ab70d29d52622c352ad8f36a6fc58a7c0a28d01c9ce25c5e3c97991be9c1cbe4

Resubmissions

02/03/2023, 14:13

230302-rje1kadc45 7

02/03/2023, 14:12

02/03/2023, 14:11

02/03/2023, 14:10

02/03/2023, 14:08

Analysis

max time kernel
238s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 14:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

stkhcl32.dll.7z
Size

8.4MB
MD5

903a766301bd69840c8ab4312dd0272e
SHA1

c2ce6978015676ca4534f27735ccc73f5d0506c9
SHA256

ab70d29d52622c352ad8f36a6fc58a7c0a28d01c9ce25c5e3c97991be9c1cbe4
SHA512

de35dfceabf6a7ddda6cd9c1051edb799fce8b3d7d53fbafebc764c77eb8b575939e784cebf556dc9fb83164cbb1df2a26f25b864b589ce83726b990fcab6b31
SSDEEP

196608:/nSpkvZlBEqXI+4HL2+13dEXYIhnA0PbpBiIajhNA:fqkyRreYCVg/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3764	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7zG.exe\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7zG.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zG.exe\" \"%1\""	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7zG.exe	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7zG.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications\7zG.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000005456dd981000372d5a6970003c0009000400efbe5456dd985456dd982e00000010250200000009000000000000000000000000000000dcbec60037002d005a0069007000000014000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000005456ef9c110050524f4752417e310000740009000400efbe874fdb495456ef9c2e0000003f0000000000010000000000000000004a0000000000ba001701500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Applications	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3764	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1800	OpenWith.exe
3764	rundll32.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeRestorePrivilege	2684	7zG.exe
Token: 35	2684	7zG.exe
Token: SeRestorePrivilege	3104	7zG.exe
Token: 35	3104	7zG.exe
Token: SeSecurityPrivilege	3104	7zG.exe
Token: SeSecurityPrivilege	3104	7zG.exe
Token: SeRestorePrivilege	3188	7zG.exe
Token: 35	3188	7zG.exe
Token: SeSecurityPrivilege	3188	7zG.exe
Token: SeSecurityPrivilege	3188	7zG.exe
Token: SeTcbPrivilege	3764	rundll32.exe
Token: SeTcbPrivilege	3764	rundll32.exe
Token: SeTcbPrivilege	3764	rundll32.exe
Token: SeTcbPrivilege	3764	rundll32.exe
Token: SeTcbPrivilege	3764	rundll32.exe
Token: SeTcbPrivilege	3764	rundll32.exe
Token: SeTcbPrivilege	3764	rundll32.exe
Token: SeTcbPrivilege	3764	rundll32.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3104	7zG.exe
3188	7zG.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
1800	OpenWith.exe
3764	rundll32.exe
3764	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2684	1800	OpenWith.exe	96
PID 1800 wrote to memory of 2684	1800	OpenWith.exe	96
PID 2036 wrote to memory of 3764	2036	cmd.exe	115
PID 2036 wrote to memory of 3764	2036	cmd.exe	115
PID 2036 wrote to memory of 3972	2036	cmd.exe	117
PID 2036 wrote to memory of 3972	2036	cmd.exe	117
PID 3876 wrote to memory of 4304	3876	cmd.exe	121
PID 3876 wrote to memory of 4304	3876	cmd.exe	121

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\stkhcl32.dll.7z
1⤵
- Modifies registry class
PID:1904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" "C:\Users\Admin\AppData\Local\Temp\stkhcl32.dll.7z"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3288

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\stkhcl32.dll\" -spe -an -ai#7zMap5489:84:7zEvent11218
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\stkhcl32.dll\" -spe -an -ai#7zMap23798:84:7zEvent27203
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\rundll32.exe
  rundll32.exe stkhcl32.dll, SessionThread
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3764
- C:\Windows\system32\rundll32.exe
  rundll32.exe stkhcl32.dll
  2⤵
  PID:3972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\System32\rundll32.exe
  rundll32.exe stkhcl32.dll, SessionThread
  2⤵
  PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
4f0bccd838b03844695a1d58e6ccfbca

SHA1
dad3affcab8dcd1e008d1e3041edf415f2bc70a6

SHA256
c3df0aedb8886a2568a2628d203665445a64c923808db2c97a7190ddc302a766

SHA512
f7ba142df35ecfe007c68fd4c834b186683185d214c00b5954cd9d17f75e73443c4ec75579c8614f679081123968f298919ac4b44c0f364484b5c9d7ad14743c

Download Submit
C:\Users\Admin\Documents\stkhcl32.dll\stkhcl32.dll

Filesize
30.5MB

MD5
a6fcef9979eef47906812612c8bb1983

SHA1
ba50d56eb229813cb0ed8d1e1bbe218b99e6a9de

SHA256
c1977043a99665eb97ac02624c647c6b31a25df12e956af21c839d852aaa4e85

SHA512
651ae3ae114d4bb0f152edfe0aefa6a3c979cf38da8c47fa2920177ac052c192734cef0ebfd256ae108547d15285b84118ebc9528d8cb885c1d85a1847e30f30

Download Submit
C:\Users\Admin\Documents\stkhcl32.dll\stkhcl32.dll

Filesize
30.5MB

MD5
a6fcef9979eef47906812612c8bb1983

SHA1
ba50d56eb229813cb0ed8d1e1bbe218b99e6a9de

SHA256
c1977043a99665eb97ac02624c647c6b31a25df12e956af21c839d852aaa4e85

SHA512
651ae3ae114d4bb0f152edfe0aefa6a3c979cf38da8c47fa2920177ac052c192734cef0ebfd256ae108547d15285b84118ebc9528d8cb885c1d85a1847e30f30

Download Submit