d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
Size

181KB
MD5

7ec77622e3b775d9c6403bdfd2a4f1f5
SHA1

b44ab81b74208b65bb53288f587ad2d16075331c
SHA256

d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54
SHA512

d925c3dfebee86cbc4aef3b3ead24e15c9b0fa0fc545b8ba3cf95611ff23a377ec8e2f236c611dc10a4d617ccd6a0c392bd8ec77255763e902a657c54055bf41
SSDEEP

3072:c8JVgPzQ8pO6ORW79Yy8Ei/Q7i8PNo78h6DUIt00X19POy/w7/15TSIAG:rmzQ8pMk6cn+mc19POyox5TSI

Score

10^/10

vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3140 created 628	3140	Explorer.EXE	5

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Pab83YNFO.sys	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\r9wd68Pc9ydTJ.sys	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\WxvvJNI2kTWqyS.sys	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\lwEXYaJfSvMf.ecj	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\HuikvgZyKJu.dli	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\Kmko4x9RqzTw42.sys	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\So2OZxO5JMQLb.ize	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\pLmVqItm7p.afo	forfiles.exe
File opened for modification	C:\Windows\system32\drivers\4t11SA0fklz.sys	forfiles.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	forfiles.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000a000000022e62-94.dat	vmprotect
behavioral2/files/0x0018000000022e62-152.dat	vmprotect
behavioral2/files/0x0026000000022e62-208.dat	vmprotect
behavioral2/files/0x0034000000022e62-264.dat	vmprotect

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	forfiles.exe
File opened for modification	C:\Windows\system32\pnsM5jFb4B.sys	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	forfiles.exe
File opened for modification	C:\Windows\system32\NBjat9XI29.bmo	forfiles.exe
File opened for modification	C:\Windows\system32\AAZcjxIkaGh.sys	forfiles.exe
File opened for modification	C:\Windows\system32\r4JrS9Fuf5NkF.mak	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	forfiles.exe
File created	C:\Windows\system32\ \Windows\System32\PLq7Px097.sys	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	forfiles.exe
File opened for modification	C:\Windows\system32\Jbpca4eLMPUB.sys	forfiles.exe
File opened for modification	C:\Windows\system32\e44Vs9b1YNM.dcj	forfiles.exe
File opened for modification	C:\Windows\system32\LzNT1GDhYD.bzb	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	forfiles.exe
File opened for modification	C:\Windows\system32\UWhIZ5IEaM.sys	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	forfiles.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	forfiles.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dwy1uu0vyK.hvu	forfiles.exe
File opened for modification	C:\Program Files\VideoLAN\47b931ff.html	forfiles.exe
File opened for modification	C:\Program Files (x86)\nsfMjhXjMu.sek	forfiles.exe
File opened for modification	C:\Program Files\VideoLAN\lib\6469ac65.js	forfiles.exe
File opened for modification	C:\Program Files (x86)\zyJhWAQOt6TT.sys	forfiles.exe
File opened for modification	C:\Program Files\6VDaCBAmRP.sys	forfiles.exe
File opened for modification	C:\Program Files\VideoLAN\manifest.json	forfiles.exe
File opened for modification	C:\Program Files\Reference Assemblies\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\Reference Assemblies\47b932ea.html	Explorer.EXE
File opened for modification	C:\Program Files\QuBTrZFbmsSPU.sys	forfiles.exe
File opened for modification	C:\Program Files\1dN55twuOMRs1Q.qrx	forfiles.exe
File opened for modification	C:\Program Files (x86)\Fe9wxMF9ET.sys	forfiles.exe
File opened for modification	C:\Program Files\Reference Assemblies\3960f588.js	Explorer.EXE
File opened for modification	C:\Program Files\ImaXbNY43gW.sys	forfiles.exe
File opened for modification	C:\Program Files\xy16p4wgqTjx.kkk	forfiles.exe
File opened for modification	C:\Program Files\VideoLAN\56116f32.js	forfiles.exe
File opened for modification	C:\Program Files (x86)\ZIyUDyOdNHl.ggz	forfiles.exe
File opened for modification	C:\Program Files (x86)\mhI4oyVBzjaFlM.xrx	forfiles.exe
File opened for modification	C:\Program Files (x86)\EunJXfd3x9KN9T.sys	forfiles.exe
File opened for modification	C:\Program Files\VideoLAN\3960f4cc.js	forfiles.exe
File opened for modification	C:\Program Files\Reference Assemblies\lib\6469adae.js	Explorer.EXE
File opened for modification	C:\Program Files\nrnjH0KWxs.sys	forfiles.exe
File opened for modification	C:\Program Files\xx8a2t3aCSiyd.sdm	forfiles.exe
File opened for modification	C:\Program Files (x86)\nNcpH12mlYuwOa.sys	forfiles.exe
File opened for modification	C:\Program Files (x86)\kM7kS8iECWJ.wnr	forfiles.exe
File opened for modification	C:\Program Files\Reference Assemblies\5611704c.js	Explorer.EXE

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BgEPDYQkDW.sys	forfiles.exe
File opened for modification	C:\Windows\f3OxGPgV0d.rqd	forfiles.exe
File opened for modification	C:\Windows\Kg8JYcAQoZm.sys	forfiles.exe
File opened for modification	C:\Windows\CDGFtBeCZNZo.fpr	forfiles.exe
File opened for modification	C:\Windows\lQa88Qvjx7.sys	forfiles.exe
File created	C:\Windows\Inf\forfiles.exe	Explorer.EXE
File opened for modification	C:\Windows\Inf\forfiles.exe	Explorer.EXE
File created	C:\Windows\mIHlSPbBI.sys	forfiles.exe
File opened for modification	C:\Windows\AGcpYdjKNWFy4.gkk	forfiles.exe
File opened for modification	C:\Windows\yDNpBge3KO3iwJ.sys	forfiles.exe
File opened for modification	C:\Windows\U9xlQBYrWKj.ggz	forfiles.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	forfiles.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	forfiles.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2904	timeout.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AxInstUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	forfiles.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	forfiles.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	forfiles.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	forfiles.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	forfiles.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	forfiles.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	forfiles.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AxInstUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	forfiles.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	forfiles.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AxInstUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
2484	forfiles.exe
2484	forfiles.exe
4412	AxInstUI.exe
4412	AxInstUI.exe
2484	forfiles.exe
2484	forfiles.exe
2484	forfiles.exe
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
2484	forfiles.exe
3140	Explorer.EXE
2484	forfiles.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3140	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
Token: SeTcbPrivilege	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
Token: SeDebugPrivilege	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
Token: SeDebugPrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeIncBasePriorityPrivilege	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeBackupPrivilege	2484	forfiles.exe
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeDebugPrivilege	2484	forfiles.exe
Token: SeDebugPrivilege	3140	Explorer.EXE
Token: SeBackupPrivilege	3140	Explorer.EXE
Token: SeDebugPrivilege	380	dwm.exe
Token: SeBackupPrivilege	380	dwm.exe
Token: SeShutdownPrivilege	380	dwm.exe
Token: SeCreatePagefilePrivilege	380	dwm.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3140	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3140	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	63
PID 3516 wrote to memory of 3140	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	63
PID 3516 wrote to memory of 3140	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	63
PID 3516 wrote to memory of 3140	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	63
PID 3516 wrote to memory of 3140	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	63
PID 3140 wrote to memory of 2484	3140	Explorer.EXE	92
PID 3140 wrote to memory of 2484	3140	Explorer.EXE	92
PID 3140 wrote to memory of 2484	3140	Explorer.EXE	92
PID 3140 wrote to memory of 2484	3140	Explorer.EXE	92
PID 3140 wrote to memory of 2484	3140	Explorer.EXE	92
PID 3140 wrote to memory of 2484	3140	Explorer.EXE	92
PID 3140 wrote to memory of 2484	3140	Explorer.EXE	92
PID 3516 wrote to memory of 628	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	5
PID 3516 wrote to memory of 628	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	5
PID 3516 wrote to memory of 628	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	5
PID 3516 wrote to memory of 628	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	5
PID 3516 wrote to memory of 628	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	5
PID 3516 wrote to memory of 2508	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	99
PID 3516 wrote to memory of 2508	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	99
PID 3516 wrote to memory of 2508	3516	d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe	99
PID 2508 wrote to memory of 2904	2508	cmd.exe	101
PID 2508 wrote to memory of 2904	2508	cmd.exe	101
PID 2508 wrote to memory of 2904	2508	cmd.exe	101
PID 2484 wrote to memory of 4412	2484	forfiles.exe	102
PID 2484 wrote to memory of 4412	2484	forfiles.exe	102
PID 2484 wrote to memory of 4412	2484	forfiles.exe	102
PID 2484 wrote to memory of 4412	2484	forfiles.exe	102
PID 2484 wrote to memory of 4412	2484	forfiles.exe	102
PID 2484 wrote to memory of 4412	2484	forfiles.exe	102
PID 2484 wrote to memory of 4412	2484	forfiles.exe	102
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63
PID 2484 wrote to memory of 3140	2484	forfiles.exe	63

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\Inf\forfiles.exe
  "C:\Windows\Inf\forfiles.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\AxInstUI.exe
    "C:\Windows\system32\AxInstUI.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:4412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe
  "C:\Users\Admin\AppData\Local\Temp\d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d659557b55f3a5845e8f1567785753a71f16a2a34107e89292cc749359317e54.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BgEPDYQkDW.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\INF\forfiles.exe

Filesize
51KB

MD5
9bb67aea5e26cb136f23f29cc48d6b9e

SHA1
cabee28f7368aae1ac23f0713e2c330f96af2062

SHA256
9b4886f187489a190bb2c412772c1998539f086c63a4cfd72ff3b107cbc21907

SHA512
ac1ea7be97cadce0abf3b581a97b32cceecdc5e7015704ef6a08e33d47f928aab4758df61efb9856057c09d31629ea080f9525b199daebaa4b945338086411bb

Download Submit
C:\Windows\INF\forfiles.exe

Filesize
51KB

MD5
9bb67aea5e26cb136f23f29cc48d6b9e

SHA1
cabee28f7368aae1ac23f0713e2c330f96af2062

SHA256
9b4886f187489a190bb2c412772c1998539f086c63a4cfd72ff3b107cbc21907

SHA512
ac1ea7be97cadce0abf3b581a97b32cceecdc5e7015704ef6a08e33d47f928aab4758df61efb9856057c09d31629ea080f9525b199daebaa4b945338086411bb

Download Submit
C:\Windows\Kg8JYcAQoZm.sys

Filesize
447KB

MD5
c1dd0c1e6be7f96c80324d963e38d40a

SHA1
0cde3058918d7b487914b46923bd06a0dfc9b628

SHA256
56ef5474236a9bf54ba734f6a069efa70cd0df16e7e414ada88816a834728a3f

SHA512
04c3dca032ebcebab745b34c3bde8b31714e7088505b107f480066f506ef255fe1c46ac325ca2bbfbdc6b0e69e5668089597055c6ad46e7238178dd0fbea39b4

Download Submit
C:\Windows\lQa88Qvjx7.sys

Filesize
415KB

MD5
fa4eaedb79569c030772041dc72194b0

SHA1
c64ad136b4ed21231070e427eacd9a98d8c7c368

SHA256
704abf8f3ab4f9703791b5cd92df31d0bfd4e4e2204340de2c1d6614e527dbda

SHA512
7d1e12120324f0a96af3f4ed2401a09e483ee420c436453708b3e65ba9b7e86ff4c5b4dcd5d84ae4cd5004839f962a37a6a2d738018d3ab512963cfb8985b8d0

Download Submit
C:\Windows\yDNpBge3KO3iwJ.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
memory/380-330-0x000001815F930000-0x000001815F931000-memory.dmp

Filesize
4KB

Download
memory/380-327-0x000001815F7D0000-0x000001815F8F2000-memory.dmp

Filesize
1.1MB

Download
memory/380-328-0x000001815F910000-0x000001815F911000-memory.dmp

Filesize
4KB

Download
memory/380-335-0x000001815F7D0000-0x000001815F8F2000-memory.dmp

Filesize
1.1MB

Download
memory/628-19-0x00000169065A0000-0x00000169065A3000-memory.dmp

Filesize
12KB

Download
memory/628-55-0x0000016906990000-0x0000016906991000-memory.dmp

Filesize
4KB

Download
memory/628-22-0x0000016906960000-0x0000016906988000-memory.dmp

Filesize
160KB

Download
memory/628-21-0x0000016906990000-0x0000016906991000-memory.dmp

Filesize
4KB

Download
memory/2484-46-0x00007FFD20970000-0x00007FFD20980000-memory.dmp

Filesize
64KB

Download
memory/2484-320-0x000001FA5DC50000-0x000001FA5DC51000-memory.dmp

Filesize
4KB

Download
memory/2484-17-0x00007FFD20970000-0x00007FFD20980000-memory.dmp

Filesize
64KB

Download
memory/2484-45-0x000001FA5BA70000-0x000001FA5BB3B000-memory.dmp

Filesize
812KB

Download
memory/2484-87-0x000001FA5CB80000-0x000001FA5CBAE000-memory.dmp

Filesize
184KB

Download
memory/2484-53-0x000001FA5BB80000-0x000001FA5BB81000-memory.dmp

Filesize
4KB

Download
memory/2484-54-0x000001FA5C3E0000-0x000001FA5C3E1000-memory.dmp

Filesize
4KB

Download
memory/2484-16-0x000001FA5BA70000-0x000001FA5BB3B000-memory.dmp

Filesize
812KB

Download
memory/2484-56-0x000001FA5C1D0000-0x000001FA5C1D1000-memory.dmp

Filesize
4KB

Download
memory/2484-319-0x000001FA5CCA0000-0x000001FA5CCA1000-memory.dmp

Filesize
4KB

Download
memory/2484-61-0x000001FA5C3F0000-0x000001FA5C3F1000-memory.dmp

Filesize
4KB

Download
memory/2484-15-0x000001FA5BA70000-0x000001FA5BB3B000-memory.dmp

Filesize
812KB

Download
memory/2484-63-0x000001FA5C920000-0x000001FA5C9D7000-memory.dmp

Filesize
732KB

Download
memory/2484-64-0x000001FA5C910000-0x000001FA5C911000-memory.dmp

Filesize
4KB

Download
memory/2484-65-0x000001FA5CB20000-0x000001FA5CB2F000-memory.dmp

Filesize
60KB

Download
memory/2484-66-0x000001FA5CB80000-0x000001FA5CBAE000-memory.dmp

Filesize
184KB

Download
memory/2484-68-0x000001FA5DC60000-0x000001FA5DE2A000-memory.dmp

Filesize
1.8MB

Download
memory/2484-110-0x000001FA5DFE0000-0x000001FA5E102000-memory.dmp

Filesize
1.1MB

Download
memory/2484-70-0x000001FA5C920000-0x000001FA5C9D7000-memory.dmp

Filesize
732KB

Download
memory/2484-333-0x000001FA5DC40000-0x000001FA5DC41000-memory.dmp

Filesize
4KB

Download
memory/2484-73-0x000001FA5DFE0000-0x000001FA5E102000-memory.dmp

Filesize
1.1MB

Download
memory/2484-76-0x000001FA5C910000-0x000001FA5C911000-memory.dmp

Filesize
4KB

Download
memory/2484-92-0x000001FA5DC60000-0x000001FA5DE2A000-memory.dmp

Filesize
1.8MB

Download
memory/2484-77-0x000001FA5C910000-0x000001FA5C911000-memory.dmp

Filesize
4KB

Download
memory/3140-317-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/3140-6-0x0000000003250000-0x0000000003253000-memory.dmp

Filesize
12KB

Download
memory/3140-336-0x0000000009160000-0x0000000009282000-memory.dmp

Filesize
1.1MB

Download
memory/3140-106-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/3140-334-0x0000000009320000-0x0000000009324000-memory.dmp

Filesize
16KB

Download
memory/3140-332-0x0000000009160000-0x0000000009282000-memory.dmp

Filesize
1.1MB

Download
memory/3140-329-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/3140-35-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3140-307-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/3140-310-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/3140-5-0x0000000003250000-0x0000000003253000-memory.dmp

Filesize
12KB

Download
memory/3140-318-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/3140-13-0x00000000038A0000-0x0000000003997000-memory.dmp

Filesize
988KB

Download
memory/3140-75-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/3140-323-0x00000000035A0000-0x00000000035A3000-memory.dmp

Filesize
12KB

Download
memory/3140-326-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3140-11-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3516-0-0x00000000005E0000-0x000000000064C000-memory.dmp

Filesize
432KB

Download
memory/3516-60-0x00000000005E0000-0x000000000064C000-memory.dmp

Filesize
432KB

Download
memory/3516-4-0x00000000005E0000-0x000000000064C000-memory.dmp

Filesize
432KB

Download
memory/3516-3-0x00000000005E0000-0x000000000064C000-memory.dmp

Filesize
432KB

Download
memory/3516-62-0x00000000005E0000-0x000000000064C000-memory.dmp

Filesize
432KB

Download
memory/3516-2-0x00000000005E0000-0x000000000064C000-memory.dmp

Filesize
432KB

Download
memory/3516-1-0x00000000005E0000-0x000000000064C000-memory.dmp

Filesize
432KB

Download
memory/4412-69-0x0000024168B10000-0x0000024168B13000-memory.dmp

Filesize
12KB

Download
memory/4412-71-0x000002416A560000-0x000002416A706000-memory.dmp

Filesize
1.6MB

Download