53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5

Analysis

max time kernel
260s
max time network
319s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Size

11.7MB
MD5

f056c852b748458e7db678352d91eb1d
SHA1

4f03fb6d75cd1bfb5b7a1e49feca438798a2b144
SHA256

53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5
SHA512

8c6759541af7a0e233c363f7aa10eaa7e96dd66094098e8269ef6ae92f03e92a99faaba71f4fc74c6f11af1b8009b490fcdb29d9182de89cb60ea177566f9262
SSDEEP

98304:+DGCo6cWy7JlG49hbzPvRhJBAUZLHlrPz4rb9:ueVTJVhf4J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1744	g4rxZKuKej.exe
2424	WKqaLsed3t_d5.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 2224	1744	g4rxZKuKej.exe	33
PID 1744 set thread context of 2928	1744	g4rxZKuKej.exe	35
PID 1744 set thread context of 1732	1744	g4rxZKuKej.exe	36
PID 1744 set thread context of 3052	1744	g4rxZKuKej.exe	37
PID 1744 set thread context of 2844	1744	g4rxZKuKej.exe	39
PID 1744 set thread context of 2816	1744	g4rxZKuKej.exe	40
PID 1744 set thread context of 300	1744	g4rxZKuKej.exe	41
PID 1744 set thread context of 908	1744	g4rxZKuKej.exe	46
PID 1744 set thread context of 2316	1744	g4rxZKuKej.exe	48
PID 1744 set thread context of 3032	1744	g4rxZKuKej.exe	49
PID 1744 set thread context of 2144	1744	g4rxZKuKej.exe	50
PID 1744 set thread context of 2728	1744	g4rxZKuKej.exe	51
PID 1744 set thread context of 2524	1744	g4rxZKuKej.exe	52
PID 1744 set thread context of 1496	1744	g4rxZKuKej.exe	53
PID 1744 set thread context of 848	1744	g4rxZKuKej.exe	54
PID 1744 set thread context of 2076	1744	g4rxZKuKej.exe	55
PID 1744 set thread context of 1992	1744	g4rxZKuKej.exe	56
PID 1744 set thread context of 2004	1744	g4rxZKuKej.exe	57
PID 1744 set thread context of 1616	1744	g4rxZKuKej.exe	60
PID 1744 set thread context of 2876	1744	g4rxZKuKej.exe	63

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
1744	g4rxZKuKej.exe
1744	g4rxZKuKej.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Token: SeDebugPrivilege	1744	g4rxZKuKej.exe
Token: SeIncBasePriorityPrivilege	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
Token: SeDebugPrivilege	2424	WKqaLsed3t_d5.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
1744	g4rxZKuKej.exe
1744	g4rxZKuKej.exe
1744	g4rxZKuKej.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
1744	g4rxZKuKej.exe
1744	g4rxZKuKej.exe
1744	g4rxZKuKej.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
1744	g4rxZKuKej.exe
1744	g4rxZKuKej.exe
2928	diskraid.exe
2928	diskraid.exe
1732	eudcedit.exe
1732	eudcedit.exe
2844	TapiUnattend.exe
2844	TapiUnattend.exe
2816	dcomcnfg.exe
2816	dcomcnfg.exe
300	typeperf.exe
300	typeperf.exe
908	perfhost.exe
908	perfhost.exe
2316	unlodctr.exe
2316	unlodctr.exe
3032	credwiz.exe
3032	credwiz.exe
2144	SystemPropertiesComputerName.exe
2144	SystemPropertiesComputerName.exe
2728	ROUTE.EXE
2728	ROUTE.EXE
2524	user.exe
2524	user.exe
1496	makecab.exe
1496	makecab.exe
848	SystemPropertiesRemote.exe
848	SystemPropertiesRemote.exe
2076	certutil.exe
2076	certutil.exe
1992	rasdial.exe
1992	rasdial.exe
2004	choice.exe
2004	choice.exe
1616	SystemPropertiesDataExecutionPrevention.exe
1616	SystemPropertiesDataExecutionPrevention.exe
2876	SndVol.exe
2876	SndVol.exe
2424	WKqaLsed3t_d5.exe
2424	WKqaLsed3t_d5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1744	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	29
PID 2476 wrote to memory of 1744	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	29
PID 2476 wrote to memory of 1744	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	29
PID 2476 wrote to memory of 1744	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	29
PID 2476 wrote to memory of 2280	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	30
PID 2476 wrote to memory of 2280	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	30
PID 2476 wrote to memory of 2280	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	30
PID 2476 wrote to memory of 2280	2476	53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe	30
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2224	1744	g4rxZKuKej.exe	33
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 2928	1744	g4rxZKuKej.exe	35
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 1732	1744	g4rxZKuKej.exe	36
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 3052	1744	g4rxZKuKej.exe	37
PID 1744 wrote to memory of 2824	1744	g4rxZKuKej.exe	38
PID 1744 wrote to memory of 2824	1744	g4rxZKuKej.exe	38
PID 1744 wrote to memory of 2824	1744	g4rxZKuKej.exe	38
PID 1744 wrote to memory of 2824	1744	g4rxZKuKej.exe	38
PID 1744 wrote to memory of 2844	1744	g4rxZKuKej.exe	39
PID 1744 wrote to memory of 2844	1744	g4rxZKuKej.exe	39
PID 1744 wrote to memory of 2844	1744	g4rxZKuKej.exe	39
PID 1744 wrote to memory of 2844	1744	g4rxZKuKej.exe	39
PID 1744 wrote to memory of 2844	1744	g4rxZKuKej.exe	39
PID 1744 wrote to memory of 2844	1744	g4rxZKuKej.exe	39

C:\Users\Admin\AppData\Local\Temp\53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe
"C:\Users\Admin\AppData\Local\Temp\53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- F:\97ayiyrU_d5\pNOdZz0tq\X8CzS4FDiGM\40Jsioqi\OAt2grVzjHU\iKtcF2XCCTI\MUXnA9YGV\g4rxZKuKej.exe
  F:\97ayiyrU_d5\pNOdZz0tq\X8CzS4FDiGM\40Jsioqi\OAt2grVzjHU\iKtcF2XCCTI\MUXnA9YGV\g4rxZKuKej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\wuapp.exe
    C:\Windows\SysWOW64\wuapp.exe
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\diskraid.exe
    C:\Windows\SysWOW64\diskraid.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2928
- - C:\Windows\SysWOW64\eudcedit.exe
    C:\Windows\SysWOW64\eudcedit.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1732
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\fixmapi.exe
    C:\Windows\SysWOW64\fixmapi.exe
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\TapiUnattend.exe
    C:\Windows\SysWOW64\TapiUnattend.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Windows\SysWOW64\dcomcnfg.exe
    C:\Windows\SysWOW64\dcomcnfg.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SysWOW64\typeperf.exe
    C:\Windows\SysWOW64\typeperf.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:300
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\SysWOW64\reg.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\srdelayed.exe
    C:\Windows\SysWOW64\srdelayed.exe
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\iscsicli.exe
    C:\Windows\SysWOW64\iscsicli.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\wscript.exe
    C:\Windows\SysWOW64\wscript.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\perfhost.exe
    C:\Windows\SysWOW64\perfhost.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:908
- - C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
    C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\unlodctr.exe
    C:\Windows\SysWOW64\unlodctr.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Windows\SysWOW64\credwiz.exe
    C:\Windows\SysWOW64\credwiz.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
    C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2144
- - C:\Windows\SysWOW64\ROUTE.EXE
    C:\Windows\SysWOW64\ROUTE.EXE
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\SysWOW64\user.exe
    C:\Windows\SysWOW64\user.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2524
- - C:\Windows\SysWOW64\makecab.exe
    C:\Windows\SysWOW64\makecab.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Windows\SysWOW64\SystemPropertiesRemote.exe
    C:\Windows\SysWOW64\SystemPropertiesRemote.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:848
- - C:\Windows\SysWOW64\certutil.exe
    C:\Windows\SysWOW64\certutil.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2076
- - C:\Windows\SysWOW64\rasdial.exe
    C:\Windows\SysWOW64\rasdial.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Windows\SysWOW64\choice.exe
    C:\Windows\SysWOW64\choice.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2004
- - C:\Windows\SysWOW64\SearchIndexer.exe
    C:\Windows\SysWOW64\SearchIndexer.exe
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\SyncHost.exe
    C:\Windows\SysWOW64\SyncHost.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Windows\SysWOW64\mcbuilder.exe
    C:\Windows\SysWOW64\mcbuilder.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\label.exe
    C:\Windows\SysWOW64\label.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\SndVol.exe
    C:\Windows\SysWOW64\SndVol.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2876
- - F:\97ayiyrU_d5\pNOdZz0tq\X8CzS4FDiGM\40Jsioqi\OAt2grVzjHU\iKtcF2XCCTI\MUXnA9YGV\WKqaLsed3t_d5.exe
    F:\97ayiyrU_d5\pNOdZz0tq\X8CzS4FDiGM\40Jsioqi\OAt2grVzjHU\iKtcF2XCCTI\MUXnA9YGV\WKqaLsed3t_d5.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\53DAFE~1.EXE > nul
  2⤵
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RBSFSystem.ini

Filesize
283B

MD5
71c4f73a6b7a7e1c8a196628427157a1

SHA1
7d9e2583f46984090afcf6597fbfb0353bfa9f1a

SHA256
8d0a06fd52b638f7d13feadb3dfdf11f2834ebccbfea350426c6805de6fc621b

SHA512
0fdf03581e5d4d3b5a7c3df21a83faccea869f554c0d411959d235f8bd547e7434fada77a6aab4b4cf96a812e6d794ca804186e58bc417e23d3b88288cf22b23

Download Submit
C:\RBSFSystem.ini

Filesize
283B

MD5
71c4f73a6b7a7e1c8a196628427157a1

SHA1
7d9e2583f46984090afcf6597fbfb0353bfa9f1a

SHA256
8d0a06fd52b638f7d13feadb3dfdf11f2834ebccbfea350426c6805de6fc621b

SHA512
0fdf03581e5d4d3b5a7c3df21a83faccea869f554c0d411959d235f8bd547e7434fada77a6aab4b4cf96a812e6d794ca804186e58bc417e23d3b88288cf22b23

Download Submit
C:\RBSFSystem.ini

Filesize
129B

MD5
78d89536fa344a82364f1dda81d78f3a

SHA1
e866b4f7713f3b6718c2b4b836937c8b35ff7c31

SHA256
32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

SHA512
2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

Download Submit
C:\RBSFSystem.ini

Filesize
162B

MD5
88c2252f623186c2d6df7435bc62d21c

SHA1
069e5043a513560366a4fcef96d8c93b4a208d92

SHA256
5e7569a68fbf6ac8aeb4d3db463ad165beeb63edcf63005f66a361cdcc2c7213

SHA512
49ea66da3b80e6bfecc5efa0a7fc42830f29fc5e2113d70cd049ceb89452dc58a82e2274e7a2ce7fd63fc4f86abed4858eb4c6144b766bd91e6a8ff0844bc3ea

Download Submit
C:\RBSFSystem.ini

Filesize
162B

MD5
88c2252f623186c2d6df7435bc62d21c

SHA1
069e5043a513560366a4fcef96d8c93b4a208d92

SHA256
5e7569a68fbf6ac8aeb4d3db463ad165beeb63edcf63005f66a361cdcc2c7213

SHA512
49ea66da3b80e6bfecc5efa0a7fc42830f29fc5e2113d70cd049ceb89452dc58a82e2274e7a2ce7fd63fc4f86abed4858eb4c6144b766bd91e6a8ff0844bc3ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac0b68474653c8666297417e595181f3

SHA1
bafc3c4323ce8351d488d078c0ed4f1209205e1b

SHA256
94d345949e6bbb7f515b26c0ab3abd6de3fdd83f0cb09ec203cf36d5f0330315

SHA512
aa06ee732d43462e7b4184a072202e8337fbce22fa62457722d910435a28707e6108b02ba7d7a01a3c5d27b18d9573e2d39fc2683d3c78d1a3145df5b34c39ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b920e1c7e834a51a45501beb59cadb7

SHA1
88feaaae89a08cbccf66e7b4e012ea1ac0702465

SHA256
be3a1ea3a0974f4eda5924546d5c73dc77ed799a8ce06f55d7cd62458e9bea87

SHA512
9026ae9b1fbbe0b457ccec6cbb48b56ca371f4c7f5a3b8f44140b8be267bfce78047ab1453087f4bf7f7075a555ea1d107197014647af5d17b6c7f51d4c11acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1FF1.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20AF.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\RBSF.ini

Filesize
1KB

MD5
b1d997ffb96d0c5fd203868df44896be

SHA1
5a55642e026b1d54281d0c0bf26373f73f3971a2

SHA256
af396129b80609110ea38b7df597e7c0b689ed90038d98c4cf4c7cc8fb2d623a

SHA512
74e499eedb965166a7ea22f40f8ea5b539e44c5076572c306486412e0bec06673a1fe48a52d9146bbe9bf60472a4fb944c4e66676eeb14b9c7463d307da358f4

Download Submit
C:\Users\Admin\AppData\Roaming\RBSF.ini

Filesize
10B

MD5
4b80dad734fc60f3fd3030f47a9d70c2

SHA1
946c991e66a831290cf11bbd8e9748ca62f7a27f

SHA256
85e74a3678e99c8dd94f4a61600a08beeb2d982b41aa5d603c88b9e3a4ad1383

SHA512
40717479d237c1ef9e0225fa0f6306d467936238a54acebe974a7d2b1aa38131ff1a396dfdc98ca3df286e0be88fbbb9c7ef69f3a8adf7b78cd113662f5fdb6c

Download Submit
F:\97ayiyrU_d5\pNOdZz0tq\X8CzS4FDiGM\40Jsioqi\OAt2grVzjHU\iKtcF2XCCTI\MUXnA9YGV\WKqaLsed3t_d5.exe

Filesize
6.8MB

MD5
3f8d69eb26115498cd59939c1e564212

SHA1
3c2879c65ac5c40af7472f264f021dd9b0fdd624

SHA256
9bffb565df6ad9510861f81c9e11d09ef69b4d7b539e30d65bbd26f1eb52bb81

SHA512
4b6c6a0ebf27c3facba2362fdc776bbc62e3b908eca869f55aad3e42debf445e4a1e6b89e2cef38596788e4611b942e9bd70e30d597f1b17517deb0e1f56e571

Download Submit
F:\97ayiyrU_d5\pNOdZz0tq\X8CzS4FDiGM\40Jsioqi\OAt2grVzjHU\iKtcF2XCCTI\MUXnA9YGV\g4rxZKuKej.exe

Filesize
11.7MB

MD5
f056c852b748458e7db678352d91eb1d

SHA1
4f03fb6d75cd1bfb5b7a1e49feca438798a2b144

SHA256
53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5

SHA512
8c6759541af7a0e233c363f7aa10eaa7e96dd66094098e8269ef6ae92f03e92a99faaba71f4fc74c6f11af1b8009b490fcdb29d9182de89cb60ea177566f9262

Download Submit
F:\97ayiyrU_d5\pNOdZz0tq\X8CzS4FDiGM\40Jsioqi\OAt2grVzjHU\iKtcF2XCCTI\MUXnA9YGV\g4rxZKuKej.exe

Filesize
11.7MB

MD5
f056c852b748458e7db678352d91eb1d

SHA1
4f03fb6d75cd1bfb5b7a1e49feca438798a2b144

SHA256
53dafe9c6278b991c4645b207c24f6b58c94d37bd9647b63e5d61ec0ffe156e5

SHA512
8c6759541af7a0e233c363f7aa10eaa7e96dd66094098e8269ef6ae92f03e92a99faaba71f4fc74c6f11af1b8009b490fcdb29d9182de89cb60ea177566f9262

Download Submit
memory/1732-241-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1732-245-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1732-250-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/1732-252-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2224-150-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2224-157-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2224-156-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2224-153-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2224-143-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2224-147-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2224-145-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-222-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-224-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-226-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-221-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-219-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-217-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-216-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-215-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-213-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2928-211-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download