56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

Analysis

max time kernel
6s
max time network
11s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
02-07-2023 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoruni.pee.exe
Size

100KB
MD5

aae219d4e703051d60351f73ca288d1d
SHA1

1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214
SHA256

56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307
SHA512

c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5
SSDEEP

3072:J2MWsQvnyo/CtkgEcnz7fsmqLGnQ7eMDLyPexpZ:J2jsgpYtEcnzwlLFeMD2Pex

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wins.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LeChucK.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	autoruni.pee.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 17 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1292	attrib.exe
1816	attrib.exe
904	attrib.exe
1496	attrib.exe
528	attrib.exe
1992	attrib.exe
1948	attrib.exe
1084	attrib.exe
1608	attrib.exe
580	attrib.exe
452	attrib.exe
1292	attrib.exe
564	attrib.exe
296	attrib.exe
1460	attrib.exe
1796	attrib.exe
672	attrib.exe

Executes dropped EXE 7 IoCs

pid	Process
1536	LeChucK.exe
1048	LeChucK.exe
1252	wins.exe
944	LeChucK.exe
904	wins.exe
1656	wins.exe
1452	wins.exe

Loads dropped DLL 13 IoCs

pid	Process
1680	autoruni.pee.exe
1680	autoruni.pee.exe
1536	LeChucK.exe
1536	LeChucK.exe
1536	LeChucK.exe
1536	LeChucK.exe
1252	wins.exe
1252	wins.exe
1252	wins.exe
1252	wins.exe
1680	autoruni.pee.exe
1680	autoruni.pee.exe
1252	wins.exe

Modifies system executable filetype association 2 TTPs 49 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\ = "Open"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\Open\Command	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\Open\Command	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\Open\Command	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\Open\Command	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\ = "Open"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\Open\Command	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\ = "Open"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\Open\Command	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\ = "Open"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\Open\Command	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\ = "Open"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\ = "Open"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\ = "Open"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\ = "Open"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\ = "Open"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\ = "Open"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\Open\Command	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\Open\Command	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\Open\Command	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\ = "Open"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\Open\Command	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\Open\Command	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\ = "Open"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	wins.exe
File opened for modification	C:\autorun.inf	attrib.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cmd.com	autoruni.pee.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	autoruni.pee.exe
File created	C:\Windows\SysWOW64\cmd.com	wins.exe
File opened for modification	C:\Windows\SysWOW64\LeChucK.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\LeChucK.exe	autoruni.pee.exe
File created	C:\Windows\SysWOW64\wins.exe	autoruni.pee.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	autoruni.pee.exe
File created	C:\Windows\SysWOW64\wins.exe	LeChucK.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	attrib.exe
File created	C:\Windows\SysWOW64\LeChucK.exe	wins.exe
File created	C:\Windows\SysWOW64\LeChucK.exe	autoruni.pee.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	attrib.exe
File opened for modification	C:\Windows\SysWOW64\LeChucK.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\LeChucK.exe	attrib.exe
File created	C:\Windows\SysWOW64\LeChucK.exe	LeChucK.exe
File created	C:\Windows\SysWOW64\cmd.com	LeChucK.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\zip32.dll	LeChucK.exe
File opened for modification	C:\Windows\SysWOW64\CC.dll	LeChucK.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\regedit.com	attrib.exe
File opened for modification	C:\Windows\spolis.exe	attrib.exe
File created	C:\Windows\regedit.com	wins.exe
File opened for modification	C:\Windows\spolis.exe	attrib.exe
File created	C:\Windows\regedit.com	autoruni.pee.exe
File opened for modification	C:\Windows\regedit.com	attrib.exe
File created	C:\Windows\spolis.exe	wins.exe
File opened for modification	C:\Windows\spolis.exe	attrib.exe
File opened for modification	C:\Windows\regedit.com	autoruni.pee.exe
File opened for modification	C:\Windows\spolis.exe	autoruni.pee.exe
File opened for modification	C:\Windows\spolis.exe	LeChucK.exe
File opened for modification	C:\Windows\spolis.exe	attrib.exe
File opened for modification	C:\Windows\regedit.com	attrib.exe
File created	C:\Windows\spolis.exe	autoruni.pee.exe
File created	C:\Windows\regedit.com	LeChucK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33522211-190D-11EE-B997-F6780A61CDA7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\Open\Command	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\ = "Open"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\Open\Command	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\Open\Command	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\Open\Command	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\Open\Command	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\Open\Command	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\Open\Command	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\ = "Open"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\Open\Command	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\ = "Open"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\ = "Open"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\Open\Command	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell\Open\Command	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\ = "Open"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\ = "Open"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\ = "Open"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell\Open\Command	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\ = "Open"	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\ = "Open"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\Shell	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\ = "Open"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\ = "Open"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell\Open\Command	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\Open\Command	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell	autoruni.pee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\wins.exe \"%1\" %*"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\ = "Open"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	wins.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\Shell\Open\Command	LeChucK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\ = "Open"	LeChucK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\Shell	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\Shell	autoruni.pee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\Shell\Open\Command	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\ = "Open"	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\ = "Open"	autoruni.pee.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1564	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1680	autoruni.pee.exe
1536	LeChucK.exe
1048	LeChucK.exe
1252	wins.exe
944	LeChucK.exe
904	wins.exe
1656	wins.exe
1452	wins.exe
1564	iexplore.exe
1564	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1348	1680	autoruni.pee.exe	28
PID 1680 wrote to memory of 1348	1680	autoruni.pee.exe	28
PID 1680 wrote to memory of 1348	1680	autoruni.pee.exe	28
PID 1680 wrote to memory of 1348	1680	autoruni.pee.exe	28
PID 1680 wrote to memory of 1196	1680	autoruni.pee.exe	29
PID 1680 wrote to memory of 1196	1680	autoruni.pee.exe	29
PID 1680 wrote to memory of 1196	1680	autoruni.pee.exe	29
PID 1680 wrote to memory of 1196	1680	autoruni.pee.exe	29
PID 1680 wrote to memory of 1008	1680	autoruni.pee.exe	30
PID 1680 wrote to memory of 1008	1680	autoruni.pee.exe	30
PID 1680 wrote to memory of 1008	1680	autoruni.pee.exe	30
PID 1680 wrote to memory of 1008	1680	autoruni.pee.exe	30
PID 1680 wrote to memory of 984	1680	autoruni.pee.exe	31
PID 1680 wrote to memory of 984	1680	autoruni.pee.exe	31
PID 1680 wrote to memory of 984	1680	autoruni.pee.exe	31
PID 1680 wrote to memory of 984	1680	autoruni.pee.exe	31
PID 1008 wrote to memory of 1292	1008	Cmd.exe	36
PID 1008 wrote to memory of 1292	1008	Cmd.exe	36
PID 1008 wrote to memory of 1292	1008	Cmd.exe	36
PID 1008 wrote to memory of 1292	1008	Cmd.exe	36
PID 1348 wrote to memory of 1460	1348	Cmd.exe	37
PID 1348 wrote to memory of 1460	1348	Cmd.exe	37
PID 1348 wrote to memory of 1460	1348	Cmd.exe	37
PID 1348 wrote to memory of 1460	1348	Cmd.exe	37
PID 1680 wrote to memory of 1188	1680	autoruni.pee.exe	39
PID 1680 wrote to memory of 1188	1680	autoruni.pee.exe	39
PID 1680 wrote to memory of 1188	1680	autoruni.pee.exe	39
PID 1680 wrote to memory of 1188	1680	autoruni.pee.exe	39
PID 1196 wrote to memory of 1816	1196	Cmd.exe	38
PID 1196 wrote to memory of 1816	1196	Cmd.exe	38
PID 1196 wrote to memory of 1816	1196	Cmd.exe	38
PID 1196 wrote to memory of 1816	1196	Cmd.exe	38
PID 984 wrote to memory of 904	984	Cmd.exe	40
PID 984 wrote to memory of 904	984	Cmd.exe	40
PID 984 wrote to memory of 904	984	Cmd.exe	40
PID 984 wrote to memory of 904	984	Cmd.exe	40
PID 1680 wrote to memory of 1536	1680	autoruni.pee.exe	41
PID 1680 wrote to memory of 1536	1680	autoruni.pee.exe	41
PID 1680 wrote to memory of 1536	1680	autoruni.pee.exe	41
PID 1680 wrote to memory of 1536	1680	autoruni.pee.exe	41
PID 1536 wrote to memory of 996	1536	LeChucK.exe	43
PID 1536 wrote to memory of 996	1536	LeChucK.exe	43
PID 1536 wrote to memory of 996	1536	LeChucK.exe	43
PID 1536 wrote to memory of 996	1536	LeChucK.exe	43
PID 1536 wrote to memory of 1752	1536	LeChucK.exe	44
PID 1536 wrote to memory of 1752	1536	LeChucK.exe	44
PID 1536 wrote to memory of 1752	1536	LeChucK.exe	44
PID 1536 wrote to memory of 1752	1536	LeChucK.exe	44
PID 1536 wrote to memory of 936	1536	LeChucK.exe	45
PID 1536 wrote to memory of 936	1536	LeChucK.exe	45
PID 1536 wrote to memory of 936	1536	LeChucK.exe	45
PID 1536 wrote to memory of 936	1536	LeChucK.exe	45
PID 1536 wrote to memory of 1624	1536	LeChucK.exe	51
PID 1536 wrote to memory of 1624	1536	LeChucK.exe	51
PID 1536 wrote to memory of 1624	1536	LeChucK.exe	51
PID 1536 wrote to memory of 1624	1536	LeChucK.exe	51
PID 1536 wrote to memory of 1592	1536	LeChucK.exe	50
PID 1536 wrote to memory of 1592	1536	LeChucK.exe	50
PID 1536 wrote to memory of 1592	1536	LeChucK.exe	50
PID 1536 wrote to memory of 1592	1536	LeChucK.exe	50
PID 1536 wrote to memory of 1048	1536	LeChucK.exe	46
PID 1536 wrote to memory of 1048	1536	LeChucK.exe	46
PID 1536 wrote to memory of 1048	1536	LeChucK.exe	46
PID 1536 wrote to memory of 1048	1536	LeChucK.exe	46

Views/modifies file attributes 1 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1460	attrib.exe
1816	attrib.exe
1796	attrib.exe
1992	attrib.exe
564	attrib.exe
1608	attrib.exe
1496	attrib.exe
528	attrib.exe
1292	attrib.exe
672	attrib.exe
1084	attrib.exe
296	attrib.exe
1948	attrib.exe
1292	attrib.exe
904	attrib.exe
452	attrib.exe
580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\autoruni.pee.exe
"C:\Users\Admin\AppData\Local\Temp\autoruni.pee.exe"
1⤵
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\LeChucK.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\attrib.exe
    Attrib +a +s +r +h C:\Windows\System32\LeChucK.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1460
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\wins.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\attrib.exe
    Attrib +a +s +r +h C:\Windows\System32\wins.exe
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1816
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\cmd.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\attrib.exe
    Attrib +a +s +r +h C:\Windows\System32\cmd.com
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1292
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c Attrib +a +s +r +h C:\Windows\regedit.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\attrib.exe
    Attrib +a +s +r +h C:\Windows\regedit.com
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:904
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c Attrib +a +s +r +h C:\Windows\spolis.exe
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\attrib.exe
    Attrib +a +s +r +h C:\Windows\spolis.exe
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1796
- C:\Windows\SysWOW64\LeChucK.exe
  C:\Windows\System32\LeChucK.exe
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\LeChucK.exe
    3⤵
    PID:996
  - - C:\Windows\SysWOW64\attrib.exe
      Attrib +a +s +r +h C:\Windows\System32\LeChucK.exe
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:1496
- - C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\wins.exe
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\attrib.exe
      Attrib +a +s +r +h C:\Windows\System32\wins.exe
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:452
- - C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\cmd.com
    3⤵
    PID:936
  - - C:\Windows\SysWOW64\attrib.exe
      Attrib +a +s +r +h C:\Windows\System32\cmd.com
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:528
- - C:\Windows\SysWOW64\LeChucK.exe
    C:\Windows\System32\LeChucK.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1048
- - C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c Attrib +a +s +r +h C:\Windows\spolis.exe
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\attrib.exe
      Attrib +a +s +r +h C:\Windows\spolis.exe
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1992
- - C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c Attrib +a +s +r +h C:\Windows\regedit.com
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\attrib.exe
      Attrib +a +s +r +h C:\Windows\regedit.com
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1948
- - C:\Windows\SysWOW64\wins.exe
    C:\Windows\System32\wins.exe
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1252
  - - C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\LeChucK.exe
      4⤵
      PID:1436
    - - C:\Windows\SysWOW64\attrib.exe
        
        Attrib +a +s +r +h C:\Windows\System32\LeChucK.exe
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1292
  - - C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\wins.exe
      4⤵
      PID:1444
    - - C:\Windows\SysWOW64\attrib.exe
        
        Attrib +a +s +r +h C:\Windows\System32\wins.exe
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1084
  - - C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c Attrib +a +s +r +h C:\Windows\System32\cmd.com
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\attrib.exe
        
        Attrib +a +s +r +h C:\Windows\System32\cmd.com
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:564
  - - C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c Attrib +a +s +r +h C:\Windows\regedit.com
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\attrib.exe
        
        Attrib +a +s +r +h C:\Windows\regedit.com
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:580
  - - C:\Windows\SysWOW64\LeChucK.exe
      C:\Windows\System32\LeChucK.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:944
  - - C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c Attrib +a +s +r +h C:\Windows\spolis.exe
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\attrib.exe
        
        Attrib +a +s +r +h C:\Windows\spolis.exe
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:672
  - - C:\Windows\SysWOW64\wins.exe
      C:\Windows\System32\wins.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:904
  - - C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c Attrib +a +s +r +h C:\autorun.inf
      4⤵
      PID:1288
    - - C:\Windows\SysWOW64\attrib.exe
        
        Attrib +a +s +r +h C:\autorun.inf
        5⤵
        Sets file to hidden
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:1608
  - - C:\Windows\SysWOW64\Cmd.exe
      Cmd.exe /c Attrib +a +s +r +h C:\Windows\Spolis.exe
      4⤵
      PID:1196
    - - C:\Windows\SysWOW64\attrib.exe
        
        Attrib +a +s +r +h C:\Windows\Spolis.exe
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:296
  - - C:\Windows\SysWow64\wins.exe
      "C:\Windows\SysWow64\wins.exe" "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gratisweb.com/mowpax/contador.htm
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1452
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.gratisweb.com/mowpax/contador.htm
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1564
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1624
- C:\Windows\SysWOW64\wins.exe
  C:\Windows\System32\wins.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\cmd.com

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\cmd.com

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\regedit.com

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\spolis.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\Windows\spolis.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
C:\autorun.inf

Filesize
190B

MD5
78a07447064eba5da949f410857d2b1f

SHA1
a0dcc5863668841fc59567ef5b4a956c02ec9ac5

SHA256
9a2775697d26751bf7ac89d6bc6990aded650b07d07a78a458447a2dce27af9d

SHA512
83d11bf8dac07b0f0216f31e07df00001b7f09a34151a441acab3d33bdd28abc1348ac38afbff332220f4a2bbc242b15bbb0334beb391458e8c78cdd45eb1f61

Download Submit
\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\LeChucK.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
\Windows\SysWOW64\wins.exe

Filesize
100KB

MD5
aae219d4e703051d60351f73ca288d1d

SHA1
1b28cbc3d27a92281ebf4754c27b9ac4a3a8c214

SHA256
56947c93fb17d3339ff2a778556f4a4f95516fb5112db61ae0804ecdcf4d1307

SHA512
c506e10cb96346729bbcf7001a2e686c22998c5b62cfff80319a6ab2e50031e96d7731b1cf5128a34d071779360be4ebacb28a2296651c80ba9e12650ef48af5

Download Submit
memory/904-105-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/904-106-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/944-95-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-84-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1252-104-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1252-124-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/1252-131-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1452-123-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1536-103-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1536-130-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1656-122-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1680-102-0x00000000003D0000-0x00000000003F6000-memory.dmp

Filesize
152KB

Download
memory/1680-100-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1680-121-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads