612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef

Analysis

max time kernel
157s
max time network
136s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 15:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Size

274KB
MD5

feceafeaffad561d722578218c3502d1
SHA1

b0a43b9f963ecfd01d610b0aa0b2a51efe3dedc6
SHA256

612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef
SHA512

a83b8eaa5b87aaf75b4b51c98b72c28574ecd2dc3e8caf3b6fb4dcf221604ab995a5bd535c2c2426e05e7d09e8c20973f20658f5904999c776c9f8308c8dbea7
SSDEEP

6144:3bTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:3PcrfR6ZnOkx2LIa

Score

8^/10

upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\lcPH71Boibzbht.sys	Explorer.EXE
File created	C:\Windows\System32\drivers\rrYPSy00m.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\RQ5PLGVGs5.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\9YKT3NAmiy.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\85hcM73udqYLH.tob	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\W4PRnCVt16JFF.zxo	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\kcLCgCalAyVE.dsf	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\AwlckVpTHZo.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\drivers\zrQWGHfEjY.laq	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/844-0-0x00000000001E0000-0x000000000026C000-memory.dmp	upx
behavioral1/memory/844-65-0x00000000001E0000-0x000000000026C000-memory.dmp	upx
behavioral1/memory/844-254-0x00000000001E0000-0x000000000026C000-memory.dmp	upx
behavioral1/memory/844-579-0x00000000001E0000-0x000000000026C000-memory.dmp	upx
behavioral1/memory/844-635-0x00000000001E0000-0x000000000026C000-memory.dmp	upx

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000a0000000167f8-671.dat	vmprotect
behavioral1/files/0x00180000000167f8-699.dat	vmprotect
behavioral1/files/0x00260000000167f8-728.dat	vmprotect
behavioral1/files/0x00340000000167f8-756.dat	vmprotect

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\cXbMEUdub.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\m18ExA1RfXpaQv.fxg	Explorer.EXE
File opened for modification	C:\Windows\system32\nWhlsfpogzX1I.drw	Explorer.EXE
File opened for modification	C:\Windows\system32\ImW4H6ToCM4.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\bftjy1nEkTCSMC.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\qF3SFNn9kGIg.qfq	Explorer.EXE
File opened for modification	C:\Windows\system32\mmUNmRuij8Rz.sys	Explorer.EXE
File opened for modification	C:\Windows\system32\qJOQEs7Sf1457.acb	Explorer.EXE
File opened for modification	C:\Windows\system32\rC1PM1cfq4XUnI.sys	Explorer.EXE

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\k4zkfG55c9qC.sys	Explorer.EXE
File opened for modification	C:\Program Files\ycJyq9iXv9vz.oae	Explorer.EXE
File opened for modification	C:\Program Files\PXpGkPP9IrIsd8.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\RPIij0FtiaT.gfs	Explorer.EXE
File opened for modification	C:\Program Files\Windows NT\4d57ebe7.html	Dwm.exe
File opened for modification	C:\Program Files (x86)\4nJYbDz0uhUjDk.sys	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\3ddfe9d4.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows NT\3ddfefec.js	Dwm.exe
File opened for modification	C:\Program Files\PQ0VKbagaXR.zoo	Explorer.EXE
File opened for modification	C:\Program Files (x86)\k81ZZBjdm48a.thf	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\5ccfdebe.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows NT\5ccfe7e2.js	Dwm.exe
File opened for modification	C:\Program Files\Windows NT\lib\6c47e3dd.js	Dwm.exe
File opened for modification	C:\Program Files\Uninstall Information\4d57e449.html	Explorer.EXE
File opened for modification	C:\Program Files\Windows NT\manifest.json	Dwm.exe
File opened for modification	C:\Program Files\Uninstall Information\lib\6c47d933.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\ZFufC7qiOsS1.sys	Explorer.EXE
File opened for modification	C:\Program Files\2QEeJl5K4DCd.een	Explorer.EXE
File opened for modification	C:\Program Files\o7tq2dfp5TXc.kpv	Explorer.EXE
File opened for modification	C:\Program Files\NV4kd9oKt0ko.sys	Explorer.EXE
File opened for modification	C:\Program Files\Uninstall Information\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\mgNhP0qLHF.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\kG3HYYUMviy.sys	Explorer.EXE
File opened for modification	C:\Program Files (x86)\iA8QIJYsoKT8TC.ebr	Explorer.EXE
File opened for modification	C:\Program Files (x86)\HqsTZzH4BKDb.yrz	Explorer.EXE
File opened for modification	C:\Program Files (x86)\ytFrcWnqZ9.sys	Explorer.EXE

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hEiobV19p0by.sys	Explorer.EXE
File opened for modification	C:\Windows\7gjtrbHVHbLmr.heu	Explorer.EXE
File opened for modification	C:\Windows\11rpg2UIc1PpAs.sys	Explorer.EXE
File opened for modification	C:\Windows\qYos0FluCNy5PN.yfo	Explorer.EXE
File opened for modification	C:\Windows\2gRoRVSNJz1r.pjf	Explorer.EXE
File opened for modification	C:\Windows\err_844.log	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
File created	C:\Windows\qfeSXrWwp.sys	Explorer.EXE
File opened for modification	C:\Windows\5cERx1oMJ6.sys	Explorer.EXE
File opened for modification	C:\Windows\H4UTFiFUXvfUd.evx	Explorer.EXE
File opened for modification	C:\Windows\DVDPHzAYD0.sys	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1188	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Token: SeTcbPrivilege	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Token: SeDebugPrivilege	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Token: SeDebugPrivilege	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Token: SeDebugPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	1280	Explorer.EXE
Token: SeIncBasePriorityPrivilege	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
Token: SeDebugPrivilege	1280	Explorer.EXE
Token: SeBackupPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	1236	Dwm.exe
Token: SeBackupPrivilege	1236	Dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1280	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	15
PID 844 wrote to memory of 1280	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	15
PID 844 wrote to memory of 1280	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	15
PID 844 wrote to memory of 1280	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	15
PID 844 wrote to memory of 1280	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	15
PID 844 wrote to memory of 428	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	7
PID 844 wrote to memory of 428	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	7
PID 844 wrote to memory of 428	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	7
PID 844 wrote to memory of 428	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	7
PID 844 wrote to memory of 428	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	7
PID 844 wrote to memory of 2040	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	32
PID 844 wrote to memory of 2040	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	32
PID 844 wrote to memory of 2040	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	32
PID 844 wrote to memory of 2040	844	612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe	32
PID 2040 wrote to memory of 1188	2040	cmd.exe	34
PID 2040 wrote to memory of 1188	2040	cmd.exe	34
PID 2040 wrote to memory of 1188	2040	cmd.exe	34
PID 2040 wrote to memory of 1188	2040	cmd.exe	34
PID 1280 wrote to memory of 1236	1280	Explorer.EXE	16
PID 1280 wrote to memory of 1236	1280	Explorer.EXE	16
PID 1280 wrote to memory of 1236	1280	Explorer.EXE	16
PID 1280 wrote to memory of 1236	1280	Explorer.EXE	16
PID 1280 wrote to memory of 1236	1280	Explorer.EXE	16
PID 1280 wrote to memory of 1236	1280	Explorer.EXE	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe
  "C:\Users\Admin\AppData\Local\Temp\612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe"
  2⤵
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\612572044bd877ecefa2e44f00e638aba7885cc422de3a5392f95ca41d9818ef.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1188

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
2KB

MD5
b25df32f32093aa5017278dc20341e29

SHA1
721db19673f39ca92f2f35ec7b4cd5cb93d195db

SHA256
c7d060cd2ec76a9699d7e4c34af8271b690b56d2f9a0d54013805bb31fbcabd3

SHA512
e3852ab9f5e0a917a41de5cf508b46daea56ba50fc5246585f9eb4766329beb87d2b610ccc2548be0232087f48dfd2427bc30948fdb754f7e006a2b2c169b0d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a9e43827fb0ca7c2858750473ef62701

SHA1
b49ef1c3cbed5cbf1f4e2ab51f1b89d8d9c1275b

SHA256
81baa6040bb7ee6da15cbc5ceb144454b69a5ae919821049ba9890d86de8aaa3

SHA512
b7813d1f8ae227548890223ac522de440ae8106b7e7df93aa3e1d8da3283b1f860334def62ad5fe5d89642606fba6e0e3d5e41fc758d22eecd2afd66a6feb9d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
599B

MD5
1c948680791ec4fba211ee0cf39c1e6e

SHA1
c05683ee4831ef05e2b90c20d8c4617c9b424297

SHA256
db11d0f5ff24e306e84492a9c07f7f98db0b66be123f8b3af0dc84d23eb162f2

SHA512
46daf35ad307ad97fad382171a4c3bfe550380208faf75e1861d32304d26014464c21a4975372e896adfe46fe759a63208b12c3a1d37bc996118d38dd2a8c47b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
484B

MD5
c8d2278404a52b264330d0fa14282895

SHA1
3c58ebe41525b7f52d791eb991329c67802f56c1

SHA256
021fa14d2ea4d58b6a9939f1120d15656abbcb66ac449a27e3c4ad5ef1d3a495

SHA512
ccf9d1462b34b13186f0cd1159df1d580b39fab3f7a73b65ef7f318a786a4b75b331a0f883db4208320b6253c37454cdc690fae99caa3485a82fec17d32b7665

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
408892d06045046603121f77909459a5

SHA1
692313e34554111fe973fb77a5520d6d30fb293b

SHA256
716106623dc18db891d5bd022d98801a254bf44724000421399b6faca3c428d4

SHA512
c111d8924a314a59c33f61f61831c37620da4029baf5ad7083a7a92ad5b617807d4e199b0fae35bbea2cabd071e508e83552bd3b94348f196871ef606d9bde82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c79d503b4995984f5e8497ef0fcfab9

SHA1
98a3c50ecafc54f4ba78a953b03e8b960e5a34dd

SHA256
0fdb519d36f1b551d47fec59b3325f71f642ce61921b218f441cbaa8f8f6c0ce

SHA512
6d09d9c3aa6b9647b1e8096896993cb4d62dc04bed39c769ede600150ff6dab421f4fa04291f41284c33de5c8de7348861eaffe676f6d5d04cec447f2f0f2386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
3e39f23c43686c3eb88766f084da2fab

SHA1
9e736568747f11521c3ab86cd119049185389d41

SHA256
a52ca58f03f797e18094d2c2632f6ad2c5929a84f0e39f00c8a819a8c957d4a8

SHA512
ba8862e2afbf81fad0a1166519a1a7b44fd3633e3d88fe9f50426797e9e91197a1c2e1c16d2e8a952d5ab6957180391318653c56f1d4eeff2f7bb19e3c99a5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
504B

MD5
c83887e756dc5593a55e19eb3c22b648

SHA1
7b8dc56aaa267685a9b6a7c283a789c9959f3de2

SHA256
84f03b61b28998b8388127b4d9e3b40253641b927de2e87acec4cd207039f851

SHA512
04ce736a6b68d0f0d94207cb121ea99312053bac9d31293bda50c7eba27d991c8712f364fefe8e5064d4a641306cb704ae5eb5da584da3463d99fc307ea5d7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab77E0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7B3D.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\11rpg2UIc1PpAs.sys

Filesize
447KB

MD5
6208d7fad9edc996844c827bf5743f7b

SHA1
8fd17442919d95b64471cf44db7be9d99a66e4fb

SHA256
3bd7f0ec5f5c6748f15054eac6f01b32500aa57cc610e074aebf81c29d43d954

SHA512
3465a58fd100bf251663d86168fdb67b0f6ebc9e7cf4727c6e8cf207828872f4264b52efe0aaf4d084f0536fe1df9d2e3ba31d7d0ba1e17d2f8155f025bb4091

Download Submit
C:\Windows\5cERx1oMJ6.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\DVDPHzAYD0.sys

Filesize
415KB

MD5
bad2f9bfa44df16202ec813e7afd2f7c

SHA1
a92f63b526e6611cdc0a46955681d0a478a23519

SHA256
22d508fec4b6eb90e77077843116c3dc90b4f79872048dde998e02a718712e61

SHA512
4bd668c2ef7e7392ae86cba0a71d73df1d1c8b75715e99944f63bdefcdce20b787592b75b3d2c87022be68f8de47e0adac3ba088b4d11c02ed95231c500c2681

Download Submit
C:\Windows\hEiobV19p0by.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
memory/428-592-0x00000000002D0000-0x00000000002D3000-memory.dmp

Filesize
12KB

Download
memory/428-594-0x00000000002E0000-0x0000000000308000-memory.dmp

Filesize
160KB

Download
memory/428-650-0x00000000002E0000-0x0000000000308000-memory.dmp

Filesize
160KB

Download
memory/844-0-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/844-635-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/844-65-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/844-254-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/844-579-0x00000000001E0000-0x000000000026C000-memory.dmp

Filesize
560KB

Download
memory/1236-792-0x0000000001C20000-0x0000000001C23000-memory.dmp

Filesize
12KB

Download
memory/1236-782-0x0000000001AD0000-0x0000000001B7A000-memory.dmp

Filesize
680KB

Download
memory/1236-802-0x0000000001F40000-0x0000000001FEF000-memory.dmp

Filesize
700KB

Download
memory/1236-796-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/1236-793-0x0000000001C20000-0x0000000001C23000-memory.dmp

Filesize
12KB

Download
memory/1236-794-0x0000000001F40000-0x0000000001FEF000-memory.dmp

Filesize
700KB

Download
memory/1236-791-0x0000000001C20000-0x0000000001C23000-memory.dmp

Filesize
12KB

Download
memory/1236-789-0x0000000001C20000-0x0000000001C23000-memory.dmp

Filesize
12KB

Download
memory/1280-587-0x0000000006B40000-0x0000000006BF1000-memory.dmp

Filesize
708KB

Download
memory/1280-781-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-652-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1280-583-0x0000000002A40000-0x0000000002A43000-memory.dmp

Filesize
12KB

Download
memory/1280-585-0x0000000002A40000-0x0000000002A43000-memory.dmp

Filesize
12KB

Download
memory/1280-649-0x0000000006B40000-0x0000000006BF1000-memory.dmp

Filesize
708KB

Download
memory/1280-714-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-648-0x00000000002E0000-0x0000000000308000-memory.dmp

Filesize
160KB

Download
memory/1280-646-0x0000000037040000-0x0000000037050000-memory.dmp

Filesize
64KB

Download
memory/1280-776-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-779-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-780-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-783-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-785-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-586-0x0000000002A40000-0x0000000002A43000-memory.dmp

Filesize
12KB

Download
memory/1280-589-0x0000000006B40000-0x0000000006BF1000-memory.dmp

Filesize
708KB

Download
memory/1280-590-0x000007FEBEF30000-0x000007FEBEF40000-memory.dmp

Filesize
64KB

Download
memory/1280-651-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1280-636-0x0000000006B40000-0x0000000006BF1000-memory.dmp

Filesize
708KB

Download
memory/1280-657-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-656-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1280-795-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-798-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/1280-797-0x00000000065E0000-0x00000000065E4000-memory.dmp

Filesize
16KB

Download
memory/1280-654-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-799-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-800-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-801-0x0000000006530000-0x00000000065DF000-memory.dmp

Filesize
700KB

Download
memory/1280-653-0x00000000002E0000-0x0000000000308000-memory.dmp

Filesize
160KB

Download