599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
23/11/2023, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Size

223KB
MD5

1781c76fe559d90b86da07f8eeebb23e
SHA1

2ff8f740a28b18a151835773a85ec9441e33e77d
SHA256

599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a
SHA512

43ec8cee741279f33129913a607db70c3eba44cf837ea0116916298734570cf1d48bd0d701644610f96afc412c1cab3173300f98b79a6f87a59dadf53ff31b5a
SSDEEP

6144:7wPSUONLNsuWA7koN+boRN3i4CbRcyXLAE:7OuW5o/+Rc

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\Bjx2C6gx.sys	Explorer.EXE
File created	C:\Windows\System32\drivers\5hUK1AS.sys	shadow.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "146944"	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
1800	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	shadow.exe

Loads dropped DLL 1 IoCs

pid	Process
1208	Explorer.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-0-0x0000000000CB0000-0x0000000000D1E000-memory.dmp	upx
behavioral1/memory/2940-1-0x0000000000CB0000-0x0000000000D1E000-memory.dmp	upx
behavioral1/memory/2940-97-0x0000000000CB0000-0x0000000000D1E000-memory.dmp	upx
behavioral1/memory/2940-99-0x0000000000CB0000-0x0000000000D1E000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\GujRFpr0.sys	shadow.exe
File created	C:\Windows\system32\ \Windows\System32\HjQx5a.sys	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\shadow.exe	Explorer.EXE
File opened for modification	C:\Program Files\Common Files\shadow.exe	Explorer.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MIbcI7dwg.sys	shadow.exe
File created	C:\Windows\lnIMqgkFm.sys	Explorer.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
692	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	Explorer.EXE

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	shadow.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shadow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	shadow.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	shadow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	shadow.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Token: SeTcbPrivilege	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Token: SeDebugPrivilege	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Token: SeDebugPrivilege	2700	shadow.exe
Token: SeDebugPrivilege	2700	shadow.exe
Token: SeDebugPrivilege	2700	shadow.exe
Token: SeIncBasePriorityPrivilege	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1208	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	14
PID 2940 wrote to memory of 1208	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	14
PID 2940 wrote to memory of 1208	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	14
PID 2940 wrote to memory of 1208	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	14
PID 2940 wrote to memory of 1208	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	14
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2700	1208	Explorer.EXE	28
PID 2940 wrote to memory of 424	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	3
PID 2940 wrote to memory of 424	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	3
PID 2940 wrote to memory of 424	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	3
PID 2940 wrote to memory of 424	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	3
PID 2940 wrote to memory of 424	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	3
PID 2940 wrote to memory of 1800	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	31
PID 2940 wrote to memory of 1800	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	31
PID 2940 wrote to memory of 1800	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	31
PID 2940 wrote to memory of 1800	2940	599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe	31
PID 1800 wrote to memory of 692	1800	cmd.exe	34
PID 1800 wrote to memory of 692	1800	cmd.exe	34
PID 1800 wrote to memory of 692	1800	cmd.exe	34
PID 1800 wrote to memory of 692	1800	cmd.exe	34

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe
  "C:\Users\Admin\AppData\Local\Temp\599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe"
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\599a81d9341df0b2b3afb39660432209ee2b5a17093e54335bb0f2decbd3d56a.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:692
- C:\Program Files\Common Files\shadow.exe
  "C:\Program Files\Common Files\shadow.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\shadow.exe

Filesize
21KB

MD5
c92170f5ffab62a94d5435ad5259f30a

SHA1
ab8b2069cc46598bd1be09d7997717ef01c2fce6

SHA256
8412c442f961a20c7dd1d1a9deafab3b00433d9f6d3d8e7bc796259775bd5f19

SHA512
75e02466b99bf9845fd7e32550e6ca5f0c76c1f37c04b9c3d4d65ec056829c3f38f52d204184ad557247024000a0a5de14b9cf3a389015489c5c2a0df52fcc0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
e375de8ddb841fb8499fc4545685251a

SHA1
806f378ed971e9c95cba8a19a0e727d4b9f09565

SHA256
6e51af81a183e4a14518743c951d95c31aa8e5b3dbf8fec33e10b4778cb2b087

SHA512
dd7389467917191ba82cb447d545667521ac3539950c3685976c0439419fc0235a353f5e3172f1255c086abe3073d5e967907dd647bc5f0898e15984882f557c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173

Filesize
1KB

MD5
6d081ca365bc3f726ac902852a924179

SHA1
3d19b35f28bae7a0aed65da032db2e91644a3da5

SHA256
887a147733c2a13409b79dd48f3d3ed3729a6d3ab1747d3343b42f7403f6c400

SHA512
1419be1acd325ff1e17331d56ae4f746d103828e8974062b32a1d07e9899856f9b03c48872ca4250e7520b7f5bfb1d85498bd9c2af5d1ed13d94d4d5a168e37b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
f9b2136095cd9f6962acf30db0f88ea3

SHA1
ee733a92d268ed2b6176fffd163217e8ce149867

SHA256
44d4b3026737e36fc0ed6016bc8298c20613cb605a5c7912cde92fe90d02ffa1

SHA512
b74c0f4bd93fb8864df9395e45d60e22c92dc37378ce52174633f92e2c29970d5e9de25159f52980303664d62c940bfea332572b0ef2087df4b1b3bb246a43b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475

Filesize
471B

MD5
3d9e06560347f60c10fbadc8d750778f

SHA1
10898837167ca09dc1fd9b5a1d4a8d9654fd844b

SHA256
c6a316bedf5fe0e5536500dcdd3f3cea2c024503bffbd503af2aabbd05630e62

SHA512
f4bbb7dd4d981db40735c85838a289812bac7982b955ba4cf9d2432883a585d3f0ca4cb72aea0fd090f7291a02da9bc55c67b8bbd4be468fd7a8dc07a1965c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
33a920bd9ca7e82252d94d04950bb80d

SHA1
b9b82b8a5f7c9c8e76c9eec86a8e6a7e44645ef1

SHA256
6f2728854f62d3df499929a501d6502bfadca9989f1750c4a7ffc983680406de

SHA512
7d08049cfd3e9e50dca8bdbe47ab26f6ccfdc637dbec7f0c7413287374300e253c3b0e861369ac1da57d5da972a1e26e1745744366a33c5d794602a42f971543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
4ec3e8adc84462635943ee21273ad60a

SHA1
2b36b179cff6b4e99bf66dff777447509ba91be4

SHA256
1bb563470d29db937d97aae1f6a9ea2f13abc4e40d204520eeac24437f984d1f

SHA512
ee1c5cc1080dc454fa9e80f692dc1b8e2ae3a3bc7c3e3da1e5bbd160686658cf0bf4f7cce49ad6116e26f915ae9be7e3737b6af5951c8010412f88718cdcd0cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173

Filesize
540B

MD5
581faea577bffeb0aa97db6a5a60e79a

SHA1
a70d0b7187e21a374abdb2e4c4ba353d90848d06

SHA256
574700da05b7cf4f27d0db34d8bb6ced1d1badbc4b5ce9ae59453efdc9cdd1cc

SHA512
5d41958c7474fda9dea854c8d2faf591497d8fbb59ba900af435fdfe3985eaa0b6b91f30d7ae6248f12a0a05889ceb1504e100a715e5df769409d5ce105887e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
3a6d5737d7f9eb9b31388949dc158f9c

SHA1
07e653d4480b179e03f1752029ef9178083a28b6

SHA256
725da847f97ef8eac9bb66ba548694b43f5d061d251752f16190a60ac990faf5

SHA512
d1f10df1ad40a27751ef723cc1bd5f38ed6fd306c272fc8bfac7dc9c873aff09ae390b7816dac135ae61448c3d945d114440769f1d847d4ab4aeb3b7da5bbb3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31506fa6307eacf6a2e3540bd59ff8d9

SHA1
71048f764f5d4643bcdf2c36699d3e7530140a34

SHA256
8ccf22ccde112d54b8927d3264c797122891e2be5d90921ace05e1a5c50341b9

SHA512
ff3478a704f2642272d46813217978c60f7c3e49ba540a5d20cd25a1befa1ac458196fc2ea9b3baab2eafe688852b7070dfe39eca16652da43a1c7e5ade49746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc17e050bcfa35d89e9e7b88d13fdbd3

SHA1
f1008133ca11534461ede2adc50bb988a9aff4df

SHA256
ad8b4021d170f300789b97ba4a44145c85266392139fb4d5983a384047393eb5

SHA512
8238744c581d980fa442f2b0afd6b7178b444d89486fab79795eaa30f14aaa0280883bbfabdf92105c2a6e28a80026e84356589c002721e596730d7680ba7e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475

Filesize
398B

MD5
04d598640bb0bcdc1c5db3b34f2885a5

SHA1
1e9b93c6671deb2903cd152b20a8a42fd817c969

SHA256
fba855a5e42edef90b5a1ed541976a9177964aedf30cac822d7e95f320c6a9a7

SHA512
9c30bf1eaefa2daa73ebe1b9b2ab1520ff1ff43262e8b82a678e9b5b8296c4644d2d54672d53b3ad8fccd7c511fb486487621c85389db251b37cb979a7629ede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
5b7cf9016e7f0de29a4d9a3f5f5ffc1c

SHA1
d7d31035f6a1868e6abae4b4fabf3a3e45789b84

SHA256
8be6c578b15e64778b8dc4681c2a0d42f4bd31ba60bd16f8749ff0705effbb83

SHA512
9aa38c6691dba3810c23993470bf7828061e8d6c88ce5cdf70ffa99e5e3c83e1f8805cac5bd2d4bb4895ec977783c4e9451b1fe06e6b92dc5ac82407a36efe52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab892F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA0D2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\Program Files\Common Files\shadow.exe

Filesize
21KB

MD5
c92170f5ffab62a94d5435ad5259f30a

SHA1
ab8b2069cc46598bd1be09d7997717ef01c2fce6

SHA256
8412c442f961a20c7dd1d1a9deafab3b00433d9f6d3d8e7bc796259775bd5f19

SHA512
75e02466b99bf9845fd7e32550e6ca5f0c76c1f37c04b9c3d4d65ec056829c3f38f52d204184ad557247024000a0a5de14b9cf3a389015489c5c2a0df52fcc0f

Download Submit
memory/424-46-0x00000000004B0000-0x00000000004B3000-memory.dmp

Filesize
12KB

Download
memory/424-48-0x00000000004C0000-0x00000000004E8000-memory.dmp

Filesize
160KB

Download
memory/1208-149-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/1208-156-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-261-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/1208-260-0x00000000099E0000-0x0000000009A80000-memory.dmp

Filesize
640KB

Download
memory/1208-174-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-172-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-98-0x0000000004DC0000-0x0000000004EB7000-memory.dmp

Filesize
988KB

Download
memory/1208-170-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-101-0x0000000004DC0000-0x0000000004EB7000-memory.dmp

Filesize
988KB

Download
memory/1208-168-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-166-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-114-0x00000000049B0000-0x0000000004A7B000-memory.dmp

Filesize
812KB

Download
memory/1208-116-0x00000000049B0000-0x0000000004A7B000-memory.dmp

Filesize
812KB

Download
memory/1208-118-0x000007FEBE130000-0x000007FEBE140000-memory.dmp

Filesize
64KB

Download
memory/1208-164-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-162-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-160-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-158-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-23-0x0000000004DC0000-0x0000000004EB7000-memory.dmp

Filesize
988KB

Download
memory/1208-21-0x0000000002BB0000-0x0000000002BB3000-memory.dmp

Filesize
12KB

Download
memory/1208-22-0x0000000004DC0000-0x0000000004EB7000-memory.dmp

Filesize
988KB

Download
memory/1208-20-0x0000000002BB0000-0x0000000002BB3000-memory.dmp

Filesize
12KB

Download
memory/1208-19-0x0000000002BB0000-0x0000000002BB3000-memory.dmp

Filesize
12KB

Download
memory/1208-154-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/1208-142-0x0000000037C10000-0x0000000037C20000-memory.dmp

Filesize
64KB

Download
memory/1208-144-0x00000000049B0000-0x0000000004A7B000-memory.dmp

Filesize
812KB

Download
memory/1208-145-0x00000000049B0000-0x0000000004A7B000-memory.dmp

Filesize
812KB

Download
memory/1208-146-0x0000000003B00000-0x0000000003B0F000-memory.dmp

Filesize
60KB

Download
memory/1208-148-0x00000000099E0000-0x0000000009A80000-memory.dmp

Filesize
640KB

Download
memory/1208-147-0x00000000099E0000-0x0000000009A80000-memory.dmp

Filesize
640KB

Download
memory/1208-151-0x00000000049B0000-0x0000000004A7B000-memory.dmp

Filesize
812KB

Download
memory/1208-153-0x00000000049B0000-0x0000000004A7B000-memory.dmp

Filesize
812KB

Download
memory/2700-39-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2700-40-0x0000000001DC0000-0x0000000001E8B000-memory.dmp

Filesize
812KB

Download
memory/2700-43-0x000007FEBE130000-0x000007FEBE140000-memory.dmp

Filesize
64KB

Download
memory/2700-27-0x0000000000150000-0x0000000000213000-memory.dmp

Filesize
780KB

Download
memory/2700-29-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2700-35-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2700-44-0x0000000001DC0000-0x0000000001E8B000-memory.dmp

Filesize
812KB

Download
memory/2700-102-0x0000000001DC0000-0x0000000001E8B000-memory.dmp

Filesize
812KB

Download
memory/2700-41-0x0000000001DC0000-0x0000000001E8B000-memory.dmp

Filesize
812KB

Download
memory/2700-100-0x0000000037C10000-0x0000000037C20000-memory.dmp

Filesize
64KB

Download
memory/2940-97-0x0000000000CB0000-0x0000000000D1E000-memory.dmp

Filesize
440KB

Download
memory/2940-1-0x0000000000CB0000-0x0000000000D1E000-memory.dmp

Filesize
440KB

Download
memory/2940-0-0x0000000000CB0000-0x0000000000D1E000-memory.dmp

Filesize
440KB

Download
memory/2940-99-0x0000000000CB0000-0x0000000000D1E000-memory.dmp

Filesize
440KB

Download