ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24/08/2023, 00:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Size

274KB
MD5

9f8568844cdfa628bf47df040bc43326
SHA1

9136b4c3d52e17cfc9f77a4624fe59fe29a6e01f
SHA256

ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2
SHA512

0a2315e258431ab1d289e609b955a1736a45d591743a092a0efd087de39b851c1b6713b93cd7b3da2c8ad307a75a09f6a622552878b50937e9d5cf0d75db84dc
SSDEEP

6144:xbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:xPcrfR6ZnOkx2LIa

Score

8^/10

upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\2QvaKGwwWy.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\De5O5UQmc64V.fkz	Explorer.EXE
File created	C:\Windows\System32\drivers\DUO4ndFFY.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\P8nWpHcjcNlGR.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\fNCBTd8XnI.uud	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\Iam5LAtRFP.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\1cmkxlbCbt1TyF.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\uq2GyJhaZGStl.psf	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\hEc951BlPxo46.ztv	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/632-0-0x00000000008D0000-0x000000000095C000-memory.dmp	upx
behavioral1/memory/632-82-0x00000000008D0000-0x000000000095C000-memory.dmp	upx
behavioral1/memory/632-88-0x00000000008D0000-0x000000000095C000-memory.dmp	upx
behavioral1/memory/632-144-0x00000000008D0000-0x000000000095C000-memory.dmp	upx

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.0.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000800000000b3eb-161.dat	vmprotect
behavioral1/files/0x001600000000b3eb-189.dat	vmprotect
behavioral1/files/0x002400000000b3eb-217.dat	vmprotect
behavioral1/files/0x003200000000b3eb-245.dat	vmprotect

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\FfsK7fgyjzdL.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\qRlRS4efJBrx.bvl	Explorer.EXE
File opened for modification	C:\Windows\system32\TT7s30tQ9c.ygh	Explorer.EXE
File opened for modification	C:\Windows\system32\bL9uHR1mq7.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\9Y8VMq5ncWU.bll	Explorer.EXE
File created	C:\Windows\system32\ \Windows\System32\dl8RxJ0K.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\5qT9IySniRe3.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\j9hFns5gG74O.huw	Explorer.EXE
File opened for modification	C:\Windows\system32\i4hGtjRifIMi.sys	Explorer.EXE

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Z0UsZVgOZ5xr.sys	Explorer.EXE
File opened for modification	C:\Program Files\ADo7djj7omV.nrk	Explorer.EXE
File opened for modification	C:\Program Files\IgDIiEgPor8jUK.sys	Explorer.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\3ddfa690.js	Dwm.exe
File opened for modification	C:\Program Files\99ensGIbrthMvT.lvn	Explorer.EXE
File opened for modification	C:\Program Files (x86)\IsdmI90ZEQ.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\NurGTcC7QC2cJc.rih	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Q2lE0vdXnlxdSh.xaf	Explorer.EXE
File opened for modification	C:\Program Files\Windows Mail\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\4d579034.html	Dwm.exe
File opened for modification	C:\Program Files\BzFeshIGWVcpX.jkj	Explorer.EXE
File opened for modification	C:\Program Files (x86)\HMKWGrEDbkS.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\LRGtVfsNPySO.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\GnJMPZaiMZ6.whq	Explorer.EXE
File opened for modification	C:\Program Files\Windows Mail\4d578b52.html	Explorer.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\manifest.json	Dwm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\5ccf79d8.js	Dwm.exe
File opened for modification	C:\Program Files (x86)\st7gkoCr9sy.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\QHodVipPzi8J.pkx	Explorer.EXE
File opened for modification	C:\Program Files\33x6EGNwvzqA.sys	Explorer.EXE
File opened for modification	C:\Program Files\aV2MWQdzRUvP9.sys	Explorer.EXE
File opened for modification	C:\Program Files\Euc0cPERsZMk.bqo	Explorer.EXE
File opened for modification	C:\Program Files\Windows Mail\3ddfa2a8.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows Mail\5ccf73fc.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows Mail\lib\6c475ca6.js	Explorer.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\lib\6c47637c.js	Dwm.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\C5oBnFHBEo.ngo	Explorer.EXE
File opened for modification	C:\Windows\4prb9l4ADV5EM.mnf	Explorer.EXE
File opened for modification	C:\Windows\wEiBYhpay2.vye	Explorer.EXE
File opened for modification	C:\Windows\aAIPHkPwRJVbx.sys	Explorer.EXE
File opened for modification	C:\Windows\err_632.log	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
File created	C:\Windows\CJmAAq6NV.sys	Explorer.EXE
File opened for modification	C:\Windows\CV2QF8I2pH.sys	Explorer.EXE
File opened for modification	C:\Windows\zjer9hk04fo.cry	Explorer.EXE
File opened for modification	C:\Windows\4Is5EWpoD5zar.sys	Explorer.EXE
File opened for modification	C:\Windows\xmqOiaBHeis.sys	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2280	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE
1328	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1328	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Token: SeTcbPrivilege	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Token: SeDebugPrivilege	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Token: SeDebugPrivilege	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Token: SeDebugPrivilege	1328	Explorer.EXE
Token: SeDebugPrivilege	1328	Explorer.EXE
Token: SeDebugPrivilege	1328	Explorer.EXE
Token: SeIncBasePriorityPrivilege	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
Token: SeDebugPrivilege	1328	Explorer.EXE
Token: SeBackupPrivilege	1328	Explorer.EXE
Token: SeDebugPrivilege	1328	Explorer.EXE
Token: SeDebugPrivilege	1268	Dwm.exe
Token: SeBackupPrivilege	1268	Dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1328	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1328	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	3
PID 632 wrote to memory of 1328	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	3
PID 632 wrote to memory of 1328	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	3
PID 632 wrote to memory of 1328	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	3
PID 632 wrote to memory of 1328	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	3
PID 632 wrote to memory of 424	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	25
PID 632 wrote to memory of 424	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	25
PID 632 wrote to memory of 424	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	25
PID 632 wrote to memory of 424	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	25
PID 632 wrote to memory of 424	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	25
PID 632 wrote to memory of 2828	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	32
PID 632 wrote to memory of 2828	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	32
PID 632 wrote to memory of 2828	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	32
PID 632 wrote to memory of 2828	632	ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe	32
PID 2828 wrote to memory of 2280	2828	cmd.exe	34
PID 2828 wrote to memory of 2280	2828	cmd.exe	34
PID 2828 wrote to memory of 2280	2828	cmd.exe	34
PID 2828 wrote to memory of 2280	2828	cmd.exe	34
PID 1328 wrote to memory of 1268	1328	Explorer.EXE	11
PID 1328 wrote to memory of 1268	1328	Explorer.EXE	11
PID 1328 wrote to memory of 1268	1328	Explorer.EXE	11
PID 1328 wrote to memory of 1268	1328	Explorer.EXE	11
PID 1328 wrote to memory of 1268	1328	Explorer.EXE	11
PID 1328 wrote to memory of 1268	1328	Explorer.EXE	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Local\Temp\ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe
  "C:\Users\Admin\AppData\Local\Temp\ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe"
  2⤵
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\ad3f522829029ddeb896d7f6c92132ca6c0715bebd815a69c22cc48c1e187cc2.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2280

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
2KB

MD5
1215ba64edcd9b1a1626ff75b7d8f318

SHA1
82b1ed7ee8dde3a78399d6ffccbd1f85c3f2b9d7

SHA256
da2352c2a4a3251c79f4e358419a5d5271887cd8b79212d16677f33e1378d65b

SHA512
b7e3bc7621c1cd4c4959ce2682d2bcf91306c35116e6e0b91089d3d5c2f282555aac38f6c27d1e9a0d894b6e41a43ac51d3528d1ca0cc010af9f4a3414911727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
1f94d4d280ff409d554abab350d17ef1

SHA1
6df310f84e1b99164310b7324996b71a3cb3fe24

SHA256
047a1f77bd04d3b566fe9f71e653e788ba99ecfa954cd169fde5b70517350a11

SHA512
25e67e76e011e6cb6bfd4654daef6a7c30d67db62006519549b209b3e0f6714437e08ce5ff2f26a8da54e9f0b37482ceb1ad0c2e15ee7cdb4d79347d7e0309fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
599B

MD5
1de27fb2aa3e4c249698c34280c118eb

SHA1
45534e7447599f44dff503d39a4d9cd3183a3bf0

SHA256
dc1cc2098e15f279db4cd223647977a8bd0bbf5f83b60478f904c2ef336947a4

SHA512
bd43aa1690c1f52ba47759695ff28303ac1de803f46bdadf09a950235b48ebd246f547afb3536311959d0b914192f4515a720597f270251b0f46c796e397bc14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
484B

MD5
5bd07d450e9e7258bc979373427629e7

SHA1
639c0d55399e3a7bee38c15a919658e67fb4affb

SHA256
e807c622c4a131837f89794505c9d12e05fa460cc9130ec0f28d96978b398006

SHA512
1fb5a81d91adbd19cda89680cb8b5e0067f881a1d1bbeeb466d4937dba949f834002835b5d69f39b03ded6a680c577bc5581c265903752e2b1d2317c0d702c60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
753df794fcfdfed0684614177c7de6eb

SHA1
ac9de501b25b17478bb426917db8c9117091f357

SHA256
ca700043f615b68295bde86ed226050af8286fb93205c53f6dfa07c1ee09fae1

SHA512
cf8d37458378f9f6382ada6203b82f0f1be5e6f8e4a28606abb4ddca54d2df84e805c78f82a6c679dc22fd795cb50139aba6b1e3940005180e423d019ba251cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca0b93d40d1d92b25392fb88a06f1d9d

SHA1
bb0f74808210330af8e4b65ce916b2b863142320

SHA256
01d62e64aa579fa659eab4e0027d245c0e6cf1a75fe47f6fa6deb9c3c72126af

SHA512
f422281ab829f122548232319f1afb5a7dd90dd933b48c143caad810f137efe2a366177687a01be64d0e44efe8d07b3543e06150f36226ab610ede7ada0e14a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1074612ca46c9ca5cee4ceec07e0b39e

SHA1
5b49e0ff925310f25236f4cce965f11bf6a270a2

SHA256
1a87f1794cafd981eaede63752d51e5bf3f2838b7ed3daf97c4c983593f4a2a4

SHA512
48d57195fa22d12aafe9300b7612472078e7275089711843b2cfcb9732da7c21f3f837d3f69c56b8b79f2e4b0f0e91cf743846780d6b875f5f7b5b48483661e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
45f8ec185c08863407135af88085c2b1

SHA1
dd46f794dd906d44933822345b7aab1101338fd4

SHA256
5cd053082a10ad217592ef26b5c191f054c41d3cfd8c9c1d2346988e0fa7ea0a

SHA512
0182c9783dfbdd452d06c85e98f587d9473a5d8bcb54a5eb36985970cb7078247ef7c77ee0c530eb10cc52a6440bc9e9eebcccc314e6ef5bb0cae330a80b8794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
504B

MD5
7e6b38d2187ef438220f5dc18921c694

SHA1
55eb9f79f49b04579b438e8e32a20ce8946296c8

SHA256
39b7992fb504ffa8cca2f3ece8d1213eaff8f8e6516a2574ed729ad02ae3c9c3

SHA512
bdbdcb4d9ec8da0bc161ac237f2562a3862555bfba78eda27f5171151ad87edc82d44c917629f984ead9e99b43b5ee9d1d26fa2b78c164ea27229843ba44e114

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar70A.tmp

Filesize
163KB

MD5
19399ab248018076e27957e772bcfbab

SHA1
faef897e02d9501146beb49f75da1caf12967b88

SHA256
326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9

SHA512
6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

Download Submit
C:\Windows\4Is5EWpoD5zar.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\CV2QF8I2pH.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\aAIPHkPwRJVbx.sys

Filesize
415KB

MD5
d1e01b9596f7599331509acf3bda7d5c

SHA1
1ec9b7d6f4b07740a74f1682f64c7b3f97f68527

SHA256
1cc0bda1a5c87760b63b778449597e47ad519dd4e8bbffc89ebcdffe2fe4f2cb

SHA512
d14a4146f1aa8097e8cb2ae0e56a39c125abb68435599a44a40e55640d6647bd7e17c27e05addb67e7ea09e0dd0d6a21da9dbb1368321124fdbaf26ad82da0fc

Download Submit
C:\Windows\xmqOiaBHeis.sys

Filesize
447KB

MD5
61578ec7e93f6b8b33a0f344bd74c87c

SHA1
52b3679310fbf8d874ef7bea8af6bcc82b903151

SHA256
59e51751ccf8c91f31526ac6090cf0b443d4a4dd46adebc41f9cf7f43687f72c

SHA512
c560251e3b3d8a4622bc5a2543897481550439676b69c7f73d6f718ca9fb14bed33793b0b2c283b066748529fe90afc0be569218b819b460cd96b5e4c79134a0

Download Submit
memory/424-86-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/424-145-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/632-88-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/632-144-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/632-0-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/632-82-0x00000000008D0000-0x000000000095C000-memory.dmp

Filesize
560KB

Download
memory/1268-288-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/1268-278-0x0000000001E50000-0x0000000001EFA000-memory.dmp

Filesize
680KB

Download
memory/1268-283-0x0000000001BE0000-0x0000000001BE3000-memory.dmp

Filesize
12KB

Download
memory/1268-285-0x0000000001BE0000-0x0000000001BE3000-memory.dmp

Filesize
12KB

Download
memory/1268-286-0x0000000001BE0000-0x0000000001BE3000-memory.dmp

Filesize
12KB

Download
memory/1268-287-0x0000000001FB0000-0x000000000205F000-memory.dmp

Filesize
700KB

Download
memory/1268-290-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/1268-292-0x0000000001FB0000-0x000000000205F000-memory.dmp

Filesize
700KB

Download
memory/1328-152-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1328-153-0x0000000009080000-0x000000000912F000-memory.dmp

Filesize
700KB

Download
memory/1328-150-0x0000000009080000-0x000000000912F000-memory.dmp

Filesize
700KB

Download
memory/1328-149-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1328-148-0x000007FF1A730000-0x000007FF1A73A000-memory.dmp

Filesize
40KB

Download
memory/1328-147-0x000007FEF5F30000-0x000007FEF6073000-memory.dmp

Filesize
1.3MB

Download
memory/1328-271-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1328-272-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/1328-275-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/1328-276-0x0000000009080000-0x000000000912F000-memory.dmp

Filesize
700KB

Download
memory/1328-277-0x0000000009080000-0x000000000912F000-memory.dmp

Filesize
700KB

Download
memory/1328-146-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/1328-130-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download
memory/1328-129-0x00000000070A0000-0x0000000007151000-memory.dmp

Filesize
708KB

Download
memory/1328-127-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/1328-83-0x000007FEBF210000-0x000007FEBF220000-memory.dmp

Filesize
64KB

Download
memory/1328-80-0x00000000070A0000-0x0000000007151000-memory.dmp

Filesize
708KB

Download
memory/1328-289-0x0000000009130000-0x0000000009134000-memory.dmp

Filesize
16KB

Download
memory/1328-79-0x00000000025D0000-0x00000000025D3000-memory.dmp

Filesize
12KB

Download
memory/1328-291-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/1328-77-0x00000000025D0000-0x00000000025D3000-memory.dmp

Filesize
12KB

Download