Analysis
max time kernel: 164s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 12/10/2023, 08:24

Static task: static1
Behavioral task: behavioral1
  Sample: c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
  Resource: win10v2004-20230915-en

General
Target: c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Size: 5.3MB
MD5: 54b7b7025ffab6172ba8a06426a4090d
SHA1: a67d18a749661ff91d8f7c34187171e6ecaf375e
SHA256: c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff
SHA512: 89852d13503d272109dbe8053bdae3e87c57dda59e743778fa10b2a506892e4aa2f0cdada42228221216723e53489ba4b5915f86cc2312bf60d573eb9d98003e
SSDEEP: 98304:diCh3EzxvNmwEpczAqX/zEjy7eFaddXNJz:diCuBzNX/ziyM6fJz

Malware Config

Signatures
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource                                     yara_rule
behavioral2/files/0x00060000000231ff-86.dat  acprotect
behavioral2/files/0x00060000000231ff-87.dat  acprotect
behavioral2/files/0x00060000000231ff-89.dat  acprotect
Loads dropped DLL 4 IoCs
pid   Process
2712  regsvr32.exe
5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
4076  regsvr32.exe
5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Drops file in Windows directory 1 IoCs
description   ioc                Process
File created  C:\Windows\lw.dll  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Modifies registry class 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                                                                procid_target
PID 5032 wrote to memory of 2712  5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe  86
PID 5032 wrote to memory of 2712  5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe  86
PID 5032 wrote to memory of 2712  5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe  86
PID 5032 wrote to memory of 4076  5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe  87
PID 5032 wrote to memory of 4076  5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe  87
PID 5032 wrote to memory of 4076  5032  c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe  87
Processes
C:\Users\Admin\AppData\Local\Temp\c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c4756983ad677783a25b3d00d80d61eb81e2e2a4a99ff0d5a59118205ca0b2ff.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5032
    C:\Windows\SysWOW64\regsvr32.exe
      command line: regsvr32 /s lw.dll
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      PID: 2712
    C:\Windows\SysWOW64\regsvr32.exe
      command line: regsvr32 C:\Users\Admin\AppData\Local\Temp\TSPlug.dll /s
      - Loads dropped DLL
      - Modifies registry class
      PID: 4076
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 722KB
MD5: 8fb19475092ed167946d946cd9f95b96
SHA1: 1fe7a9447854ba2e0e6cef72dfb033a300393926
SHA256: 2cd87c25f6f75313821158e777f0e272a7a0da8b2f530ea69f258831689bc037
SHA512: c49a92d2daaadecd441276f4ad6b36912a2546108a548d82cc053b50b1acaaf1437ee98b5004135756792af4c993910252de763a2fab658815b226a533366db8
Filesize: 2.5MB
MD5: 554acd7a8b4d60ace2f647e6a358ddf0
SHA1: 9198b2911e0669785617d45b513fc87824ba468f
SHA256: 6ac5a03985a9305a5660c5823e221e40736427851ce9d99c57fb346a00d44322
SHA512: a897064ffdabb027aac18088f418f859a54f6b892656708f1ae1a4353040d3cfe3e840586c77d1f4b9b115958b39d16dbd0e49b351acf631768e754275120d64