2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2023, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
Size

625KB
MD5

1397cf8d91b63946171a9133d5e9cec7
SHA1

1a1acbeb404dc06a8a50247480059dbb4e6ea41e
SHA256

2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7
SHA512

ea8bf3b87c6cc7113a85744dfd5fe8bc493c8becb5cde726fa6a5dd78a95fba523b5d55b0110b35ea423a97c7f65f1f3249f18cadb2d7f668e7e928770ee3e93
SSDEEP

6144:YZmsQhU+bZVx5rLKJzu6gLP44ZwcDy/qF6cEOkCybEaQRXr9HNdvOapLj7iq2zr3:8UF30Ngj44ecDyfOkx2LIapLyV

Score

10^/10

vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3312 created 620	3312	Explorer.EXE	3

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\JHyDYXb4DBz.jlg	tskill.exe
File opened for modification	C:\Windows\system32\drivers\7d7VVVoqXV0t.vfz	tskill.exe
File opened for modification	C:\Windows\system32\drivers\nkCttQJWpSp.sys	tskill.exe
File opened for modification	C:\Windows\system32\drivers\Lb5e1yB08qT.eyp	tskill.exe
File opened for modification	C:\Windows\system32\drivers\o3Rm5V31F7.sys	tskill.exe
File created	C:\Windows\System32\drivers\c2zUtE8.sys	tskill.exe
File opened for modification	C:\Windows\system32\drivers\3OtzWsxaRB9.sys	tskill.exe
File opened for modification	C:\Windows\system32\drivers\Zn2YcDJHwuLN.sys	tskill.exe
File opened for modification	C:\Windows\system32\drivers\dy4AZx5dCAiZ.pft	tskill.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe

Executes dropped EXE 1 IoCs

pid	Process
3984	tskill.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000a000000022e36-84.dat	vmprotect
behavioral2/files/0x0018000000022e36-142.dat	vmprotect
behavioral2/files/0x0026000000022e36-198.dat	vmprotect
behavioral2/files/0x0034000000022e36-254.dat	vmprotect

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\aEfOnDzLsK97.ilx	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	tskill.exe
File opened for modification	C:\Windows\system32\xz3QUH7EDEWo.sys	tskill.exe
File opened for modification	C:\Windows\system32\IIiSge6sOxsx2.sys	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	tskill.exe
File opened for modification	C:\Windows\system32\jcwl0u4g7oGr.kcr	tskill.exe
File opened for modification	C:\Windows\system32\KYZvYJ3FngOxor.zet	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	tskill.exe
File created	C:\Windows\system32\ \Windows\System32\u0X7uf.sys	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	tskill.exe
File opened for modification	C:\Windows\system32\ubQ5CpmessJIm2.nob	tskill.exe
File opened for modification	C:\Windows\system32\qNt6MXzfIkfgJ.sys	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	tskill.exe
File opened for modification	C:\Windows\system32\sjKEAnz2jFv.sys	tskill.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\z8UV838nTW9.hmu	tskill.exe
File opened for modification	C:\Program Files\l1yfEOL86SX.jpr	tskill.exe
File opened for modification	C:\Program Files\ntG76YcnrH.sys	tskill.exe
File opened for modification	C:\Program Files (x86)\ryiDB840xMVsF8.sys	tskill.exe
File opened for modification	C:\Program Files\Windows Security\47b8a80c.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\gM8b7JAwlX7.ohn	tskill.exe
File opened for modification	C:\Program Files (x86)\lU8564uNOk.sys	tskill.exe
File opened for modification	C:\Program Files\ycSDDWMAKpcng.sys	tskill.exe
File opened for modification	C:\Program Files (x86)\EWjNxT6IRXIyHr.sys	tskill.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\manifest.json	tskill.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\47b8a80c.html	tskill.exe
File opened for modification	C:\Program Files\Y5ePZbu2ysBIb.ndz	tskill.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\39608670.js	tskill.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\lib\6468eb44.js	tskill.exe
File opened for modification	C:\Program Files\mJglGZDOfwW7Ee.sys	tskill.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\5610c9a8.js	tskill.exe
File opened for modification	C:\Program Files\Windows Security\lib\6468eb44.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\8Ln1GJh89Iv.ltm	tskill.exe
File opened for modification	C:\Program Files (x86)\zykjpWXZNRVO4A.rum	tskill.exe
File opened for modification	C:\Program Files\VFYPFXHNOL.sys	tskill.exe
File opened for modification	C:\Program Files (x86)\jHPnnuvluODl.sys	tskill.exe
File opened for modification	C:\Program Files\TywtdrvquT7.ykf	tskill.exe
File opened for modification	C:\Program Files\Windows Security\39608670.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows Security\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files (x86)\2Erg0EBn9tPV.pjn	tskill.exe
File opened for modification	C:\Program Files\Windows Security\5610c9a8.js	Explorer.EXE

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\26rsYZF58Zu4.djy	tskill.exe
File opened for modification	C:\Windows\Vdt7J4faREdsB9.yjp	tskill.exe
File opened for modification	C:\Windows\Ser2yJLhpDes2.sys	tskill.exe
File opened for modification	C:\Windows\Inf\tskill.exe	Explorer.EXE
File opened for modification	C:\Windows\8n3mGQ0A0LwkKW.sys	tskill.exe
File opened for modification	C:\Windows\bvPqBzPF8I.sys	tskill.exe
File opened for modification	C:\Windows\nWeMWwdSlxO.sqf	tskill.exe
File opened for modification	C:\Windows\PEqiZ51FATyYmH.sys	tskill.exe
File opened for modification	C:\Windows\uFu6oCMznX.bez	tskill.exe
File created	C:\Windows\Inf\tskill.exe	Explorer.EXE
File created	C:\Windows\q8X7kz.sys	tskill.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tskill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tskill.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	tskill.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4344	timeout.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	tskill.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	tskill.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	tskill.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	tskill.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tskill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe
3984	tskill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3312	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
Token: SeTcbPrivilege	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
Token: SeDebugPrivilege	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
Token: SeDebugPrivilege	3312	Explorer.EXE
Token: SeDebugPrivilege	3312	Explorer.EXE
Token: SeDebugPrivilege	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
Token: SeDebugPrivilege	3984	tskill.exe
Token: SeDebugPrivilege	3984	tskill.exe
Token: SeDebugPrivilege	3984	tskill.exe
Token: SeIncBasePriorityPrivilege	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeDebugPrivilege	3984	tskill.exe
Token: SeBackupPrivilege	3984	tskill.exe
Token: SeDebugPrivilege	3984	tskill.exe
Token: SeDebugPrivilege	3984	tskill.exe
Token: SeDebugPrivilege	3312	Explorer.EXE
Token: SeBackupPrivilege	3312	Explorer.EXE
Token: SeDebugPrivilege	60	dwm.exe
Token: SeBackupPrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3312	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3312	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3312	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	42
PID 3948 wrote to memory of 3312	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	42
PID 3948 wrote to memory of 3312	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	42
PID 3948 wrote to memory of 3312	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	42
PID 3948 wrote to memory of 3312	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	42
PID 3312 wrote to memory of 3984	3312	Explorer.EXE	94
PID 3312 wrote to memory of 3984	3312	Explorer.EXE	94
PID 3312 wrote to memory of 3984	3312	Explorer.EXE	94
PID 3312 wrote to memory of 3984	3312	Explorer.EXE	94
PID 3312 wrote to memory of 3984	3312	Explorer.EXE	94
PID 3312 wrote to memory of 3984	3312	Explorer.EXE	94
PID 3312 wrote to memory of 3984	3312	Explorer.EXE	94
PID 3948 wrote to memory of 620	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	3
PID 3948 wrote to memory of 620	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	3
PID 3948 wrote to memory of 620	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	3
PID 3948 wrote to memory of 620	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	3
PID 3948 wrote to memory of 620	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	3
PID 3948 wrote to memory of 3832	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	99
PID 3948 wrote to memory of 3832	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	99
PID 3948 wrote to memory of 3832	3948	2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe	99
PID 3832 wrote to memory of 4344	3832	cmd.exe	101
PID 3832 wrote to memory of 4344	3832	cmd.exe	101
PID 3832 wrote to memory of 4344	3832	cmd.exe	101
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42
PID 3984 wrote to memory of 3312	3984	tskill.exe	42

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\Inf\tskill.exe
  "C:\Windows\Inf\tskill.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3984

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe
  "C:\Users\Admin\AppData\Local\Temp\2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2da8e90dd0a8b97173c4d0084eb3735c6a9f86018b4ba528477087dc367d79d7.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\8n3mGQ0A0LwkKW.sys

Filesize
165KB

MD5
5beef048872e9115c4ad0464037d9bcb

SHA1
c3aadb76c322cbf2904b7f94db8648b17bf9647a

SHA256
2a1ddd0e0f720a58834966955afd0906f79a4abcaf65bd9c925961b488b3a6aa

SHA512
a178012406bb7820dd6a40cbd78b27abbf9ec478660bb0a559137a644134b56e7fd8e0aa837fa73e78fcf270c69db2d998f42c277298bc0afa14e3f31e602868

Download Submit
C:\Windows\INF\tskill.exe

Filesize
24KB

MD5
2393d4f762fb671d92a59388109c24d4

SHA1
2e27346b7cff97619923c3e3199e68e7b91d142b

SHA256
8d9373ebd69f42153b0b47dbda2174811599db91630651ca01627ac1795f8d56

SHA512
9eaa9cd2813f8864244547fbc81ba6759f63e32f73ed2394dfa311ff60a9727e47dbdcf42d1aafb5e6c5a40a43a83ae32f5fa443083319f5b6b1e73457c59758

Download Submit
C:\Windows\Inf\tskill.exe

Filesize
24KB

MD5
2393d4f762fb671d92a59388109c24d4

SHA1
2e27346b7cff97619923c3e3199e68e7b91d142b

SHA256
8d9373ebd69f42153b0b47dbda2174811599db91630651ca01627ac1795f8d56

SHA512
9eaa9cd2813f8864244547fbc81ba6759f63e32f73ed2394dfa311ff60a9727e47dbdcf42d1aafb5e6c5a40a43a83ae32f5fa443083319f5b6b1e73457c59758

Download Submit
C:\Windows\PEqiZ51FATyYmH.sys

Filesize
165KB

MD5
240fe254754a2fe23cfb1dfb7ab292d9

SHA1
dd4945ee3955c1bb1e2a54aa13a235b41ffae57a

SHA256
466fdedb0a54e3502f3d1a8cac0646729c55f17a808fcfb51c8cb489012fa978

SHA512
5a418e34ba794c11203a174e47f1a822b42efd452d3bcf1a6e656f6b970a08f1e4b42d1aab08866f5b08348114343803a8baa47946d725bfdde069757099a739

Download Submit
C:\Windows\Ser2yJLhpDes2.sys

Filesize
165KB

MD5
9a94d69f8a86357d5ed8f062334c2c60

SHA1
11f2b863f02a4af2e9c3cedaaf7955beeb0ca4e8

SHA256
de0f3496ebdd9870413fb60fce4f36fb7aa5f8dc4dda4341634978c931aa62b7

SHA512
72a08c144fc6c34d879016dfc85f8140d22a6cb47a4904e3140b70657936388cc71b5639ab2f0d86c3def9a5cd38abf66f98180fd53f6f86ef506aaf0f3eee21

Download Submit
C:\Windows\bvPqBzPF8I.sys

Filesize
165KB

MD5
a9147d9136c83671340463124184052c

SHA1
e6cb150312bc325ff89030b75ba9c5da9bd24760

SHA256
ca5e6188650898e3481ba599a737bb8bf3ad23e2bfffb15a34e55b5fc3e36188

SHA512
9aa4f70a8399a9e56ceedf418e77d1cc731a05fa53d25667604f11500211c643486ceb79b6f8ddcda52955d7da0083838d103992ae77770695aba1b7eb2cd009

Download Submit
memory/60-313-0x0000023459930000-0x0000023459934000-memory.dmp

Filesize
16KB

Download
memory/60-311-0x0000023459920000-0x0000023459921000-memory.dmp

Filesize
4KB

Download
memory/60-310-0x00000234597E0000-0x0000023459903000-memory.dmp

Filesize
1.1MB

Download
memory/60-323-0x00000234597E0000-0x0000023459903000-memory.dmp

Filesize
1.1MB

Download
memory/620-59-0x000001F846310000-0x000001F846311000-memory.dmp

Filesize
4KB

Download
memory/620-14-0x000001F8462A0000-0x000001F8462A3000-memory.dmp

Filesize
12KB

Download
memory/620-17-0x000001F846310000-0x000001F846311000-memory.dmp

Filesize
4KB

Download
memory/620-16-0x000001F8462B0000-0x000001F8462D8000-memory.dmp

Filesize
160KB

Download
memory/620-58-0x000001F8462B0000-0x000001F8462D8000-memory.dmp

Filesize
160KB

Download
memory/3312-308-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3312-50-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3312-1-0x0000000002350000-0x0000000002353000-memory.dmp

Filesize
12KB

Download
memory/3312-322-0x0000000008840000-0x0000000008963000-memory.dmp

Filesize
1.1MB

Download
memory/3312-317-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3312-315-0x0000000008970000-0x0000000008974000-memory.dmp

Filesize
16KB

Download
memory/3312-52-0x00000000083D0000-0x00000000084C7000-memory.dmp

Filesize
988KB

Download
memory/3312-316-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3312-312-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3312-6-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3312-314-0x00000000029C0000-0x00000000029C3000-memory.dmp

Filesize
12KB

Download
memory/3312-8-0x00000000083D0000-0x00000000084C7000-memory.dmp

Filesize
988KB

Download
memory/3312-309-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3312-66-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3312-0-0x0000000002350000-0x0000000002353000-memory.dmp

Filesize
12KB

Download
memory/3984-64-0x000001BA7A9C0000-0x000001BA7A9C1000-memory.dmp

Filesize
4KB

Download
memory/3984-12-0x000001BA79000000-0x000001BA790CB000-memory.dmp

Filesize
812KB

Download
memory/3984-95-0x000001BA7BCE0000-0x000001BA7BEA5000-memory.dmp

Filesize
1.8MB

Download
memory/3984-127-0x000001BA7E180000-0x000001BA7E2A3000-memory.dmp

Filesize
1.1MB

Download
memory/3984-49-0x000001BA7A9B0000-0x000001BA7A9B1000-memory.dmp

Filesize
4KB

Download
memory/3984-48-0x00007FFEB5DA0000-0x00007FFEB5DB0000-memory.dmp

Filesize
64KB

Download
memory/3984-9-0x000001BA79000000-0x000001BA790CB000-memory.dmp

Filesize
812KB

Download
memory/3984-11-0x00007FFEB5DA0000-0x00007FFEB5DB0000-memory.dmp

Filesize
64KB

Download
memory/3984-295-0x000001BA7E330000-0x000001BA7E331000-memory.dmp

Filesize
4KB

Download
memory/3984-303-0x000001BA00EB0000-0x000001BA00FD0000-memory.dmp

Filesize
1.1MB

Download
memory/3984-306-0x000001BA00EB0000-0x000001BA00FD3000-memory.dmp

Filesize
1.1MB

Download
memory/3984-68-0x000001BA7BCD0000-0x000001BA7BCD1000-memory.dmp

Filesize
4KB

Download
memory/3984-67-0x000001BA7E180000-0x000001BA7E2A3000-memory.dmp

Filesize
1.1MB

Download
memory/3984-69-0x000001BA7A9E0000-0x000001BA7A9E1000-memory.dmp

Filesize
4KB

Download
memory/3984-53-0x000001BA7A9E0000-0x000001BA7A9E1000-memory.dmp

Filesize
4KB

Download
memory/3984-62-0x000001BA7A9D0000-0x000001BA7A9D1000-memory.dmp

Filesize
4KB

Download
memory/3984-61-0x000001BA7A9B0000-0x000001BA7A9B1000-memory.dmp

Filesize
4KB

Download
memory/3984-60-0x000001BA7BCE0000-0x000001BA7BEA5000-memory.dmp

Filesize
1.8MB

Download
memory/3984-51-0x000001BA7A9C0000-0x000001BA7A9C1000-memory.dmp

Filesize
4KB

Download
memory/3984-56-0x000001BA79110000-0x000001BA79111000-memory.dmp

Filesize
4KB

Download
memory/3984-57-0x000001BA7A9C0000-0x000001BA7A9C1000-memory.dmp

Filesize
4KB

Download
memory/3984-318-0x000001BA7E330000-0x000001BA7E331000-memory.dmp

Filesize
4KB

Download
memory/3984-319-0x000001BA7E490000-0x000001BA7E491000-memory.dmp

Filesize
4KB

Download
memory/3984-320-0x000001BA00EB0000-0x000001BA00FD0000-memory.dmp

Filesize
1.1MB

Download
memory/3984-321-0x000001BA00EB0000-0x000001BA00FD3000-memory.dmp

Filesize
1.1MB

Download
memory/3984-55-0x000001BA79000000-0x000001BA790CB000-memory.dmp

Filesize
812KB

Download
memory/3984-54-0x000001BA7A9D0000-0x000001BA7A9D1000-memory.dmp

Filesize
4KB

Download