tmp
Filesize
4B

MD5
a54f0041a9e15b050f25c463f1db7449

SHA1
d9be6524a5f5047db5866813acf3277892a7a30a

SHA256
ad95131bc0b799c0b1af477fb14fcf26a6a9f76079e48bf090acb7e8367bfd0e

SHA512
ea71bb243b0b2db729b9eb88e3c55a3f490fbff23457825051224a1fe6e6d3f480590cfa3a4a6b12c622d6ac366feb03cd17004ed004cb3f0d52731626946679

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1660332185.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_191749306.html
Filesize
94KB

MD5
da6b45af25ddc7d9a34a5a425b253bb2

SHA1
b94cc8311d176c735ef39586086ba5293808c3a9

SHA256
fe6525b8436cfb0df02ae2cd7e7054bd706b3fa6f68ba4ded69308ed0bbfc350

SHA512
6a56d232768ad1f999bea5c61c58561e870c26c5de539d73e84984c0a806093251d060a359c55de71f46442f0752e96f6375ac8d8a79d7f957486c1e0e4c6e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
3KB

MD5
7b261553ba3c610999059f63c2c8ee6a

SHA1
1f1ae0dc6f3f3e510745074a0455078d33908562

SHA256
40788006e1a1ef42a7c2739f7e8dd4389efe1a6b107f50580e70e8ebe5f40272

SHA512
a7df1e078a58a39f8b4cb14bacd027825c5ec8a6ca58070dd5e8e98837c1e1fd9206471777f8e144edd43ea380e12259caa5e95b5d77a2deb5fb29a43cdddef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
807032b7314049329ebd06853899378d

SHA1
5b92011b163eb80836c163163d7350731fac9bd8

SHA256
833a02f36dfa5affbce525ec3c8ff76f17884fa6f058a31247aae3a5afc4f447

SHA512
2737573f6f344754cfd0d2562458743608a626fd03e21f728f459f49d2f529b85ae7f4be83cf91f0365e7275681458bf1baefc0e100c46a9ec07fe1638803241

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI50B8.txt
Filesize
426KB

MD5
cd406b2d2202bec1d657b0042c2a2cb8

SHA1
87d639c4dc350106f0e2cd2364d78df223aac7e4

SHA256
37c69c02974b85d856e00765ff6b978bc55f03f1254b5f50754d5acd7c32c296

SHA512
09a482f2fe99f4b6a45f8acb8953705cc834a8e92be2f579f62e5aa784d972b63e1dc8d0a4bf25442623a3f251f9a675121c3a402e1b5748424acceeaf547ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI50E6.txt
Filesize
414KB

MD5
e6c01c79db3f332fe871fa31fde76177

SHA1
aebe59988fce2cdc4e95ea5937365421538c9a05

SHA256
2ef99443f8f086c52cb2c4b525a767fd0ad0de8b4996bd6c9161bf8073a884fb

SHA512
6cec8a23a7468d42deed895e4f1277fd7d33430dc122fbe020ee865a319c14a73d29ab1f6c9af40127f19c683ff7dfa36689b43b309b3b6aa0d76fee68ed5fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI50B8.txt
Filesize
11KB

MD5
2d3d4b9bab706bc5873482be100e0851

SHA1
47cc8742c34ac728a62d4a4705a50c661d247944

SHA256
fd5ac2a1c3c9c587a7ed459f1ee4f8074f6643bc8557d9c8bec3c1582568c405

SHA512
b423281011e69f3957cda935ae25acd69c65ddeb29bb8d10c5159c72e53e55c609071d5a0109366962b87e538e7fc10300eee6baef8dbc613d112792f190c8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI50E6.txt
Filesize
11KB

MD5
2f49658dc85c711be46b9811a82265d5

SHA1
160dbd9b872224a83f7c9d508d6184513738b82a

SHA256
ea98fcd19ab84934ea13c76c8062613b8aab53eba191f617154ad1ad6de9541d

SHA512
09fd53d0f0d8fed289a76b22b516a73532d965984af6fa48e8fcdaf196517d38a95fcd9af8aaf1120eadba6eb0dfb3e78ba91286a5041208d85296012e39e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
Filesize
3KB

MD5
9ff44423a176ce26a4c7a07b31228885

SHA1
4fc43105c7c45af784e366d70186909dae5e3d60

SHA256
dad5b6d0b662cfad2be7ff91c9fae6df5560d8c060945c2e500161dec02e7c3d

SHA512
d650e64ef28bc8da2fcbf686fd1fda891e2d5d4f22ee2bfa69bcba01cd4369eacfcb362f4d8e8f69bab317eaa5b4d0644da0fe5ee5935c9d284ce625ddbcc5bf

Download Submit
memory/820-156-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-157-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-149-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-148-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-147-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-146-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-132-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/820-150-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-151-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-155-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-154-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-153-0x0000000005C20000-0x0000000005C35000-memory.dmp

Filesize
84KB

Download
memory/820-145-0x0000000005BA0000-0x0000000005C1A000-memory.dmp

Filesize
488KB

Download
memory/820-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/820-133-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/820-152-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download