995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484

Analysis

max time kernel
157s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Size

488KB
MD5

64b76f62d60f8e5279f5a911da82262d
SHA1

bc9925888b02ad57e0e70cfb74b2e20a3271039a
SHA256

995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484
SHA512

a4400bc90e712a25d472f352470dcadb15508e4f9d7394974ff174e82191485a1d7c7889f39d5d44b90ca0ae8a8d95c85a87e61e921fd20f781e9ebedae5588f
SSDEEP

6144:S0KmDlnlt2o0+nNlWgmU0cX+pX0zESORGXqV8urextnndERRf0qDYmpxAyHf9aOG:hlMdEQtGaVjreA0qDJpxTnL6LQ

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2012	winservice.exe
1936	winservice.exe
1444	winservice.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3776-141-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3776-143-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3776-144-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3776-148-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1444-171-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3776-173-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1444-177-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3776-179-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
3776	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
3776	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
1444	winservice.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winservice.exe = "C:\\Windows\\winservice.exe"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
File opened for modification	\??\PhysicalDrive0	winservice.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 364 set thread context of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 3896 set thread context of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 2012 set thread context of 1936	2012	winservice.exe	88
PID 1936 set thread context of 1444	1936	winservice.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MSWINSCK.OCX	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
File created	C:\Windows\winservice.exe	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
File opened for modification	C:\Windows\winservice.exe	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\MSWINSCK.OCX"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\MSWINSCK.OCX"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\MSWINSCK.OCX, 1"	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
3776	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
3776	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
2012	winservice.exe
1936	winservice.exe
1444	winservice.exe
1444	winservice.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 364 wrote to memory of 3896	364	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	85
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3896 wrote to memory of 3776	3896	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	86
PID 3776 wrote to memory of 2012	3776	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	87
PID 3776 wrote to memory of 2012	3776	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	87
PID 3776 wrote to memory of 2012	3776	995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe	87
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 2012 wrote to memory of 1936	2012	winservice.exe	88
PID 1936 wrote to memory of 1444	1936	winservice.exe	89
PID 1936 wrote to memory of 1444	1936	winservice.exe	89
PID 1936 wrote to memory of 1444	1936	winservice.exe	89
PID 1936 wrote to memory of 1444	1936	winservice.exe	89
PID 1936 wrote to memory of 1444	1936	winservice.exe	89
PID 1936 wrote to memory of 1444	1936	winservice.exe	89
PID 1936 wrote to memory of 1444	1936	winservice.exe	89
PID 1936 wrote to memory of 1444	1936	winservice.exe	89

C:\Users\Admin\AppData\Local\Temp\995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
"C:\Users\Admin\AppData\Local\Temp\995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
  "C:\Users\Admin\AppData\Local\Temp\995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Users\Admin\AppData\Local\Temp\995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe
    "C:\Users\Admin\AppData\Local\Temp\995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\winservice.exe
      C:\Windows\winservice.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\winservice.exe
        
        C:\Windows\winservice.exe
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\winservice.exe
        
        C:\Windows\winservice.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\winservice.exe

Filesize
488KB

MD5
64b76f62d60f8e5279f5a911da82262d

SHA1
bc9925888b02ad57e0e70cfb74b2e20a3271039a

SHA256
995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484

SHA512
a4400bc90e712a25d472f352470dcadb15508e4f9d7394974ff174e82191485a1d7c7889f39d5d44b90ca0ae8a8d95c85a87e61e921fd20f781e9ebedae5588f

Download Submit
C:\Windows\winservice.exe

Filesize
488KB

MD5
64b76f62d60f8e5279f5a911da82262d

SHA1
bc9925888b02ad57e0e70cfb74b2e20a3271039a

SHA256
995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484

SHA512
a4400bc90e712a25d472f352470dcadb15508e4f9d7394974ff174e82191485a1d7c7889f39d5d44b90ca0ae8a8d95c85a87e61e921fd20f781e9ebedae5588f

Download Submit
C:\Windows\winservice.exe

Filesize
488KB

MD5
64b76f62d60f8e5279f5a911da82262d

SHA1
bc9925888b02ad57e0e70cfb74b2e20a3271039a

SHA256
995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484

SHA512
a4400bc90e712a25d472f352470dcadb15508e4f9d7394974ff174e82191485a1d7c7889f39d5d44b90ca0ae8a8d95c85a87e61e921fd20f781e9ebedae5588f

Download Submit
C:\Windows\winservice.exe

Filesize
488KB

MD5
64b76f62d60f8e5279f5a911da82262d

SHA1
bc9925888b02ad57e0e70cfb74b2e20a3271039a

SHA256
995423bc1e0eb3a6d872b9c857d96728c52a6adc4698b50e24be3966d52b2484

SHA512
a4400bc90e712a25d472f352470dcadb15508e4f9d7394974ff174e82191485a1d7c7889f39d5d44b90ca0ae8a8d95c85a87e61e921fd20f781e9ebedae5588f

Download Submit
memory/1444-171-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1444-162-0x0000000000000000-mapping.dmp

Download
memory/1444-177-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1936-170-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1936-156-0x0000000000000000-mapping.dmp

Download
memory/1936-178-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2012-151-0x0000000000000000-mapping.dmp

Download
memory/3776-144-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3776-141-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3776-140-0x0000000000000000-mapping.dmp

Download
memory/3776-148-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3776-143-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3776-179-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3776-173-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3896-134-0x0000000000000000-mapping.dmp

Download
memory/3896-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3896-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3896-172-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download