a07b612d85c1ce29a711d0ca0b08cd898556a104fbe7319864252631cb7f8342

Analysis

max time kernel
302s
max time network
170s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
02/03/2023, 20:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Id-40340917 101603.exe
Size

471.2MB
MD5

5d03b9fdabd58ff54b9b336103a7c784
SHA1

503c20c5f1f6eb82cbd09528a6c5721d57773f73
SHA256

af311e1519425d00402a15361e996408a304cb43c6785f6c047fe96cea47c80b
SHA512

7e1bdbf0036fada169630e9b647b0bd4c5b576a1207715ce7b0e360721d4da490da5d74842565a7861c0576b897522f2d2b56552be9283d79e0813c7365a31ce
SSDEEP

24576:1EuOaPhW+GpDl3ulAyjmJl72R5JtjPM+wBTpy:IkhksA7YNM+WTpy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
780	DropBoxExe.exe
1804	DropBoxExe.exe

Loads dropped DLL 12 IoCs

pid	Process
1000	Id-40340917 101603.exe
1000	Id-40340917 101603.exe
1000	Id-40340917 101603.exe
1000	Id-40340917 101603.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DropBoxExe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	DropBoxExe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DropBoxExe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DropBoxExe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	DropBoxExe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DropBoxExe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
280	schtasks.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Id-40340917 101603.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Id-40340917 101603.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Id-40340917 101603.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Id-40340917 101603.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Id-40340917 101603.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Id-40340917 101603.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Id-40340917 101603.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
780	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe
1804	DropBoxExe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
780	DropBoxExe.exe
1804	DropBoxExe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 780	1000	Id-40340917 101603.exe	31
PID 1000 wrote to memory of 780	1000	Id-40340917 101603.exe	31
PID 1000 wrote to memory of 780	1000	Id-40340917 101603.exe	31
PID 1000 wrote to memory of 780	1000	Id-40340917 101603.exe	31
PID 780 wrote to memory of 280	780	DropBoxExe.exe	33
PID 780 wrote to memory of 280	780	DropBoxExe.exe	33
PID 780 wrote to memory of 280	780	DropBoxExe.exe	33
PID 780 wrote to memory of 280	780	DropBoxExe.exe	33
PID 1452 wrote to memory of 1804	1452	taskeng.exe	36
PID 1452 wrote to memory of 1804	1452	taskeng.exe	36
PID 1452 wrote to memory of 1804	1452	taskeng.exe	36
PID 1452 wrote to memory of 1804	1452	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\Id-40340917 101603.exe
"C:\Users\Admin\AppData\Local\Temp\Id-40340917 101603.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\UpOneLevel\DropBoxExe.exe
  "C:\Users\Admin\UpOneLevel\DropBoxExe.exe" -lang rus
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Local\Temp\settings.xml" /tn "reflateN"
    3⤵
    - Creates scheduled task(s)
    PID:280

C:\Windows\system32\taskeng.exe
taskeng.exe {69AB459A-9220-44F6-B7C5-2E0C9A7B3771} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\UpOneLevel\DropBoxExe.exe
  C:\Users\Admin\UpOneLevel\DropBoxExe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a8966b578b20f6de0a0dd03211aa4a8

SHA1
805ee2ef53b4e87f6a9d85d5fcf88eef80337538

SHA256
39a24c057e7207d4650caae7357e0252396558a0bea019f05b2f8f40aa295762

SHA512
986d9428da6d7b2ed957917d2540fa50c1a57b72ac2c0c785a5294ce0b4972b113e4db5834171428ec1993bcd1b56789df486587eb71ca65c8b05515ad95bef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar52BA.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.xml

Filesize
1KB

MD5
cf606ce80b19736d5a8073cde01820ca

SHA1
8a0c6e83499de025844be7d187c3a5e060bca4c2

SHA256
9ab8fb61248303dc8fc5b71f59672ec2c6f9d0cc70b6437f3bedc97705a11736

SHA512
d193efb6e8326815b137d789f884ddc4a9489d853ccc230ee9bb64ec763fbfc435b31b9b56a224c5f8f2387759341cf4506769ebbacf1b020869bb803cf76e89

Download Submit
C:\Users\Admin\Downloads\SSchophunter.sys

Filesize
29.1MB

MD5
d04da707b78fd629b0760220cd85a97b

SHA1
2f6219fdd1b184bdd82c4887968696960541539f

SHA256
4d74c1f2baf980090e4970ff334f6dc2bd643339ed6a8bbdc61feaef7d7968e7

SHA512
088dc1d1e5bf181eea8692e7a05037fa9c9e5bf4c5312ac484d62bde792ccd148ff62a888983ea33034315a9b50e173df1e4e270617051c40af95c2fce857545

Download Submit
C:\Users\Admin\UpOneLevel\Common.dll

Filesize
897KB

MD5
40fd316520f0573077aacb60aff0fbc6

SHA1
4b1e23ba91a049fdc4c97caebc57cac15cb3e9b0

SHA256
0d757ca61be427e699d570364fdd5ec6f5fbeb7654dc67b34bb4b46c69466de5

SHA512
c5cad12ed7b9fc4b6af099a973438e07c0a994084cad893d34eadcc186559560d728a663054c9cfc49864fa52f88d38428088baae853fd887169be46bee8524c

Download Submit
C:\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
C:\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
C:\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
C:\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
C:\Users\Admin\UpOneLevel\OSSL.md

Filesize
15.6MB

MD5
9131ebd48be11209eeb7c44e2c89a0c7

SHA1
ca9b8929829ccd1385ae91ebbdf950edca5cdf01

SHA256
1118dbdca0f0f604025caaf9c38b621a88f65573954946e0cff125cfc66e810a

SHA512
c29565be4eaa35a2b80fb7902cd90727a0b8f82428af3fca61712b6131253aca25c661783b26f1d977167147db48b3afee85ad6e71b3c0c5de59bc5263ead9f1

Download Submit
C:\Users\Admin\UpOneLevel\StarBurn.dll

Filesize
573KB

MD5
e86403ff6f01f2b50b9f95d8e536fbf1

SHA1
0546658f5e4ac1c0b8035dc9da5f0e389e79e38f

SHA256
34d51ea931e6b9de88b55f3d9f6921fbddaa40acb888e692f66f7e77c2b6f676

SHA512
4c8ffa89c8f40b9749db013a937cc6067c46e8698ff9dbadb9371ebe792d664e08e46e26d33e0833fdd037a947eed2683d1f51d619f8dd28d7f118345d6f308f

Download Submit
C:\Users\Admin\UpOneLevel\StuffItConnect

Filesize
132B

MD5
f27517d8b718954a6aa349303da531c3

SHA1
45ee56deb2e711f0a48729c7f3e9f5e3fd97c39c

SHA256
c3e34cd586c964711a00b0657434793e34f484e68d9986e6a3b9ec3a498668b2

SHA512
b3a7fc65fc32e8327ff73400b0c72e11213b4a4d5d27fa09a72e0f5c71921566c82e0c0332261ef444dfbe449177512958e6bdd921448a35c1222d3e5b0b2c94

Download Submit
C:\Users\Admin\UpOneLevel\StuffItConnect.dll

Filesize
81KB

MD5
9f499cb83be4c828383e70b8b94a6479

SHA1
915a055b761e713d144edc7b7b94d8783f28d485

SHA256
a059228a9c6e656877adbb8d764523a02634ec8c95a8057c059b414e2a4c14e1

SHA512
4b6849f7e2f094f2d208f3dad823a86288970d500a827d31addd6eb81674d2e6be6ad1e75e488ad9b61c08db5d9351188e00d09363fc695e2f8534746a6bbbcc

Download Submit
C:\Users\Admin\UpOneLevel\StuffItEngine.dll

Filesize
482.5MB

MD5
46eacd2a725f9013b7659cfb6dfcab52

SHA1
e276d2b408ed17b68bd05436118a72190e0ea8d9

SHA256
3294f58b5a0dce027830373186c72a2ba3c258200f603c5f416b8490f4e0a68f

SHA512
c5e3b2d329d7fe60000f5c2ab9774b5d7d5d25b6d3fd14a3191649b6f7e38b258b4e66ae0c206f07b8dca174a4e668ae9731e10d7db1ad250b5c8c91064edd03

Download Submit
\Users\Admin\UpOneLevel\Common.dll

Filesize
897KB

MD5
40fd316520f0573077aacb60aff0fbc6

SHA1
4b1e23ba91a049fdc4c97caebc57cac15cb3e9b0

SHA256
0d757ca61be427e699d570364fdd5ec6f5fbeb7654dc67b34bb4b46c69466de5

SHA512
c5cad12ed7b9fc4b6af099a973438e07c0a994084cad893d34eadcc186559560d728a663054c9cfc49864fa52f88d38428088baae853fd887169be46bee8524c

Download Submit
\Users\Admin\UpOneLevel\Common.dll

Filesize
897KB

MD5
40fd316520f0573077aacb60aff0fbc6

SHA1
4b1e23ba91a049fdc4c97caebc57cac15cb3e9b0

SHA256
0d757ca61be427e699d570364fdd5ec6f5fbeb7654dc67b34bb4b46c69466de5

SHA512
c5cad12ed7b9fc4b6af099a973438e07c0a994084cad893d34eadcc186559560d728a663054c9cfc49864fa52f88d38428088baae853fd887169be46bee8524c

Download Submit
\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
\Users\Admin\UpOneLevel\DropBoxExe.exe

Filesize
394KB

MD5
307b6e3b6b84bb4672e801e60abf365f

SHA1
15d9e7886d928bea2d87af566f91d2208c1e2e9c

SHA256
57fc7477b265411a1466c709767629b9c0cf8b69bd989019bfaf1509e725e7fe

SHA512
ad8ced527c9caced86af8326fe8026ab93a5060a7139105c3746413448fbd16d8786ba49cc9c78bc83b38b6771f265434697d81021e145ba38edadb797f6cee9

Download Submit
\Users\Admin\UpOneLevel\StarBurn.dll

Filesize
573KB

MD5
e86403ff6f01f2b50b9f95d8e536fbf1

SHA1
0546658f5e4ac1c0b8035dc9da5f0e389e79e38f

SHA256
34d51ea931e6b9de88b55f3d9f6921fbddaa40acb888e692f66f7e77c2b6f676

SHA512
4c8ffa89c8f40b9749db013a937cc6067c46e8698ff9dbadb9371ebe792d664e08e46e26d33e0833fdd037a947eed2683d1f51d619f8dd28d7f118345d6f308f

Download Submit
\Users\Admin\UpOneLevel\StarBurn.dll

Filesize
573KB

MD5
e86403ff6f01f2b50b9f95d8e536fbf1

SHA1
0546658f5e4ac1c0b8035dc9da5f0e389e79e38f

SHA256
34d51ea931e6b9de88b55f3d9f6921fbddaa40acb888e692f66f7e77c2b6f676

SHA512
4c8ffa89c8f40b9749db013a937cc6067c46e8698ff9dbadb9371ebe792d664e08e46e26d33e0833fdd037a947eed2683d1f51d619f8dd28d7f118345d6f308f

Download Submit
\Users\Admin\UpOneLevel\StuffItConnect.dll

Filesize
81KB

MD5
9f499cb83be4c828383e70b8b94a6479

SHA1
915a055b761e713d144edc7b7b94d8783f28d485

SHA256
a059228a9c6e656877adbb8d764523a02634ec8c95a8057c059b414e2a4c14e1

SHA512
4b6849f7e2f094f2d208f3dad823a86288970d500a827d31addd6eb81674d2e6be6ad1e75e488ad9b61c08db5d9351188e00d09363fc695e2f8534746a6bbbcc

Download Submit
\Users\Admin\UpOneLevel\StuffItConnect.dll

Filesize
81KB

MD5
9f499cb83be4c828383e70b8b94a6479

SHA1
915a055b761e713d144edc7b7b94d8783f28d485

SHA256
a059228a9c6e656877adbb8d764523a02634ec8c95a8057c059b414e2a4c14e1

SHA512
4b6849f7e2f094f2d208f3dad823a86288970d500a827d31addd6eb81674d2e6be6ad1e75e488ad9b61c08db5d9351188e00d09363fc695e2f8534746a6bbbcc

Download Submit
\Users\Admin\UpOneLevel\StuffItEngine.dll

Filesize
482.5MB

MD5
46eacd2a725f9013b7659cfb6dfcab52

SHA1
e276d2b408ed17b68bd05436118a72190e0ea8d9

SHA256
3294f58b5a0dce027830373186c72a2ba3c258200f603c5f416b8490f4e0a68f

SHA512
c5e3b2d329d7fe60000f5c2ab9774b5d7d5d25b6d3fd14a3191649b6f7e38b258b4e66ae0c206f07b8dca174a4e668ae9731e10d7db1ad250b5c8c91064edd03

Download Submit
\Users\Admin\UpOneLevel\StuffItEngine.dll

Filesize
482.5MB

MD5
46eacd2a725f9013b7659cfb6dfcab52

SHA1
e276d2b408ed17b68bd05436118a72190e0ea8d9

SHA256
3294f58b5a0dce027830373186c72a2ba3c258200f603c5f416b8490f4e0a68f

SHA512
c5e3b2d329d7fe60000f5c2ab9774b5d7d5d25b6d3fd14a3191649b6f7e38b258b4e66ae0c206f07b8dca174a4e668ae9731e10d7db1ad250b5c8c91064edd03

Download Submit
memory/780-320-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/780-325-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-317-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-318-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/780-319-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-306-0x0000000003A20000-0x0000000004756000-memory.dmp

Filesize
13.2MB

Download
memory/780-321-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-303-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-324-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-316-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-301-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/780-329-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-330-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-300-0x00000000006C0000-0x0000000001260000-memory.dmp

Filesize
11.6MB

Download
memory/780-297-0x0000000000230000-0x00000000002D2000-memory.dmp

Filesize
648KB

Download
memory/1000-293-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1000-198-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1000-276-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1804-338-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1804-359-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-340-0x0000000003A10000-0x0000000004746000-memory.dmp

Filesize
13.2MB

Download
memory/1804-350-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-351-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1804-352-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-353-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1804-354-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-355-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1804-356-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-358-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-336-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-360-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-361-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-362-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-363-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-364-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-366-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-368-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-370-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download
memory/1804-371-0x00000000009B0000-0x0000000001550000-memory.dmp

Filesize
11.6MB

Download