608c05ae5120ee3ba36e1f105c4136e5d0cb4b6024b453bc8587a82458d30b71

Analysis

max time kernel
299s
max time network
302s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

681KB
MD5

02d32289149e7f8e271d7a863cb30990
SHA1

d07dbcdb61a88e7887efa1332c47eb15963013cb
SHA256

608c05ae5120ee3ba36e1f105c4136e5d0cb4b6024b453bc8587a82458d30b71
SHA512

73beae3ac4b99b1b39e997e96e5270cc12b8c9a86a261dbbb2bfdfba8bbe465506e24fac4f4a97604a00e08f60970b081544482d7e7edbfc5ebefc44b2fce83d
SSDEEP

12288:rbJKteY6nXxNguWxxOE+eN2+ZMZi+ocWeh3ih9HXAf:PgR6nXxlWiE+eN2GGiRcBYTQf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	sample.exe

Loads dropped DLL 1 IoCs

pid	Process
760	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 836	1972	sample.exe	29
PID 836 set thread context of 1404	836	sample.exe	9
PID 760 set thread context of 1404	760	explorer.exe	9

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4c003100000000000c556677100041646d696e00380008000400efbe0c55cb700c5566772a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\NodeSlot = "5"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 52003100000000000c55cb70122041707044617461003c0008000400efbe0c55cb700c55cb702a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1972	sample.exe
836	sample.exe
836	sample.exe
836	sample.exe
836	sample.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1404	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
836	sample.exe
836	sample.exe
836	sample.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	sample.exe
Token: SeDebugPrivilege	836	sample.exe
Token: SeDebugPrivilege	760	explorer.exe
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE
Token: SeShutdownPrivilege	1404	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE
1404	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1108	1972	sample.exe	28
PID 1972 wrote to memory of 1108	1972	sample.exe	28
PID 1972 wrote to memory of 1108	1972	sample.exe	28
PID 1972 wrote to memory of 1108	1972	sample.exe	28
PID 1972 wrote to memory of 836	1972	sample.exe	29
PID 1972 wrote to memory of 836	1972	sample.exe	29
PID 1972 wrote to memory of 836	1972	sample.exe	29
PID 1972 wrote to memory of 836	1972	sample.exe	29
PID 1972 wrote to memory of 836	1972	sample.exe	29
PID 1972 wrote to memory of 836	1972	sample.exe	29
PID 1972 wrote to memory of 836	1972	sample.exe	29
PID 1404 wrote to memory of 760	1404	Explorer.EXE	31
PID 1404 wrote to memory of 760	1404	Explorer.EXE	31
PID 1404 wrote to memory of 760	1404	Explorer.EXE	31
PID 1404 wrote to memory of 760	1404	Explorer.EXE	31
PID 760 wrote to memory of 1712	760	explorer.exe	34
PID 760 wrote to memory of 1712	760	explorer.exe	34
PID 760 wrote to memory of 1712	760	explorer.exe	34
PID 760 wrote to memory of 1712	760	explorer.exe	34
PID 760 wrote to memory of 1712	760	explorer.exe	34
PID 1404 wrote to memory of 1616	1404	Explorer.EXE	35
PID 1404 wrote to memory of 1616	1404	Explorer.EXE	35
PID 1404 wrote to memory of 1616	1404	Explorer.EXE	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\sample.exe
  "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    3⤵
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1008
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1712
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35_3201L9

Filesize
88KB

MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5drx6p.zip

Filesize
486KB

MD5
1e73cacce02ae20026a81f1e56416aa3

SHA1
f491a7301ce11cf11a92c0245c7e03d927422286

SHA256
0dd0dd38cde5a14e7d6d0830db62cc7037e521fd042b0b8da0763128b2c0b3f2

SHA512
afe77facd8b16cc744ac2277414ffaf83436999d15eb8ac707f8098e2f8ed4cb29b430392ebe46b7fa65b20730615bc33dee9416f7141da5032a630894980a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.def

Filesize
5KB

MD5
540f7ab54d3b2e6e69222de98bb6b10e

SHA1
55fa5084ee581043a071f77d604a21db8d584424

SHA256
c07c024bf43d8ba619740174d104eace6c3576cab357f4a2b0a29b8fd88164dc

SHA512
e21c1ac8313446c4d482839938784f626f33ef2bed681209839dc5a9cec856fd1595c8b017cada857eaa537f5c5be73f85845c7808eab209bf9c77b339876119

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
927KB

MD5
7fd80b1cc72dc580c02ca4cfbfb2592d

SHA1
18da905af878b27151b359cf1a7d0a650764e8a1

SHA256
1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190

SHA512
13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
927KB

MD5
7fd80b1cc72dc580c02ca4cfbfb2592d

SHA1
18da905af878b27151b359cf1a7d0a650764e8a1

SHA256
1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190

SHA512
13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3

Download Submit
memory/760-77-0x00000000020C0000-0x000000000214F000-memory.dmp

Filesize
572KB

Download
memory/760-76-0x0000000002230000-0x0000000002533000-memory.dmp

Filesize
3.0MB

Download
memory/760-75-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/760-74-0x00000000005B0000-0x0000000000831000-memory.dmp

Filesize
2.5MB

Download
memory/760-73-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/836-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-69-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/836-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-67-0x0000000000C60000-0x0000000000F63000-memory.dmp

Filesize
3.0MB

Download
memory/836-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-78-0x0000000006420000-0x00000000064E8000-memory.dmp

Filesize
800KB

Download
memory/1404-68-0x0000000004230000-0x0000000004328000-memory.dmp

Filesize
992KB

Download
memory/1404-79-0x0000000004230000-0x0000000004328000-memory.dmp

Filesize
992KB

Download
memory/1404-80-0x0000000006420000-0x00000000064E8000-memory.dmp

Filesize
800KB

Download
memory/1616-83-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1972-54-0x0000000000BB0000-0x0000000000C60000-memory.dmp

Filesize
704KB

Download
memory/1972-59-0x00000000006B0000-0x00000000006E6000-memory.dmp

Filesize
216KB

Download
memory/1972-58-0x00000000045E0000-0x0000000004650000-memory.dmp

Filesize
448KB

Download
memory/1972-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-56-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download
memory/1972-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download