Analysis
max time kernel: 31s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 28/12/2022, 17:16

Static task: static1
Behavioral task: behavioral1
  Sample: 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
  Resource: win10v2004-20220901-en
General
Target: 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
Size: 704KB
MD5: ba5e2090c8667fb450892cc09018eb4a
SHA1: 6b77ea0e801de7af8de6a5db7a2876433d77b33b
SHA256: 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8
SHA512: 450998e35ab476ebe7824fd8ecc4f8899d2c4269fae841ad1dd70f9301efd62bd7523d035221c3aa94a0fd1e2c19a1c619476ce6698af3b9ce4a416b4f724755
SSDEEP: 12288:4tq+q+q+qs2veLPuClONf/hmmdisnHPld3SSE2veLPuClONf/hmmdisnHPld3SSz:ReLvlaldisHpeLvlaldisHz
Malware Config
Signatures
Drops desktop.ini file(s) 2 IoCs
Process (all rows): 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
description | ioc
File opened for modification | C:\Program Files\desktop.ini
File opened for modification | C:\Program Files (x86)\desktop.ini
Drops file in System32 directory 64 IoCs
Process (all rows): 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
description | ioc
File opened for modification | C:\Windows\System32\C_28592.NLS
File opened for modification | C:\Windows\System32\DevicePairingWizard.exe
File created | C:\Windows\System32\amcompat.tlb.TANKIX
File created | C:\Windows\System32\BthMtpContextHandler.dll.TANKIX
File created | C:\Windows\System32\console.dll.TANKIX
File opened for modification | C:\Windows\System32\cscdll.dll
File created | C:\Windows\System32\C_870.NLS.TANKIX
File created | C:\Windows\System32\dialer.exe.TANKIX
File opened for modification | C:\Windows\System32\CardGames.dll
File created | C:\Windows\System32\cnvfat.dll.TANKIX
File created | C:\Windows\System32\cryptsvc.dll.TANKIX
File opened for modification | C:\Windows\System32\C_1148.NLS
File opened for modification | C:\Windows\System32\chsbrkr.dll
File opened for modification | C:\Windows\System32\convert.exe
File created | C:\Windows\System32\C_1145.NLS.TANKIX
File opened for modification | C:\Windows\System32\C_1250.NLS
File opened for modification | C:\Windows\System32\batt.dll
File opened for modification | C:\Windows\System32\C_037.NLS
File opened for modification | C:\Windows\System32\dinotify.exe
File created | C:\Windows\System32\aaclient.dll.TANKIX
File created | C:\Windows\System32\aitagent.exe.TANKIX
File created | C:\Windows\System32\api-ms-win-core-synch-l1-2-0.dll.TANKIX
File opened for modification | C:\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll
File opened for modification | C:\Windows\System32\CPFilters.dll
File created | C:\Windows\System32\C_20003.NLS.TANKIX
File opened for modification | C:\Windows\System32\AuthFWWizFwk.dll
File created | C:\Windows\System32\control.exe.TANKIX
File created | C:\Windows\System32\AuditPolicyGPInterop.dll.TANKIX
File opened for modification | C:\Windows\System32\basesrv.dll
File opened for modification | C:\Windows\System32\cdd.dll
File opened for modification | C:\Windows\System32\C_858.NLS
File created | C:\Windows\System32\appidpolicyconverter.exe.TANKIX
File created | C:\Windows\System32\d3d11.dll.TANKIX
File created | C:\Windows\System32\DDORes.dll.TANKIX
File created | C:\Windows\System32\apilogen.dll.TANKIX
File created | C:\Windows\System32\bcdprov.dll.TANKIX
File opened for modification | C:\Windows\System32\DDORes.dll
File opened for modification | C:\Windows\System32\dfrgui.exe
File opened for modification | C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
File opened for modification | C:\Windows\System32\C_ISCII.DLL
File created | C:\Windows\System32\d3d10level9.dll.TANKIX
File opened for modification | C:\Windows\System32\ActionCenterCPL.dll
File created | C:\Windows\System32\atmfd.dll.TANKIX
File created | C:\Windows\System32\C_20833.NLS.TANKIX
File opened for modification | C:\Windows\System32\C_862.NLS
File opened for modification | C:\Windows\System32\BlbEvents.dll
File opened for modification | C:\Windows\System32\C_852.NLS
File created | C:\Windows\System32\ddodiag.exe.TANKIX
File created | C:\Windows\System32\AUDIOKSE.dll.TANKIX
File opened for modification | C:\Windows\System32\collab.cpl
File created | C:\Windows\System32\d3d10_1.dll.TANKIX
File created | C:\Windows\System32\DDACLSys.dll.TANKIX
File opened for modification | C:\Windows\System32\C_10008.NLS
File opened for modification | C:\Windows\System32\C_10029.NLS
File created | C:\Windows\System32\D3DCompiler_47.dll.TANKIX
File opened for modification | C:\Windows\System32\amstream.dll
File opened for modification | C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
File created | C:\Windows\System32\asferror.dll.TANKIX
File created | C:\Windows\System32\concrt140.dll.TANKIX
File created | C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll.TANKIX
File created | C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll.TANKIX
File opened for modification | C:\Windows\System32\appidcertstorecheck.exe
File created | C:\Windows\System32\autochk.exe.TANKIX
File created | C:\Windows\System32\certcli.dll.TANKIX
Drops file in Program Files directory 64 IoCs
Process (all rows): 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
description | ioc
File created | C:\Program Files\GroupSync.docx.TANKIX
File created | C:\Program Files\OpenInitialize.mov.TANKIX
File created | C:\Program Files\OutSet.ogg.TANKIX
File opened for modification | C:\Program Files\SetShow.inf
File created | C:\Program Files\ClearConfirm.mp4.TANKIX
File opened for modification | C:\Program Files\ClearConfirm.mp4
File opened for modification | C:\Program Files\ShowGet.reg
File opened for modification | C:\Program Files\SkipNew.WTV
File created | C:\Program Files\SuspendSubmit.wmx.TANKIX
File created | C:\Program Files\DisconnectResolve.xht.TANKIX
File opened for modification | C:\Program Files\ResumeUninstall.raw
File opened for modification | C:\Program Files\LockSet.TS
File opened for modification | C:\Program Files\OutSet.ogg
File opened for modification | C:\Program Files\RestartTest.xps
File created | C:\Program Files\ShowGet.reg.TANKIX
File opened for modification | C:\Program Files\UpdateCompress.hta
File created | C:\Program Files\UseCopy.jpe.TANKIX
File created | C:\Program Files\ConvertFromConfirm.001.TANKIX
File opened for modification | C:\Program Files\HideWrite.xlsm
File created | C:\Program Files\ImportConfirm.tiff.TANKIX
File created | C:\Program Files\MergeRestore.css.TANKIX
File created | C:\Program Files\RepairPublish.asf.TANKIX
File created | C:\Program Files\CloseDismount.dll.TANKIX
File opened for modification | C:\Program Files\CloseDismount.dll
File created | C:\Program Files\LockSet.TS.TANKIX
File created | C:\Program Files (x86)\desktop.ini.TANKIX
File opened for modification | C:\Program Files\desktop.ini
File opened for modification | C:\Program Files\GroupSync.docx
File created | C:\Program Files\RevokeStep.rar.TANKIX
File opened for modification | C:\Program Files\DenyRestart.dib
File created | C:\Program Files\ResumeUninstall.raw.TANKIX
File opened for modification | C:\Program Files\RepairResume.mov
File opened for modification | C:\Program Files\SyncPush.edrwx
File created | C:\Program Files\NewConnect.jpg.TANKIX
File created | C:\Program Files\RemoveGet.ocx.TANKIX
File opened for modification | C:\Program Files\DismountResolve.rar
File opened for modification | C:\Program Files\ResolveSync.001
File opened for modification | C:\Program Files (x86)\desktop.ini
File created | C:\Program Files\BackupRequest.reg.TANKIX
File opened for modification | C:\Program Files\ConfirmDisconnect.contact
File created | C:\Program Files\DismountResolve.rar.TANKIX
File opened for modification | C:\Program Files\RepairPublish.asf
File created | C:\Program Files\SetShow.inf.TANKIX
File opened for modification | C:\Program Files\BackupRequest.reg
File opened for modification | C:\Program Files\ConvertFromConfirm.001
File created | C:\Program Files\CompressDismount.eprtx.TANKIX
File opened for modification | C:\Program Files\MergeRestore.css
File created | C:\Program Files\ResolveSync.001.TANKIX
File created | C:\Program Files\RestartTest.xps.TANKIX
File opened for modification | C:\Program Files\RevokeStep.rar
File opened for modification | C:\Program Files\UseCopy.jpe
File created | C:\Program Files\AssertClose.xml.TANKIX
File opened for modification | C:\Program Files\CompleteEdit.lock
File created | C:\Program Files\HideWrite.xlsm.TANKIX
File opened for modification | C:\Program Files\RemoveGet.ocx
File created | C:\Program Files\SkipNew.WTV.TANKIX
File created | C:\Program Files\ConfirmDisconnect.contact.TANKIX
File opened for modification | C:\Program Files\DisableComplete.cfg
File created | C:\Program Files\SuspendTrace.asp.TANKIX
File created | C:\Program Files\desktop.ini.TANKIX
File opened for modification | C:\Program Files\DisconnectResolve.xht
File opened for modification | C:\Program Files\CompressDismount.eprtx
File created | C:\Program Files\DenyRestart.dib.TANKIX
File opened for modification | C:\Program Files\NewConnect.jpg
Drops file in Windows directory 58 IoCs
Process (all rows): 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
description | ioc
File created | C:\Windows\bfsvc.exe.TANKIX
File opened for modification | C:\Windows\Starter.xml
File opened for modification | C:\Windows\PFRO.log
File created | C:\Windows\splwow64.exe.TANKIX
File opened for modification | C:\Windows\twunk_32.exe
File opened for modification | C:\Windows\write.exe
File opened for modification | C:\Windows\DtcInstall.log
File opened for modification | C:\Windows\notepad.exe
File created | C:\Windows\explorer.exe.TANKIX
File opened for modification | C:\Windows\WindowsShell.Manifest
File created | C:\Windows\Ultimate.xml.TANKIX
File created | C:\Windows\DtcInstall.log.TANKIX
File created | C:\Windows\mib.bin.TANKIX
File created | C:\Windows\msdfmap.ini.TANKIX
File created | C:\Windows\notepad.exe.TANKIX
File created | C:\Windows\PFRO.log.TANKIX
File created | C:\Windows\setupact.log.TANKIX
File opened for modification | C:\Windows\splwow64.exe
File opened for modification | C:\Windows\WindowsUpdate.log
File opened for modification | C:\Windows\explorer.exe
File opened for modification | C:\Windows\HelpPane.exe
File opened for modification | C:\Windows\mib.bin
File created | C:\Windows\winhlp32.exe.TANKIX
File created | C:\Windows\WMSysPr9.prx.TANKIX
File opened for modification | C:\Windows\msdfmap.ini
File opened for modification | C:\Windows\TSSysprep.log
File created | C:\Windows\twunk_16.exe.TANKIX
File opened for modification | C:\Windows\regedit.exe
File opened for modification | C:\Windows\setupact.log
File created | C:\Windows\TSSysprep.log.TANKIX
File opened for modification | C:\Windows\twain_32.dll
File opened for modification | C:\Windows\win.ini
File created | C:\Windows\win.ini.TANKIX
File created | C:\Windows\write.exe.TANKIX
File created | C:\Windows\HelpPane.exe.TANKIX
File opened for modification | C:\Windows\twain.dll
File opened for modification | C:\Windows\twunk_16.exe
File opened for modification | C:\Windows\winhlp32.exe
File opened for modification | C:\Windows\setuperr.log
File opened for modification | C:\Windows\bootstat.dat
File opened for modification | C:\Windows\hh.exe
File created | C:\Windows\bootstat.dat.TANKIX
File opened for modification | C:\Windows\Ultimate.xml
File created | C:\Windows\fveupdate.exe.TANKIX
File created | C:\Windows\regedit.exe.TANKIX
File created | C:\Windows\setuperr.log.TANKIX
File created | C:\Windows\twain.dll.TANKIX
File created | C:\Windows\twunk_32.exe.TANKIX
File created | C:\Windows\Starter.xml.TANKIX
File created | C:\Windows\system.ini.TANKIX
File opened for modification | C:\Windows\system.ini
File created | C:\Windows\WindowsShell.Manifest.TANKIX
File created | C:\Windows\WindowsUpdate.log.TANKIX
File opened for modification | C:\Windows\WMSysPr9.prx
File opened for modification | C:\Windows\bfsvc.exe
File opened for modification | C:\Windows\fveupdate.exe
File created | C:\Windows\hh.exe.TANKIX
File created | C:\Windows\twain_32.dll.TANKIX
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1824 | 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
Token: SeDebugPrivilege | 1824 | 7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7c02ccb6e676edb26514b03e105e2ac313642925ec17dbac4dcaed28d32f5ad8.exe"
Signatures:
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1824