d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762

Analysis

max time kernel
179s
max time network
198s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Size

536KB
MD5

46fd8fc7865ac89b6bfe276b104d87d6
SHA1

af73c435c1927659c6856e3c5fcf4a74ccd92a07
SHA256

d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762
SHA512

d28cf792001190166e7687fcdc3455941b6883f73da61524ee826107edd2531ef086a8021e47a4273170b49bedefd00b68af698da847bcc62d5fbbf5b2ffb121
SSDEEP

12288:8hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:8dQyDLzJTveuK0/Okx2LF

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1244 created 420	1244	Explorer.EXE	3

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Pcu81uMoY.sys	where.exe

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	where.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1684-0-0x00000000009A0000-0x0000000000AA2000-memory.dmp	upx
behavioral1/memory/1684-7-0x00000000009A0000-0x0000000000AA2000-memory.dmp	upx
behavioral1/memory/1684-82-0x00000000009A0000-0x0000000000AA2000-memory.dmp	upx
behavioral1/memory/2552-140-0x0000000000770000-0x0000000000798000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1BA79029EC3FFD076F5DAC2F70A18685	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	where.exe
File created	C:\Windows\system32\ \Windows\System32\41ol8xX.sys	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BA79029EC3FFD076F5DAC2F70A18685	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	where.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	where.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1cd4a8	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
File created	C:\Windows\Yk4soTSFG.sys	where.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2840	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C086FE60-DC2E-42BF-8C42-0FDD61C723A6}	where.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C086FE60-DC2E-42BF-8C42-0FDD61C723A6}\WpadNetworkName = "Network 2"	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	where.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	where.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C086FE60-DC2E-42BF-8C42-0FDD61C723A6}\WpadDecisionTime = 80607c99c3fbd901	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	where.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-17-be-3e-b2-ac\WpadDecisionTime = 80607c99c3fbd901	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	where.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-17-be-3e-b2-ac	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C086FE60-DC2E-42BF-8C42-0FDD61C723A6}\7a-17-be-3e-b2-ac	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	where.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-17-be-3e-b2-ac\WpadDecision = "0"	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	where.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	where.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C086FE60-DC2E-42BF-8C42-0FDD61C723A6}\WpadDecision = "0"	where.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	where.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C086FE60-DC2E-42BF-8C42-0FDD61C723A6}\WpadDecisionReason = "1"	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	where.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	where.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	where.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	where.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	where.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	where.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	where.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	where.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	where.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe
2552	where.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeTcbPrivilege	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeDebugPrivilege	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeTcbPrivilege	1244	Explorer.EXE
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeDebugPrivilege	2552	where.exe
Token: SeDebugPrivilege	2552	where.exe
Token: SeDebugPrivilege	2552	where.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1244	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	10
PID 1684 wrote to memory of 1244	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	10
PID 1684 wrote to memory of 1244	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	10
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2552	1244	Explorer.EXE	30
PID 1244 wrote to memory of 420	1244	Explorer.EXE	3
PID 1244 wrote to memory of 420	1244	Explorer.EXE	3
PID 1244 wrote to memory of 420	1244	Explorer.EXE	3
PID 1244 wrote to memory of 420	1244	Explorer.EXE	3
PID 1244 wrote to memory of 420	1244	Explorer.EXE	3
PID 1684 wrote to memory of 1388	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	33
PID 1684 wrote to memory of 1388	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	33
PID 1684 wrote to memory of 1388	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	33
PID 1684 wrote to memory of 1388	1684	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	33
PID 1388 wrote to memory of 2840	1388	cmd.exe	35
PID 1388 wrote to memory of 2840	1388	cmd.exe	35
PID 1388 wrote to memory of 2840	1388	cmd.exe	35
PID 1388 wrote to memory of 2840	1388	cmd.exe	35

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\where.exe
  "C:\where.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
  "C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFBC.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC23B.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1b2e9de.tmp

Filesize
11.6MB

MD5
5244c87dbafa1f764b258766005dea73

SHA1
84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

SHA256
077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

SHA512
54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

Download Submit
C:\where.exe

Filesize
42KB

MD5
8a03bc988d8f0b24f309574271a054bf

SHA1
2d63d9ce527da2a0aaa0b9fa77d71e3af9674a9a

SHA256
ae240f4f289ff89d5a9a659bfc856339268f9e52275cd46a6176616d553bddee

SHA512
1c4f9a6aead16dfda13bd121a4cf5b8f738b32375eb6c33070eb83f74ef552c78998f9a56de748d0fcea9e112fcbc8557f719952ea012287160ba42c68cd8436

Download Submit
memory/420-77-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/420-76-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/420-74-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/420-62-0x0000000000740000-0x0000000000761000-memory.dmp

Filesize
132KB

Download
memory/1244-39-0x00000000090B0000-0x00000000091A9000-memory.dmp

Filesize
996KB

Download
memory/1244-56-0x00000000090B0000-0x00000000091A9000-memory.dmp

Filesize
996KB

Download
memory/1244-38-0x00000000090B0000-0x00000000091A9000-memory.dmp

Filesize
996KB

Download
memory/1244-25-0x0000000008880000-0x0000000008974000-memory.dmp

Filesize
976KB

Download
memory/1244-40-0x0000000003FF0000-0x0000000004069000-memory.dmp

Filesize
484KB

Download
memory/1244-4-0x0000000003FF0000-0x0000000004069000-memory.dmp

Filesize
484KB

Download
memory/1244-33-0x0000000003DA0000-0x0000000003DA3000-memory.dmp

Filesize
12KB

Download
memory/1244-5-0x0000000002AC0000-0x0000000002AC3000-memory.dmp

Filesize
12KB

Download
memory/1244-36-0x0000000003DA0000-0x0000000003DA3000-memory.dmp

Filesize
12KB

Download
memory/1244-3-0x0000000002AC0000-0x0000000002AC3000-memory.dmp

Filesize
12KB

Download
memory/1244-27-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/1684-82-0x00000000009A0000-0x0000000000AA2000-memory.dmp

Filesize
1.0MB

Download
memory/1684-0-0x00000000009A0000-0x0000000000AA2000-memory.dmp

Filesize
1.0MB

Download
memory/1684-7-0x00000000009A0000-0x0000000000AA2000-memory.dmp

Filesize
1.0MB

Download
memory/2552-129-0x0000000037780000-0x0000000037790000-memory.dmp

Filesize
64KB

Download
memory/2552-138-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2552-81-0x00000000003F0000-0x00000000004BB000-memory.dmp

Filesize
812KB

Download
memory/2552-61-0x000007FEBEB10000-0x000007FEBEB20000-memory.dmp

Filesize
64KB

Download
memory/2552-60-0x00000000003F0000-0x00000000004BB000-memory.dmp

Filesize
812KB

Download
memory/2552-57-0x00000000003F0000-0x00000000004BB000-memory.dmp

Filesize
812KB

Download
memory/2552-131-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2552-135-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2552-134-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2552-136-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2552-137-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2552-78-0x00000000003F0000-0x00000000004BB000-memory.dmp

Filesize
812KB

Download
memory/2552-139-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2552-140-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2552-141-0x0000000004220000-0x00000000043E5000-memory.dmp

Filesize
1.8MB

Download
memory/2552-142-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2552-143-0x0000000004220000-0x00000000043E5000-memory.dmp

Filesize
1.8MB

Download
memory/2552-144-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2552-145-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2552-146-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2552-147-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/2552-148-0x0000000004220000-0x00000000043E5000-memory.dmp

Filesize
1.8MB

Download
memory/2552-43-0x0000000000140000-0x0000000000203000-memory.dmp

Filesize
780KB

Download