be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Size

11.7MB
MD5

fe5a4d2b381761d420987edcb22c2fb6
SHA1

8acbbd07976e2fbc80974567f88b988606ab651e
SHA256

be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995
SHA512

a3a01b48654a839de913e3d1d3555a02c28845e7e693744206048540f3e8cbb8aecead0898b1d3c93dfea46459a4f595c8f8af298bc61945cce473f7fcb3d4ac
SSDEEP

98304:+DGCo6cWy7JlG49hbzPvRhJBAUZLHlrPz4rbm:ueVTJVhf4K

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1400	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1408	aAHNX9iHIx.exe
2360	Ye07qlLNhb_d5.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
File opened (read-only)	\??\F:	Ye07qlLNhb_d5.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 620	1408	aAHNX9iHIx.exe	34
PID 1408 set thread context of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 set thread context of 680	1408	aAHNX9iHIx.exe	40
PID 1408 set thread context of 2684	1408	aAHNX9iHIx.exe	42
PID 1408 set thread context of 2580	1408	aAHNX9iHIx.exe	45
PID 1408 set thread context of 2344	1408	aAHNX9iHIx.exe	47
PID 1408 set thread context of 1096	1408	aAHNX9iHIx.exe	53
PID 1408 set thread context of 2576	1408	aAHNX9iHIx.exe	56
PID 1408 set thread context of 2764	1408	aAHNX9iHIx.exe	58
PID 1408 set thread context of 2256	1408	aAHNX9iHIx.exe	59

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
1408	aAHNX9iHIx.exe
1408	aAHNX9iHIx.exe
2360	Ye07qlLNhb_d5.exe
2360	Ye07qlLNhb_d5.exe
2360	Ye07qlLNhb_d5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Token: SeDebugPrivilege	1408	aAHNX9iHIx.exe
Token: SeIncBasePriorityPrivilege	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
Token: SeDebugPrivilege	2360	Ye07qlLNhb_d5.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
1408	aAHNX9iHIx.exe
1408	aAHNX9iHIx.exe
1408	aAHNX9iHIx.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
1408	aAHNX9iHIx.exe
1408	aAHNX9iHIx.exe
1408	aAHNX9iHIx.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
1408	aAHNX9iHIx.exe
1408	aAHNX9iHIx.exe
620	netsh.exe
620	netsh.exe
2120	winrs.exe
2120	winrs.exe
680	taskeng.exe
680	taskeng.exe
2684	ieUnatt.exe
2684	ieUnatt.exe
2580	RMActivate_ssp.exe
2580	RMActivate_ssp.exe
2344	SystemPropertiesDataExecutionPrevention.exe
2344	SystemPropertiesDataExecutionPrevention.exe
1096	mfpmp.exe
1096	mfpmp.exe
2576	getmac.exe
2576	getmac.exe
2764	proquota.exe
2764	proquota.exe
2256	MRINFO.EXE
2256	MRINFO.EXE
2360	Ye07qlLNhb_d5.exe
2360	Ye07qlLNhb_d5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1408	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	29
PID 2024 wrote to memory of 1408	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	29
PID 2024 wrote to memory of 1408	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	29
PID 2024 wrote to memory of 1408	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	29
PID 2024 wrote to memory of 1400	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	30
PID 2024 wrote to memory of 1400	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	30
PID 2024 wrote to memory of 1400	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	30
PID 2024 wrote to memory of 1400	2024	be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe	30
PID 1408 wrote to memory of 1652	1408	aAHNX9iHIx.exe	33
PID 1408 wrote to memory of 1652	1408	aAHNX9iHIx.exe	33
PID 1408 wrote to memory of 1652	1408	aAHNX9iHIx.exe	33
PID 1408 wrote to memory of 1652	1408	aAHNX9iHIx.exe	33
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 620	1408	aAHNX9iHIx.exe	34
PID 1408 wrote to memory of 2384	1408	aAHNX9iHIx.exe	37
PID 1408 wrote to memory of 2384	1408	aAHNX9iHIx.exe	37
PID 1408 wrote to memory of 2384	1408	aAHNX9iHIx.exe	37
PID 1408 wrote to memory of 2384	1408	aAHNX9iHIx.exe	37
PID 1408 wrote to memory of 600	1408	aAHNX9iHIx.exe	35
PID 1408 wrote to memory of 600	1408	aAHNX9iHIx.exe	35
PID 1408 wrote to memory of 600	1408	aAHNX9iHIx.exe	35
PID 1408 wrote to memory of 600	1408	aAHNX9iHIx.exe	35
PID 1408 wrote to memory of 1736	1408	aAHNX9iHIx.exe	36
PID 1408 wrote to memory of 1736	1408	aAHNX9iHIx.exe	36
PID 1408 wrote to memory of 1736	1408	aAHNX9iHIx.exe	36
PID 1408 wrote to memory of 1736	1408	aAHNX9iHIx.exe	36
PID 1408 wrote to memory of 1736	1408	aAHNX9iHIx.exe	36
PID 1408 wrote to memory of 1736	1408	aAHNX9iHIx.exe	36
PID 1408 wrote to memory of 1736	1408	aAHNX9iHIx.exe	36
PID 1408 wrote to memory of 1880	1408	aAHNX9iHIx.exe	39
PID 1408 wrote to memory of 1880	1408	aAHNX9iHIx.exe	39
PID 1408 wrote to memory of 1880	1408	aAHNX9iHIx.exe	39
PID 1408 wrote to memory of 1880	1408	aAHNX9iHIx.exe	39
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 2120	1408	aAHNX9iHIx.exe	38
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 680	1408	aAHNX9iHIx.exe	40
PID 1408 wrote to memory of 2684	1408	aAHNX9iHIx.exe	42
PID 1408 wrote to memory of 2684	1408	aAHNX9iHIx.exe	42
PID 1408 wrote to memory of 2684	1408	aAHNX9iHIx.exe	42

C:\Users\Admin\AppData\Local\Temp\be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe
"C:\Users\Admin\AppData\Local\Temp\be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\aAHNX9iHIx.exe
  F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\aAHNX9iHIx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\grpconv.exe
    C:\Windows\SysWOW64\grpconv.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\SysWOW64\netsh.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:620
- - C:\Windows\SysWOW64\winrshost.exe
    C:\Windows\SysWOW64\winrshost.exe
    3⤵
    PID:600
- - C:\Windows\SysWOW64\ndadmin.exe
    C:\Windows\SysWOW64\ndadmin.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\gpresult.exe
    C:\Windows\SysWOW64\gpresult.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\winrs.exe
    C:\Windows\SysWOW64\winrs.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2120
- - C:\Windows\SysWOW64\rekeywiz.exe
    C:\Windows\SysWOW64\rekeywiz.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\taskeng.exe
    C:\Windows\SysWOW64\taskeng.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:680
- - C:\Windows\SysWOW64\ieUnatt.exe
    C:\Windows\SysWOW64\ieUnatt.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Windows\SysWOW64\SyncHost.exe
    C:\Windows\SysWOW64\SyncHost.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\RMActivate_ssp.exe
    C:\Windows\SysWOW64\RMActivate_ssp.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2580
- - C:\Windows\SysWOW64\Utilman.exe
    C:\Windows\SysWOW64\Utilman.exe
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2344
- - C:\Windows\SysWOW64\dvdupgrd.exe
    C:\Windows\SysWOW64\dvdupgrd.exe
    3⤵
    PID:292
- - C:\Windows\SysWOW64\mobsync.exe
    C:\Windows\SysWOW64\mobsync.exe
    3⤵
    PID:456
- - C:\Windows\SysWOW64\fontview.exe
    C:\Windows\SysWOW64\fontview.exe
    3⤵
    PID:860
- - C:\Windows\SysWOW64\regedt32.exe
    C:\Windows\SysWOW64\regedt32.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\mstsc.exe
    C:\Windows\SysWOW64\mstsc.exe
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\mfpmp.exe
    C:\Windows\SysWOW64\mfpmp.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1096
- - C:\Windows\SysWOW64\Robocopy.exe
    C:\Windows\SysWOW64\Robocopy.exe
    3⤵
    PID:544
- - C:\Windows\SysWOW64\InfDefaultInstall.exe
    C:\Windows\SysWOW64\InfDefaultInstall.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\getmac.exe
    C:\Windows\SysWOW64\getmac.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\SysWOW64\userinit.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\proquota.exe
    C:\Windows\SysWOW64\proquota.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Windows\SysWOW64\MRINFO.EXE
    C:\Windows\SysWOW64\MRINFO.EXE
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2256
- - C:\Windows\SysWOW64\wecutil.exe
    C:\Windows\SysWOW64\wecutil.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\ktmutil.exe
    C:\Windows\SysWOW64\ktmutil.exe
    3⤵
    PID:968
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\SecEdit.exe
    C:\Windows\SysWOW64\SecEdit.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\ntoskrnl.exe
    C:\Windows\SysWOW64\ntoskrnl.exe
    3⤵
    PID:1540
- - F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\Ye07qlLNhb_d5.exe
    F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\Ye07qlLNhb_d5.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BE5903~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RBSFSystem.ini

Filesize
265B

MD5
d231841835640a8ba23fb71157056650

SHA1
914230687e238042a3c3068dc3202c1825a563dd

SHA256
5b591cf43e20ed9a20076b8f14c548c66fd0875d3f74fd2e8527b2a4786080c1

SHA512
9413ef6c851891ea24630ca7044a2c7d1993c23f5bbabbf936218264816cc68978643195ec056dc6f5df0dab339d3cf96d5dfc7180099aa3770cf130e8207c70

Download Submit
C:\RBSFSystem.ini

Filesize
129B

MD5
78d89536fa344a82364f1dda81d78f3a

SHA1
e866b4f7713f3b6718c2b4b836937c8b35ff7c31

SHA256
32c064c7c56cae4ea4ee32cf8ee2f110f2f715ed064c28c1a5e5b4b384439fa5

SHA512
2a04d9ea26e8617c60f5af189f2fce74baf151bb414390aa617adf140bce277d492764dc7a34671d0a09c61edebbd0b9f8d3ce591a2d6d54f66495f53cce6d58

Download Submit
C:\RBSFSystem.ini

Filesize
162B

MD5
88c2252f623186c2d6df7435bc62d21c

SHA1
069e5043a513560366a4fcef96d8c93b4a208d92

SHA256
5e7569a68fbf6ac8aeb4d3db463ad165beeb63edcf63005f66a361cdcc2c7213

SHA512
49ea66da3b80e6bfecc5efa0a7fc42830f29fc5e2113d70cd049ceb89452dc58a82e2274e7a2ce7fd63fc4f86abed4858eb4c6144b766bd91e6a8ff0844bc3ea

Download Submit
C:\RBSFSystem.ini

Filesize
265B

MD5
d231841835640a8ba23fb71157056650

SHA1
914230687e238042a3c3068dc3202c1825a563dd

SHA256
5b591cf43e20ed9a20076b8f14c548c66fd0875d3f74fd2e8527b2a4786080c1

SHA512
9413ef6c851891ea24630ca7044a2c7d1993c23f5bbabbf936218264816cc68978643195ec056dc6f5df0dab339d3cf96d5dfc7180099aa3770cf130e8207c70

Download Submit
C:\RBSFSystem.ini

Filesize
162B

MD5
88c2252f623186c2d6df7435bc62d21c

SHA1
069e5043a513560366a4fcef96d8c93b4a208d92

SHA256
5e7569a68fbf6ac8aeb4d3db463ad165beeb63edcf63005f66a361cdcc2c7213

SHA512
49ea66da3b80e6bfecc5efa0a7fc42830f29fc5e2113d70cd049ceb89452dc58a82e2274e7a2ce7fd63fc4f86abed4858eb4c6144b766bd91e6a8ff0844bc3ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a73c6541d98499bb79c292d41ec5d344

SHA1
810fa2a8909a584d74c9623765111887d90f1d3f

SHA256
5b0b8e3d7985407e53d44335c82037545fe0f10d12ef23a5a824617731fce007

SHA512
14dc5309ac891b5b223c493a5e522b07614d9055a0f7bf7784d1f74d5e01161bcbca33f3a33efd5d4ff034957c82c61bdfd35482a3af9eaf6564127df907f240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d976485c46be46645462d056462e6ebc

SHA1
255e91f4151680d69687df4d237bd8c61b924742

SHA256
a5417c6980dc40849b0875ecc442e2914bf111e449242faf05da8c672949eded

SHA512
6d901b4172f80334cec9a61265269de06ee0918f8a1d8391528027f25740e5b4eb5a64aa7795c9bc82c2efe1a937e0ba67fa0710a8ab01e04f2746c60fea4af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E63.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F31.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\RBSF.ini

Filesize
1KB

MD5
4ec8ecd71ff0c5171b83bc3f039aabfc

SHA1
5f453f0d854ae2c20d33394c2b91dac5318dbd67

SHA256
46db18402b86779c1a3626b3adfaf95d5efe7ffeca653bb4700ce006aa3b3c30

SHA512
0f5da66a15c9b3da07f3dc84b6309d51e30361ba2745c43c17234094b00971c360f9cc08473db1a6b99ff4d0ea2e033e95e167110e18889020bef1b92e280262

Download Submit
C:\Users\Admin\AppData\Roaming\RBSF.ini

Filesize
10B

MD5
4b80dad734fc60f3fd3030f47a9d70c2

SHA1
946c991e66a831290cf11bbd8e9748ca62f7a27f

SHA256
85e74a3678e99c8dd94f4a61600a08beeb2d982b41aa5d603c88b9e3a4ad1383

SHA512
40717479d237c1ef9e0225fa0f6306d467936238a54acebe974a7d2b1aa38131ff1a396dfdc98ca3df286e0be88fbbb9c7ef69f3a8adf7b78cd113662f5fdb6c

Download Submit
C:\Users\Admin\Desktop\RBSF_tVSEkXl9MAj.lnk

Filesize
949B

MD5
40af7d7ad6cf02474f3a2d5df8aa4812

SHA1
044a7ae837736e6c6796be95a57df06e37b6f59d

SHA256
17166e13135dea8f13dd31df95f07f3485943cc00e662a2d3cf5b61fad4f1680

SHA512
534eccd1e0703db186d663ad78be36fd12400e638f56d556afbb06bf8b86429b48fbf196f0179bd876961af06066c7d0eedd0badfc59d85a6b7520ca38549ea7

Download Submit
F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\Ye07qlLNhb_d5.exe

Filesize
6.8MB

MD5
4005ccc8d13e9ee5453e32eee30cccad

SHA1
dda8359a7c2cbbebc84857505c5bb65477557f8c

SHA256
0bcc80aa9398268eef12ac025223b06eae05664aedcf230d3ba73992206850ed

SHA512
4455034763cc85c81572d6b30da1b1ca649fd05e5d64d14fbd9b9954907ec44555c776daff35d4b9fa558f856dc4f7167fbfa4e48fc17a0a8270402301f0eff5

Download Submit
F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\aAHNX9iHIx.exe

Filesize
11.7MB

MD5
fe5a4d2b381761d420987edcb22c2fb6

SHA1
8acbbd07976e2fbc80974567f88b988606ab651e

SHA256
be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995

SHA512
a3a01b48654a839de913e3d1d3555a02c28845e7e693744206048540f3e8cbb8aecead0898b1d3c93dfea46459a4f595c8f8af298bc61945cce473f7fcb3d4ac

Download Submit
F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\aAHNX9iHIx.exe

Filesize
11.7MB

MD5
fe5a4d2b381761d420987edcb22c2fb6

SHA1
8acbbd07976e2fbc80974567f88b988606ab651e

SHA256
be5903721f12a958898ca4039988f128f63b37420d02227ccb28ac77657ae995

SHA512
a3a01b48654a839de913e3d1d3555a02c28845e7e693744206048540f3e8cbb8aecead0898b1d3c93dfea46459a4f595c8f8af298bc61945cce473f7fcb3d4ac

Download Submit
F:\N3xvZeLn6XD_d5\Luubp5JQ4Bb\I1TfW5Bbo\CBdjw7Roz\tVSEkXl9MAj\aAHNX9iHIx.exe

Filesize
11.7MB

MD5
fb9b3b98f52f6e9ed6ba8f0f745aba13

SHA1
cbc95a3baf8317db8a2a42a84b4ef5095ca06b04

SHA256
ef6f6101846718ab4281039e8d688163f89331ff2eefe1fe736550f0183df173

SHA512
54447ca5ed32815fb94d8afd97ec1feb8cbd0df3cef17d87a70215e2f359a135f3015f7dc5a02def3f8fdfe3ec9d77d08869ab765b168657afcd4a249829fbd2

Download Submit
memory/620-174-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-152-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-154-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/620-156-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-159-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-162-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-165-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-167-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-171-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-146-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-176-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-180-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-133-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-135-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-137-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-140-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/620-143-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-211-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-225-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-210-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-206-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-213-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-217-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-218-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-220-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-222-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-208-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-227-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-229-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-233-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-231-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-235-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-204-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-203-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-201-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-199-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/2120-195-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download