85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d

General

Target

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
Size

270KB
MD5

e0fa5bd634abf97f355127567eeac31b
SHA1

47c0a2c939ee34b004b085e16dac5e9407407078
SHA256

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d
SHA512

8acd50d5fc778479e2f52da6009f4d4ea1b2bbfa88f62dcf745a2d72f6f8ed0e14abbc1b55d4034e72494e05d68b6fe04a3dcf2d1e3360ebf063089fbe8262e4
SSDEEP

6144:Euk3SHEXJPSjiVJGZKZjwdFUcbZLSlHBNSem+tT9PTBHdo27Du:Ev3Sk5PSmVGKZ8CHBN1mcT9PT/

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rAHsNK.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\rAHsNK.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rAHsNK.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation rAHsNK.exe
Executes dropped EXE 1 IoCs

Processes:

rAHsNK.exe

pid process

800 rAHsNK.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rAHsNK.exe

pid	process
800	rAHsNK.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

description	ioc	process
File opened (read-only)	\??\I:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\M:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\T:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\V:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\X:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\E:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\F:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\H:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\J:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\L:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\N:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\O:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\R:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\B:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\U:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\P:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\S:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\Y:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\Z:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\G:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\Q:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\W:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
File opened (read-only)	\??\K:	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

Drops file in Program Files directory 64 IoCs

Processes:

rAHsNK.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	rAHsNK.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	rAHsNK.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	rAHsNK.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	rAHsNK.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	rAHsNK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

pid	process
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

pid process

768 85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

pid process

768 85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exerAHsNK.exe

description	pid	process	target process
PID 768 wrote to memory of 800	768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe	rAHsNK.exe
PID 768 wrote to memory of 800	768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe	rAHsNK.exe
PID 768 wrote to memory of 800	768	85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe	rAHsNK.exe
PID 800 wrote to memory of 3316	800	rAHsNK.exe	cmd.exe
PID 800 wrote to memory of 3316	800	rAHsNK.exe	cmd.exe
PID 800 wrote to memory of 3316	800	rAHsNK.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe
"C:\Users\Admin\AppData\Local\Temp\85719990f424af2c25758a1df61aeea2e0c3a3b514cb06f1a610369556a19d5d.exe"
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\rAHsNK.exe
C:\Users\Admin\AppData\Local\Temp\rAHsNK.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3a864d58.bat" "
3⤵
PID:3316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a864d58.bat
Filesize
187B

MD5
cba32bd9726d1d0c95fcd4b69850ef35

SHA1
711f6b3ae5314c25f455b407bf3a3a4ab7b6b144

SHA256
ba1a11fb4bc59979530d242d54dd553c44117513d3ff80d9c856b9391b440c0e

SHA512
7e0c7144b9d283b2c4f24437e51a943cc9d89eee263d21414b6bb3ec137b1265b4249e210ac0627c59f19b74f8bc331b61088876019e908c8a65228db047d81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAHsNK.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAHsNK.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/768-132-0x0000000000850000-0x000000000089E000-memory.dmp

Filesize
312KB

Download
memory/768-137-0x0000000000850000-0x000000000089E000-memory.dmp

Filesize
312KB

Download
memory/800-133-0x0000000000000000-mapping.dmp

Download
memory/800-136-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/800-138-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/3316-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads