2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584

Analysis

max time kernel
151s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe
Size

1.1MB
MD5

d5fc28331a65ffe0aa7aa890bef964ab
SHA1

e78035e69dfd105195d3e0cce2ded119b75e3661
SHA256

2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584
SHA512

27ae56969317d5bd09a873cb07731684109a73d09d755cafc8b0d915245c057fe94730acd1066983547738eca0ee82dd3f583fdfcf592fb26d26646bf7cadcb4
SSDEEP

6144:dl51orRJXlDixHkUXe34cEOkCybEaQRXr9HNdvOa51BgVWWStmyyye/:bqXUHkUXe3GOkx2LIazBg0tmyyyI

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3204 created 608	3204	Explorer.EXE	5

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\OFnWOu.sys	pcalua.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe

Executes dropped EXE 2 IoCs

pid	Process
1556	4df8a253
4116	pcalua.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3008-0-0x0000000000270000-0x00000000002F9000-memory.dmp	upx
behavioral2/files/0x000700000002308b-2.dat	upx
behavioral2/memory/1556-3-0x0000000000E10000-0x0000000000E99000-memory.dmp	upx
behavioral2/files/0x000700000002308b-4.dat	upx
behavioral2/memory/3008-8-0x0000000000270000-0x00000000002F9000-memory.dmp	upx
behavioral2/memory/1556-14-0x0000000000E10000-0x0000000000E99000-memory.dmp	upx
behavioral2/memory/1556-16-0x0000000000E10000-0x0000000000E99000-memory.dmp	upx
behavioral2/memory/3008-39-0x0000000000270000-0x00000000002F9000-memory.dmp	upx
behavioral2/memory/1556-70-0x0000000000E10000-0x0000000000E99000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	pcalua.exe
File created	C:\Windows\system32\ \Windows\System32\7K55zDsRP.sys	pcalua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	pcalua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	4df8a253
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	pcalua.exe
File created	C:\Windows\SysWOW64\4df8a253	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	pcalua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	pcalua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	pcalua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	4df8a253
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	pcalua.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	4df8a253
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	4df8a253
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	4df8a253
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	4df8a253
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	pcalua.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	pcalua.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\pcalua.exe	Explorer.EXE
File opened for modification	C:\Program Files\Common Files\pcalua.exe	Explorer.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1aa3a8	4df8a253
File created	C:\Windows\YrlBWp3S.sys	pcalua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	pcalua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	pcalua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	pcalua.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3612	timeout.exe
3652	timeout.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	4df8a253
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	4df8a253
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	4df8a253
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	4df8a253
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	4df8a253
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	pcalua.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pcalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	pcalua.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	pcalua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	4df8a253
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	4df8a253
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	pcalua.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	pcalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	pcalua.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	pcalua.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	4df8a253
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	4df8a253
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	pcalua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1556	4df8a253
1556	4df8a253
1556	4df8a253
1556	4df8a253
1556	4df8a253
1556	4df8a253
1556	4df8a253
1556	4df8a253
1556	4df8a253
1556	4df8a253
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
3204	Explorer.EXE
1556	4df8a253
1556	4df8a253
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe
4116	pcalua.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3204	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe
Token: SeTcbPrivilege	3008	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe
Token: SeDebugPrivilege	1556	4df8a253
Token: SeTcbPrivilege	1556	4df8a253
Token: SeDebugPrivilege	1556	4df8a253
Token: SeDebugPrivilege	3204	Explorer.EXE
Token: SeDebugPrivilege	3204	Explorer.EXE
Token: SeIncBasePriorityPrivilege	3008	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe
Token: SeDebugPrivilege	1556	4df8a253
Token: SeDebugPrivilege	4116	pcalua.exe
Token: SeDebugPrivilege	4116	pcalua.exe
Token: SeDebugPrivilege	4116	pcalua.exe
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1556	4df8a253
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE
Token: SeShutdownPrivilege	3204	Explorer.EXE
Token: SeCreatePagefilePrivilege	3204	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3204	Explorer.EXE
3204	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3204	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3204	1556	4df8a253	46
PID 1556 wrote to memory of 3204	1556	4df8a253	46
PID 1556 wrote to memory of 3204	1556	4df8a253	46
PID 1556 wrote to memory of 3204	1556	4df8a253	46
PID 1556 wrote to memory of 3204	1556	4df8a253	46
PID 3204 wrote to memory of 4116	3204	Explorer.EXE	89
PID 3204 wrote to memory of 4116	3204	Explorer.EXE	89
PID 3204 wrote to memory of 4116	3204	Explorer.EXE	89
PID 3204 wrote to memory of 4116	3204	Explorer.EXE	89
PID 3204 wrote to memory of 4116	3204	Explorer.EXE	89
PID 3204 wrote to memory of 4116	3204	Explorer.EXE	89
PID 3204 wrote to memory of 4116	3204	Explorer.EXE	89
PID 1556 wrote to memory of 608	1556	4df8a253	5
PID 1556 wrote to memory of 608	1556	4df8a253	5
PID 1556 wrote to memory of 608	1556	4df8a253	5
PID 1556 wrote to memory of 608	1556	4df8a253	5
PID 1556 wrote to memory of 608	1556	4df8a253	5
PID 3008 wrote to memory of 4388	3008	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe	93
PID 3008 wrote to memory of 4388	3008	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe	93
PID 3008 wrote to memory of 4388	3008	2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe	93
PID 4388 wrote to memory of 3652	4388	cmd.exe	96
PID 4388 wrote to memory of 3652	4388	cmd.exe	96
PID 4388 wrote to memory of 3652	4388	cmd.exe	96
PID 1556 wrote to memory of 3340	1556	4df8a253	98
PID 1556 wrote to memory of 3340	1556	4df8a253	98
PID 1556 wrote to memory of 3340	1556	4df8a253	98
PID 3340 wrote to memory of 3612	3340	cmd.exe	100
PID 3340 wrote to memory of 3612	3340	cmd.exe	100
PID 3340 wrote to memory of 3612	3340	cmd.exe	100

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Program Files\Common Files\pcalua.exe
  "C:\Program Files\Common Files\pcalua.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe
  "C:\Users\Admin\AppData\Local\Temp\2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2e07e1dde020eee00a69fbb959fc5620a3e08c63f48b74d9270b4aa4a5f93584.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3652

C:\Windows\Syswow64\4df8a253
C:\Windows\Syswow64\4df8a253
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\4df8a253"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\pcalua.exe

Filesize
52KB

MD5
5f7cde105e9679ff88b3b6a3dcd129db

SHA1
b9193c196201b9411bb917122f93e19238caa1bb

SHA256
1d528a686a583162794349114f945a8bd2b17321f6fa62288cd1ce3ec48d2447

SHA512
66a606a5d2ce3e19f06c0fe5b842d9c51ac1e9b02c49655c3cb5280dc27e192cd256f4f40ba4fc5dead026524626f1242acf79c434e74a2f54e5770ffd0b9ffe

Download Submit
C:\Program Files\Common Files\pcalua.exe

Filesize
52KB

MD5
5f7cde105e9679ff88b3b6a3dcd129db

SHA1
b9193c196201b9411bb917122f93e19238caa1bb

SHA256
1d528a686a583162794349114f945a8bd2b17321f6fa62288cd1ce3ec48d2447

SHA512
66a606a5d2ce3e19f06c0fe5b842d9c51ac1e9b02c49655c3cb5280dc27e192cd256f4f40ba4fc5dead026524626f1242acf79c434e74a2f54e5770ffd0b9ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\835a42b1.tmp

Filesize
11.6MB

MD5
5244c87dbafa1f764b258766005dea73

SHA1
84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

SHA256
077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

SHA512
54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

Download Submit
C:\Windows\SysWOW64\4df8a253

Filesize
1.1MB

MD5
05caec7786401f365cd4d49905ee89f9

SHA1
4bcdc88a39d697ae0ef204123f09566f9ab6f860

SHA256
bfd7fab58ad84d366775a519fc26b17ca00bcc79542066d837c4ed837a625f20

SHA512
af812fa23feb1b049b96f44563b97b3067248785d4c02717500b1e684fb82b7aa6c5bf690111f8eb684d3912992e577c6aea6a3089745507f5c034a14ad8c5f8

Download Submit
C:\Windows\SysWOW64\4df8a253

Filesize
1.1MB

MD5
05caec7786401f365cd4d49905ee89f9

SHA1
4bcdc88a39d697ae0ef204123f09566f9ab6f860

SHA256
bfd7fab58ad84d366775a519fc26b17ca00bcc79542066d837c4ed837a625f20

SHA512
af812fa23feb1b049b96f44563b97b3067248785d4c02717500b1e684fb82b7aa6c5bf690111f8eb684d3912992e577c6aea6a3089745507f5c034a14ad8c5f8

Download Submit
memory/608-79-0x000002E9EE600000-0x000002E9EE601000-memory.dmp

Filesize
4KB

Download
memory/608-29-0x000002E9EE5B0000-0x000002E9EE5B3000-memory.dmp

Filesize
12KB

Download
memory/608-32-0x000002E9EE600000-0x000002E9EE601000-memory.dmp

Filesize
4KB

Download
memory/608-73-0x000002E9EE5C0000-0x000002E9EE5E8000-memory.dmp

Filesize
160KB

Download
memory/608-31-0x000002E9EE5C0000-0x000002E9EE5E8000-memory.dmp

Filesize
160KB

Download
memory/1556-16-0x0000000000E10000-0x0000000000E99000-memory.dmp

Filesize
548KB

Download
memory/1556-14-0x0000000000E10000-0x0000000000E99000-memory.dmp

Filesize
548KB

Download
memory/1556-70-0x0000000000E10000-0x0000000000E99000-memory.dmp

Filesize
548KB

Download
memory/1556-3-0x0000000000E10000-0x0000000000E99000-memory.dmp

Filesize
548KB

Download
memory/3008-0-0x0000000000270000-0x00000000002F9000-memory.dmp

Filesize
548KB

Download
memory/3008-39-0x0000000000270000-0x00000000002F9000-memory.dmp

Filesize
548KB

Download
memory/3008-8-0x0000000000270000-0x00000000002F9000-memory.dmp

Filesize
548KB

Download
memory/3204-102-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-158-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3204-212-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-47-0x0000000008E00000-0x0000000008E01000-memory.dmp

Filesize
4KB

Download
memory/3204-48-0x00000000093E0000-0x00000000094D9000-memory.dmp

Filesize
996KB

Download
memory/3204-210-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-208-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-206-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-195-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-192-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-72-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-185-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-76-0x0000000008DD0000-0x0000000008DE0000-memory.dmp

Filesize
64KB

Download
memory/3204-75-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-74-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-77-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-18-0x00000000093E0000-0x00000000094D9000-memory.dmp

Filesize
996KB

Download
memory/3204-78-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-80-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-81-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-83-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-85-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-86-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-183-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-88-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-89-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-90-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-92-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-94-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-95-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-96-0x0000000008DD0000-0x0000000008DE0000-memory.dmp

Filesize
64KB

Download
memory/3204-97-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-99-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-101-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-105-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-103-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-104-0x0000000008E00000-0x0000000008E10000-memory.dmp

Filesize
64KB

Download
memory/3204-17-0x0000000008E00000-0x0000000008E01000-memory.dmp

Filesize
4KB

Download
memory/3204-100-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-98-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-106-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-181-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-178-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-175-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-174-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-169-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3204-112-0x0000000008E00000-0x0000000008E10000-memory.dmp

Filesize
64KB

Download
memory/3204-170-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-168-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-167-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-165-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3204-166-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-164-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-15-0x00000000036E0000-0x00000000036E3000-memory.dmp

Filesize
12KB

Download
memory/3204-163-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-12-0x00000000036E0000-0x00000000036E3000-memory.dmp

Filesize
12KB

Download
memory/3204-144-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-145-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3204-143-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-142-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-147-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-146-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-149-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-153-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-154-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-151-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-148-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-155-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3204-156-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-157-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-161-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-159-0x0000000008DC0000-0x0000000008DD0000-memory.dmp

Filesize
64KB

Download
memory/4116-109-0x00000249B4AF0000-0x00000249B4AF1000-memory.dmp

Filesize
4KB

Download
memory/4116-108-0x00000249B4AE0000-0x00000249B4AE1000-memory.dmp

Filesize
4KB

Download
memory/4116-118-0x00000249B4AF0000-0x00000249B4AF1000-memory.dmp

Filesize
4KB

Download
memory/4116-117-0x00000249B53C0000-0x00000249B53C1000-memory.dmp

Filesize
4KB

Download
memory/4116-116-0x00000249B53C0000-0x00000249B53C1000-memory.dmp

Filesize
4KB

Download
memory/4116-115-0x00000249B4AE0000-0x00000249B4AE1000-memory.dmp

Filesize
4KB

Download
memory/4116-114-0x00000249B52A0000-0x00000249B52A2000-memory.dmp

Filesize
8KB

Download
memory/4116-113-0x00000249B5470000-0x00000249B5635000-memory.dmp

Filesize
1.8MB

Download
memory/4116-111-0x00000249B4AE0000-0x00000249B4AE1000-memory.dmp

Filesize
4KB

Download
memory/4116-110-0x00000249B4AE0000-0x00000249B4AE1000-memory.dmp

Filesize
4KB

Download
memory/4116-120-0x00000249B5470000-0x00000249B5635000-memory.dmp

Filesize
1.8MB

Download
memory/4116-107-0x00000249B4AE0000-0x00000249B4AE1000-memory.dmp

Filesize
4KB

Download
memory/4116-27-0x00000249B2A70000-0x00000249B2A80000-memory.dmp

Filesize
64KB

Download
memory/4116-87-0x00000249B4AD0000-0x00000249B4AD1000-memory.dmp

Filesize
4KB

Download
memory/4116-25-0x00000249B4370000-0x00000249B443B000-memory.dmp

Filesize
812KB

Download
memory/4116-71-0x00000249B2A70000-0x00000249B2A80000-memory.dmp

Filesize
64KB

Download
memory/4116-23-0x00000249B4370000-0x00000249B443B000-memory.dmp

Filesize
812KB

Download
memory/4116-66-0x00000249B4AD0000-0x00000249B4AD1000-memory.dmp

Filesize
4KB

Download
memory/4116-65-0x00000249B4370000-0x00000249B443B000-memory.dmp

Filesize
812KB

Download
memory/4116-64-0x00007FFCE1570000-0x00007FFCE1580000-memory.dmp

Filesize
64KB

Download
memory/4116-26-0x00007FFCE1570000-0x00007FFCE1580000-memory.dmp

Filesize
64KB

Download