ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05/10/2023, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Size

274KB
MD5

39bd4507e22dd521757969971a05a33b
SHA1

1183e86495850692d5f012eb0181e9fc0acf2eae
SHA256

ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a
SHA512

b926ee636e3f85d170fec75549faf615f6218e4d2c3e87e38faa5707a020ee69b821a2557d88860d5f9604c9580d0cb4d155a5e986795a9488960244be5b5996
SSDEEP

6144:bbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:bPcrfR6ZnOkx2LIa

Score

8^/10

upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\OiRuo3s.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\3IVhvhMDvvFzS.szo	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\yrukKJcdL4.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\mmqSK02Wwz4eNX.rzf	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\EW1sVudYpQR.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\g66sotDwnId.wlm	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\GBQJMwkZwb.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\PHAdO4udNiDg.ukk	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\kS1oSlU7JvX.sys	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2388	cmd.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-0-0x0000000000040000-0x00000000000CC000-memory.dmp	upx
behavioral1/memory/1704-65-0x0000000000040000-0x00000000000CC000-memory.dmp	upx
behavioral1/memory/1704-71-0x0000000000040000-0x00000000000CC000-memory.dmp	upx
behavioral1/memory/1704-176-0x0000000000040000-0x00000000000CC000-memory.dmp	upx
behavioral1/memory/1704-612-0x0000000000040000-0x00000000000CC000-memory.dmp	upx
behavioral1/memory/1704-642-0x0000000000040000-0x00000000000CC000-memory.dmp	upx
behavioral1/memory/1204-654-0x0000000000900000-0x0000000000928000-memory.dmp	upx

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000a000000016d5d-672.dat	vmprotect
behavioral1/files/0x0018000000016d5d-700.dat	vmprotect
behavioral1/files/0x0026000000016d5d-728.dat	vmprotect
behavioral1/files/0x0034000000016d5d-756.dat	vmprotect

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\ARS7jg5.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\8xvf6wCl8bMj2.ror	Explorer.EXE
File opened for modification	C:\Windows\system32\y0UL5D04kU.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\V6dJOKC4lZXJ.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\D28Ds7E5CP7.ueg	Explorer.EXE
File opened for modification	C:\Windows\system32\8gKGV2lfjL.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\2af5d3Sdpk.vop	Explorer.EXE
File opened for modification	C:\Windows\system32\8tECLJ363Cm6gh.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\wYu1qo2Atd.rad	Explorer.EXE

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\l8wMosykhhV.sfo	Explorer.EXE
File opened for modification	C:\Program Files\yWj2Mzq8hdoU5p.sys	Explorer.EXE
File opened for modification	C:\Program Files\ZhbqkVnAMTTNH.ogq	Explorer.EXE
File opened for modification	C:\Program Files (x86)\OYQS9fFBXOo.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\LwSb269qSa6J.luh	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\3ddf8e6c.js	Explorer.EXE
File opened for modification	C:\Program Files\7-Zip\manifest.json	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\5ccf5e6c.js	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\lib\6c47437e.js	Dwm.exe
File opened for modification	C:\Program Files (x86)\l845N54s0lc.hnp	Explorer.EXE
File opened for modification	C:\Program Files (x86)\vrG2NS5xyp9o.sys	Explorer.EXE
File opened for modification	C:\Program Files\Scq2zuzTL182.sys	Explorer.EXE
File opened for modification	C:\Program Files\SKZn9G44hFS1.vvf	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\4d577207.html	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\lib\6c47393d.js	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\oFwTFRowFh4sVB.sys	Explorer.EXE
File opened for modification	C:\Program Files\PQHll7EcwgXFv.goo	Explorer.EXE
File opened for modification	C:\Program Files (x86)\sQIMP78LRVqS.sys	Explorer.EXE
File opened for modification	C:\Program Files\edBpCuOrlfd5Z.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\oObQJzdZFP.qls	Explorer.EXE
File opened for modification	C:\Program Files (x86)\LQz0HYVYIbRCA.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\wro3GeT7zWQSoR.nzr	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\5ccf55a2.js	Explorer.EXE
File opened for modification	C:\Program Files\7-Zip\3ddf9448.js	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\4d57795a.html	Dwm.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\QvQvwKJIvgpSO.sys	Explorer.EXE
File opened for modification	C:\Windows\1lZQxyMKG7JshJ.mvd	Explorer.EXE
File opened for modification	C:\Windows\UxdYf80KhZ5O53.sys	Explorer.EXE
File opened for modification	C:\Windows\err_1704.log	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
File created	C:\Windows\8IQujk.sys	Explorer.EXE
File opened for modification	C:\Windows\PtEd4JbnJ1n.gxm	Explorer.EXE
File opened for modification	C:\Windows\zVBeWu7raVs4.sys	Explorer.EXE
File opened for modification	C:\Windows\EXpWQE21N5hpP.jab	Explorer.EXE
File opened for modification	C:\Windows\vX0h9daHJyat68.sys	Explorer.EXE
File opened for modification	C:\Windows\zk3HM3PvW73.sat	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2196	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Token: SeTcbPrivilege	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Token: SeDebugPrivilege	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Token: SeDebugPrivilege	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeBackupPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1204	Explorer.EXE
Token: SeDebugPrivilege	1176	Dwm.exe
Token: SeBackupPrivilege	1176	Dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1204	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	17
PID 1704 wrote to memory of 1204	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	17
PID 1704 wrote to memory of 1204	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	17
PID 1704 wrote to memory of 1204	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	17
PID 1704 wrote to memory of 1204	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	17
PID 1704 wrote to memory of 424	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	3
PID 1704 wrote to memory of 424	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	3
PID 1704 wrote to memory of 424	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	3
PID 1704 wrote to memory of 424	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	3
PID 1704 wrote to memory of 424	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	3
PID 1704 wrote to memory of 2388	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	32
PID 1704 wrote to memory of 2388	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	32
PID 1704 wrote to memory of 2388	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	32
PID 1704 wrote to memory of 2388	1704	ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe	32
PID 2388 wrote to memory of 2196	2388	cmd.exe	34
PID 2388 wrote to memory of 2196	2388	cmd.exe	34
PID 2388 wrote to memory of 2196	2388	cmd.exe	34
PID 2388 wrote to memory of 2196	2388	cmd.exe	34
PID 1204 wrote to memory of 1176	1204	Explorer.EXE	11
PID 1204 wrote to memory of 1176	1204	Explorer.EXE	11
PID 1204 wrote to memory of 1176	1204	Explorer.EXE	11
PID 1204 wrote to memory of 1176	1204	Explorer.EXE	11
PID 1204 wrote to memory of 1176	1204	Explorer.EXE	11
PID 1204 wrote to memory of 1176	1204	Explorer.EXE	11

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe
  "C:\Users\Admin\AppData\Local\Temp\ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe"
  2⤵
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\ed474e7b1ad893ca2698eb2644e8d4184a4e429b98eeff59d04f1950f502f85a.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
2KB

MD5
20a6c9ee4e457267adf58889fb1dd617

SHA1
6cb2beebd527ed5f77a13228f93eec7af88b822e

SHA256
45be093d2a1d3beb6db08a3e71cfba063736edd92a18302cf5f6fefc13bfab3b

SHA512
d4ff64a5b7af4119c739e605a1dc7710175090ae8363b2e73976bea8555e07e63380255a534b3389e61a3e7e6a1cc67b969e2f912d6978e45d39243455114e28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
2a61a3d0f5beb7727441b0e010c30d7d

SHA1
2dc8b67f13196d3a658d79c9c575bf0a0b75da15

SHA256
8f97e861acd3950fde5361476dd989039edff251a00b7de4df84cbacfa629a0d

SHA512
d29a461cd7c4746015684c9213a72748d5440191b4b9f07209723e0b8e2b59f11cafe4b87acd123d2987ed1990d3204402f69b7f78f8607782c441efb307a12a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
599B

MD5
1cf46555b125f8cc867f47959d154a8f

SHA1
bb50ee9a070c5aa2c6eb8787d3cc2493f898a67e

SHA256
6229116ce9e3c490303c8c3e136280af7f790b1f89a3e908587e4152783c5b73

SHA512
cfdaa0fa8a2cf07483c07a4f9da5bf3b78a49bfc209505b674264ceafb7c08a78249dabd7114f366123b5a1fa227f8ddbabf4dfe903573bd4e539c5102f4f6ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
484B

MD5
966a384457c69ab845c7c38da502d2d7

SHA1
a1dabf3f75a84bd1fee6396393f27995f120fdaa

SHA256
a33699c91a485a476b6bec853814fb77188d178de7f40a991cbe7bb3f0713942

SHA512
6f7d7d8e6854e34aad116d06949e03e7b29a975b7a426873a204d8cb4eed1d4f301012b825dc5f6918ed011cb1f355ee663ae31d5d1e9013beb3c39aac16a5d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcb2c41f68200f489c6ee8f7ccbb8065

SHA1
34dbe7a5acfb7324118e8028e390d144d0ba9e2e

SHA256
88ea5c946f5da95b6d170aa61cf58d2db97b7781fd91bfc1640f107baba804fc

SHA512
27370dc098bd7ffebe2d294a8a2c84595cb5256c276dff4f59fb22641988d7726d85ffde15fe17406db750435de1d295254f0cae2d9974a24673132eb208f421

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd3461e08bbf508db09e2c2f141569f3

SHA1
869b80ffdc9886092a2fc60de8be8a8aa73f7db1

SHA256
56c64a3a1423ab359d9bd35a5d7441472e23dc63e1f456fa694e7ce4c3567093

SHA512
9a575301a78f95d54e4ac7c5d8dc2bf2264ec8e5b206ffae372eedf5e0bedfd71c78f5980e97aa1a0099be396919261e194f12604fbebc802175b137280b0cb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3c64e68c1d89f1bddd63c4a5ae60416b

SHA1
2b4e74de304eae9d4f43916468361aa78c3d4854

SHA256
3580a584a0ce6a1c860e06ee58d294a58627d87c80b641a6cf67961844ec3619

SHA512
5438452869779053e3796200595cb46d9962e5c4ae59e8b9c19d8b0b80fec83fb92f307196ae84f7689c704200d913478aae1550e136ffdff90a6f9a81657018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
2658588805d0d0fb188cd6eab60a512c

SHA1
3126e1dded133f62689b9824dcdb068a6f4420c7

SHA256
a2fbc1bc1074c7434d253828015776933069438156fb539378871667031855b3

SHA512
9c6822bf6efa436d4e248bd54f96c6df014c7c9f394529c8703577dcb8642a8b2e6f7079e76203214cc8f5d545eeb5564d365aade229c4b36d57696e46365c71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
504B

MD5
e858e5d8a272ba5a0d338ad8b8ed0d04

SHA1
6e420331c575328e1c23f254fb356503285225ab

SHA256
97d406b51507e36324517cd7f6deed0968e26eb4afca256471ca550d6029aaa2

SHA512
a445562f078ce8fae7940cd11f484286fcab5d02aba0bcf4b0e51fce97493441fbf0e2df3559f4a97155334ac9c2d907780596bd21cfc6c8cb9c82664ecd6810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab46C2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A1F.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\QvQvwKJIvgpSO.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\UxdYf80KhZ5O53.sys

Filesize
415KB

MD5
22e7b588ff654751bae0f093d8200feb

SHA1
e8980d787b2b7b8deeeffe40019fcf905121a535

SHA256
f7e4432bab66fdd4dbd7cc153400036d092055a4a986cd6582419290e34b5700

SHA512
0f90cd23c5411668fb32fa1bc7c9bcb2f0049efec63f437d6ec6a05ccea257e135f61ca262514c068acd1bb1e352b89f58c0dcd2e624c574598f376c4fb92ac5

Download Submit
C:\Windows\vX0h9daHJyat68.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\zVBeWu7raVs4.sys

Filesize
447KB

MD5
3f782ba70701902c1fa7363c7543c236

SHA1
673f7415784348b3e896bc4dbc9e18c69956d650

SHA256
1ae8d02d7a392324af01091e0707fb8a5bc4e7dfe5cc4f6e308aef3ccbfd62b3

SHA512
23f3e6a5b651c8cf566fc4d2de4c3f1a4f91ef6bcdc19fcc1b05eb9b0b880e7e51ce1dbddc89efb0523923390adecfce4c87494497b27bdf89905928215c72ee

Download Submit
memory/424-598-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/424-596-0x0000000000860000-0x0000000000863000-memory.dmp

Filesize
12KB

Download
memory/424-656-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/1176-812-0x0000000002050000-0x00000000020FF000-memory.dmp

Filesize
700KB

Download
memory/1176-808-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1176-805-0x0000000002050000-0x00000000020FF000-memory.dmp

Filesize
700KB

Download
memory/1176-803-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1176-802-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1176-801-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1176-797-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1176-789-0x0000000001FA0000-0x000000000204A000-memory.dmp

Filesize
680KB

Download
memory/1204-661-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-787-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-664-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-663-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/1204-594-0x0000000006970000-0x0000000006A21000-memory.dmp

Filesize
708KB

Download
memory/1204-660-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/1204-592-0x0000000002C10000-0x0000000002C13000-memory.dmp

Filesize
12KB

Download
memory/1204-593-0x000007FEBD810000-0x000007FEBD820000-memory.dmp

Filesize
64KB

Download
memory/1204-590-0x0000000006970000-0x0000000006A21000-memory.dmp

Filesize
708KB

Download
memory/1204-589-0x0000000002C10000-0x0000000002C13000-memory.dmp

Filesize
12KB

Download
memory/1204-587-0x0000000002C10000-0x0000000002C13000-memory.dmp

Filesize
12KB

Download
memory/1204-811-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-810-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-809-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-782-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-785-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-786-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-807-0x0000000004E70000-0x0000000004E74000-memory.dmp

Filesize
16KB

Download
memory/1204-790-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-791-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-659-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/1204-788-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-658-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/1204-657-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/1204-655-0x0000000006970000-0x0000000006A21000-memory.dmp

Filesize
708KB

Download
memory/1204-654-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/1204-804-0x0000000004D00000-0x0000000004DAF000-memory.dmp

Filesize
700KB

Download
memory/1204-652-0x00000000371A0000-0x00000000371B0000-memory.dmp

Filesize
64KB

Download
memory/1204-806-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/1704-612-0x0000000000040000-0x00000000000CC000-memory.dmp

Filesize
560KB

Download
memory/1704-642-0x0000000000040000-0x00000000000CC000-memory.dmp

Filesize
560KB

Download
memory/1704-65-0x0000000000040000-0x00000000000CC000-memory.dmp

Filesize
560KB

Download
memory/1704-71-0x0000000000040000-0x00000000000CC000-memory.dmp

Filesize
560KB

Download
memory/1704-176-0x0000000000040000-0x00000000000CC000-memory.dmp

Filesize
560KB

Download
memory/1704-0-0x0000000000040000-0x00000000000CC000-memory.dmp

Filesize
560KB

Download