c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 08:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Size

5.3MB
MD5

54b7b7025ffab6172ba8a06426a4090d
SHA1

a67d18a749661ff91d8f7c34187171e6ecaf375e
SHA256

c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff
SHA512

89852d13503d272109dbe8053bdae3e87c57dda59e743778fa10b2a506892e4aa2f0cdada42228221216723e53489ba4b5915f86cc2312bf60d573eb9d98003e
SSDEEP

98304:diCh3EzxvNmwEpczAqX/zEjy7eFaddXNJz:diCuBzNX/ziyM6fJz

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000016cac-82.dat	acprotect
behavioral1/files/0x000b000000016cac-83.dat	acprotect
behavioral1/files/0x000b000000016cac-85.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
2632	regsvr32.exe
2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-33-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-32-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-34-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-35-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-37-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-39-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-41-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-43-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-45-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-49-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-53-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-55-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-57-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-59-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-61-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-63-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-65-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-67-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-69-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-71-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-73-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-75-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-77-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-79-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-81-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/files/0x000b000000016cac-82.dat	upx
behavioral1/files/0x000b000000016cac-83.dat	upx
behavioral1/memory/2632-84-0x0000000073000000-0x0000000074153000-memory.dmp	upx
behavioral1/files/0x000b000000016cac-85.dat	upx
behavioral1/memory/2200-86-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-87-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-94-0x0000000000A20000-0x0000000000A5E000-memory.dmp	upx
behavioral1/memory/2200-97-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-98-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-99-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-100-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-123-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-125-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx
behavioral1/memory/2200-126-0x0000000071EA0000-0x0000000072FF3000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\lw.dll	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ts.TsSoft\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3\CLSID\ = "{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3\CurVer\ = "lw.lwsoft3.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\VersionIndependentProgID\ = "lw.lwsoft3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}\TypeLib	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ts.TsSoft\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BCE4A484-C3BC-418B-B1F6-69D6987C126B}\ = "TSPlugInterFace Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BCE4A484-C3BC-418B-B1F6-69D6987C126B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSPlug.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\ = "lwcom"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{319E1714-1900-4d95-8900-E95B65A9FDBD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3.1\CLSID\ = "{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{71175991-9B59-42EA-B712-9ADF3319AC18}\1.0\ = "lwcom"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{71175991-9B59-42EA-B712-9ADF3319AC18}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}\TypeLib\ = "{71175991-9B59-42EA-B712-9ADF3319AC18}"	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}\TypeLib\Version = "1.0"	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{900527EB-7D74-41DE-9E3E-80E4B267E0F2}\ = "TSPlug"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TSPlug.DLL\AppID = "{900527EB-7D74-41DE-9E3E-80E4B267E0F2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ts.TsSoft\ = "TSPlugInterFace Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\InprocServer32\ = "C:\\Windows\\lw.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\TypeLib\ = "{71175991-9B59-42EA-B712-9ADF3319AC18}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\TypeLib\ = "{525CF7E5-DB36-491F-A91C-2DB86E67126D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ts.TsSoft\CLSID\ = "{BCE4A484-C3BC-418B-B1F6-69D6987C126B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BCE4A484-C3BC-418B-B1F6-69D6987C126B}\ProgID\ = "Ts.TsSoft"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\ = "ITSPlugInterFace"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{900527EB-7D74-41DE-9E3E-80E4B267E0F2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BCE4A484-C3BC-418B-B1F6-69D6987C126B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{525CF7E5-DB36-491F-A91C-2DB86E67126D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\TypeLib\ = "{525CF7E5-DB36-491F-A91C-2DB86E67126D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{71175991-9B59-42EA-B712-9ADF3319AC18}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{71175991-9B59-42EA-B712-9ADF3319AC18}\1.0\HELPDIR\ = "C:\\Windows"	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TSPlug.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\ = "ITSPlugInterFace"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{319E1714-1900-4d95-8900-E95B65A9FDBD}\TypeLib\version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{71175991-9B59-42EA-B712-9ADF3319AC18}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}\ = "Ilwsoft"	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{525CF7E5-DB36-491F-A91C-2DB86E67126D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{525CF7E5-DB36-491F-A91C-2DB86E67126D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{71175991-9B59-42EA-B712-9ADF3319AC18}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{525CF7E5-DB36-491F-A91C-2DB86E67126D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\ProgID\ = "lw.lwsoft3.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6C2EA3D-2A5A-4B63-AFDB-5E24BD1D39A0}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ts.TsSoft\CurVer\ = "Ts.TsSoft"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{525CF7E5-DB36-491F-A91C-2DB86E67126D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3E95C10-606A-474E-BB4A-B9CCBF7DB559}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3.1\ = "lwcom"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lw.lwsoft3.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}\TypeLib\Version = "1.0"	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BCE4A484-C3BC-418B-B1F6-69D6987C126B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{525CF7E5-DB36-491F-A91C-2DB86E67126D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59AA95D1-09D6-4891-89D0-9567D6A63196}\TypeLib	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	regsvr32.exe
Token: 1	1652	regsvr32.exe
Token: SeCreateTokenPrivilege	1652	regsvr32.exe
Token: SeAssignPrimaryTokenPrivilege	1652	regsvr32.exe
Token: SeLockMemoryPrivilege	1652	regsvr32.exe
Token: SeIncreaseQuotaPrivilege	1652	regsvr32.exe
Token: SeMachineAccountPrivilege	1652	regsvr32.exe
Token: SeTcbPrivilege	1652	regsvr32.exe
Token: SeSecurityPrivilege	1652	regsvr32.exe
Token: SeTakeOwnershipPrivilege	1652	regsvr32.exe
Token: SeLoadDriverPrivilege	1652	regsvr32.exe
Token: SeSystemProfilePrivilege	1652	regsvr32.exe
Token: SeSystemtimePrivilege	1652	regsvr32.exe
Token: SeProfSingleProcessPrivilege	1652	regsvr32.exe
Token: SeIncBasePriorityPrivilege	1652	regsvr32.exe
Token: SeCreatePagefilePrivilege	1652	regsvr32.exe
Token: SeCreatePermanentPrivilege	1652	regsvr32.exe
Token: SeBackupPrivilege	1652	regsvr32.exe
Token: SeRestorePrivilege	1652	regsvr32.exe
Token: SeShutdownPrivilege	1652	regsvr32.exe
Token: SeDebugPrivilege	1652	regsvr32.exe
Token: SeAuditPrivilege	1652	regsvr32.exe
Token: SeSystemEnvironmentPrivilege	1652	regsvr32.exe
Token: SeChangeNotifyPrivilege	1652	regsvr32.exe
Token: SeRemoteShutdownPrivilege	1652	regsvr32.exe
Token: SeUndockPrivilege	1652	regsvr32.exe
Token: SeSyncAgentPrivilege	1652	regsvr32.exe
Token: SeEnableDelegationPrivilege	1652	regsvr32.exe
Token: SeManageVolumePrivilege	1652	regsvr32.exe
Token: SeImpersonatePrivilege	1652	regsvr32.exe
Token: SeCreateGlobalPrivilege	1652	regsvr32.exe
Token: 31	1652	regsvr32.exe
Token: 32	1652	regsvr32.exe
Token: 33	1652	regsvr32.exe
Token: 34	1652	regsvr32.exe
Token: 35	1652	regsvr32.exe
Token: 36	1652	regsvr32.exe
Token: 37	1652	regsvr32.exe
Token: 38	1652	regsvr32.exe
Token: 39	1652	regsvr32.exe
Token: 40	1652	regsvr32.exe
Token: 41	1652	regsvr32.exe
Token: 42	1652	regsvr32.exe
Token: 43	1652	regsvr32.exe
Token: 44	1652	regsvr32.exe
Token: 45	1652	regsvr32.exe
Token: 46	1652	regsvr32.exe
Token: 47	1652	regsvr32.exe
Token: 48	1652	regsvr32.exe
Token: SeDebugPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: 1	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeCreateTokenPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeAssignPrimaryTokenPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeLockMemoryPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeIncreaseQuotaPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeMachineAccountPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeTcbPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeSecurityPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeTakeOwnershipPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeLoadDriverPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeSystemProfilePrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeSystemtimePrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeProfSingleProcessPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Token: SeIncBasePriorityPrivilege	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1652	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	28
PID 2200 wrote to memory of 1652	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	28
PID 2200 wrote to memory of 1652	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	28
PID 2200 wrote to memory of 1652	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	28
PID 2200 wrote to memory of 1652	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	28
PID 2200 wrote to memory of 1652	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	28
PID 2200 wrote to memory of 1652	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	28
PID 2200 wrote to memory of 2632	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	31
PID 2200 wrote to memory of 2632	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	31
PID 2200 wrote to memory of 2632	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	31
PID 2200 wrote to memory of 2632	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	31
PID 2200 wrote to memory of 2632	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	31
PID 2200 wrote to memory of 2632	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	31
PID 2200 wrote to memory of 2632	2200	c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe	31

C:\Users\Admin\AppData\Local\Temp\c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
"C:\Users\Admin\AppData\Local\Temp\c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s lw.dll
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Users\Admin\AppData\Local\Temp\TSPlug.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TSPlug.dll

Filesize
722KB

MD5
8fb19475092ed167946d946cd9f95b96

SHA1
1fe7a9447854ba2e0e6cef72dfb033a300393926

SHA256
2cd87c25f6f75313821158e777f0e272a7a0da8b2f530ea69f258831689bc037

SHA512
c49a92d2daaadecd441276f4ad6b36912a2546108a548d82cc053b50b1acaaf1437ee98b5004135756792af4c993910252de763a2fab658815b226a533366db8

Download Submit
C:\Windows\lw.dll

Filesize
2.5MB

MD5
554acd7a8b4d60ace2f647e6a358ddf0

SHA1
9198b2911e0669785617d45b513fc87824ba468f

SHA256
6ac5a03985a9305a5660c5823e221e40736427851ce9d99c57fb346a00d44322

SHA512
a897064ffdabb027aac18088f418f859a54f6b892656708f1ae1a4353040d3cfe3e840586c77d1f4b9b115958b39d16dbd0e49b351acf631768e754275120d64

Download Submit
\Users\Admin\AppData\Local\Temp\TSPlug.dll

Filesize
722KB

MD5
8fb19475092ed167946d946cd9f95b96

SHA1
1fe7a9447854ba2e0e6cef72dfb033a300393926

SHA256
2cd87c25f6f75313821158e777f0e272a7a0da8b2f530ea69f258831689bc037

SHA512
c49a92d2daaadecd441276f4ad6b36912a2546108a548d82cc053b50b1acaaf1437ee98b5004135756792af4c993910252de763a2fab658815b226a533366db8

Download Submit
\Users\Admin\AppData\Local\Temp\TSPlug.dll

Filesize
722KB

MD5
8fb19475092ed167946d946cd9f95b96

SHA1
1fe7a9447854ba2e0e6cef72dfb033a300393926

SHA256
2cd87c25f6f75313821158e777f0e272a7a0da8b2f530ea69f258831689bc037

SHA512
c49a92d2daaadecd441276f4ad6b36912a2546108a548d82cc053b50b1acaaf1437ee98b5004135756792af4c993910252de763a2fab658815b226a533366db8

Download Submit
memory/1652-6-0x0000000000220000-0x000000000025C000-memory.dmp

Filesize
240KB

Download
memory/1652-14-0x0000000001FB0000-0x00000000020B1000-memory.dmp

Filesize
1.0MB

Download
memory/2200-57-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-67-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-30-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

Filesize
1024KB

Download
memory/2200-31-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

Filesize
1024KB

Download
memory/2200-33-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-32-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-34-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-35-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-37-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-39-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-41-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-43-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-45-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-47-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/2200-49-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-51-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

Filesize
1024KB

Download
memory/2200-53-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-55-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-29-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

Filesize
1024KB

Download
memory/2200-59-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-61-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-63-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-65-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-28-0x0000000010000000-0x0000000010294000-memory.dmp

Filesize
2.6MB

Download
memory/2200-69-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-71-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-73-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-75-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-77-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-79-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-81-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-27-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

Filesize
1024KB

Download
memory/2200-25-0x0000000002F00000-0x0000000003001000-memory.dmp

Filesize
1.0MB

Download
memory/2200-126-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-18-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/2200-86-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-87-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-94-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/2200-97-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-98-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-99-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-100-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-123-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2200-125-0x0000000071EA0000-0x0000000072FF3000-memory.dmp

Filesize
17.3MB

Download
memory/2632-84-0x0000000073000000-0x0000000074153000-memory.dmp

Filesize
17.3MB

Download