Analysis
max time kernel: 153s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
submitted: 26-11-2023 23:59
Behavioral task: behavioral1
Sample: a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Resource: win7-20231023-en
General
Target: a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Size: 223KB
MD5: 8d3f2f53848fd102286d88695f8a223a
SHA1: 6c1990c0d2a15bdd6d259122f4341f5f9c23281b
SHA256: a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f
SHA512: f5ce8c099b0e50ed1cf217281ab7d0e3900415ad43fb4d9dac8a06aad9700585394f0d29d4c4c747e398f00d7de50e79b2730560bdd9015c792f7e3e6cefd80e
SSDEEP: 3072:QZ7wXfSRZ0ON/EwW66wN94xu4CkAZJM2k5D66L+NfGbVON2Nqi/6gS5UoWXHz72n:YwPSUONLNsuWA7koN+boRi9S6oiz72D
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 3104 created 628 | 3104 | Explorer.EXE | 4
Drops file in Drivers directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\9eHhtRmDla3.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\drivers\3wDjMk657RO3j.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\drivers\petK0VDhGFTyJ.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\drivers\Nu3cyXJVYdx.dwc | AxInstUI.exe
File created | C:\Windows\System32\drivers\dRHQfW.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\drivers\TBAqL4uQMq.ygj | AxInstUI.exe
File opened for modification | C:\Windows\system32\drivers\MBu5YLbAJLZSmy.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\drivers\kDQ95UaPkh.cue | AxInstUI.exe
File opened for modification | C:\Windows\system32\drivers\BFHmzFzDZCKPa5.sgm | AxInstUI.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Executes dropped EXE (1 IoC)
pid | Process
3872 | AxInstUI.exe
resource | yara_rule
behavioral2/memory/3936-0-0x0000000000420000-0x000000000048E000-memory.dmp | upx
behavioral2/memory/3936-24-0x0000000000420000-0x000000000048E000-memory.dmp | upx
behavioral2/memory/3936-51-0x0000000000420000-0x000000000048E000-memory.dmp | upx
Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description | ioc
Destination | IP 114.114.114.114
resource | yara_rule
behavioral2/files/0x000c000000022e10-101.dat | vmprotect
behavioral2/files/0x001a000000022e10-162.dat | vmprotect
behavioral2/files/0x0028000000022e10-218.dat | vmprotect
behavioral2/files/0x0034000000022e10-274.dat | vmprotect
Drops file in System32 directory (23 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\cN8uDBHPXo9Np.hva | AxInstUI.exe
File opened for modification | C:\Windows\system32\NQLcDmrSYNLJhG.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\Ui2DCpBN3CHD0.eqt | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | AxInstUI.exe
File created | C:\Windows\system32\ \Windows\System32\gadZwHPx.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\b0LrTCDoqmpPD.ntu | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | AxInstUI.exe
File opened for modification | C:\Windows\system32\11tjqaiwgdKK.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\ZQsINinN985.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 | AxInstUI.exe
File opened for modification | C:\Windows\system32\2QVKIPad19i.sys | AxInstUI.exe
File opened for modification | C:\Windows\system32\FqmJqI1fQRPk1.aul | AxInstUI.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E | AxInstUI.exe
Drops file in Program Files directory (26 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Windows Multimedia Platform\561249d2.js | Explorer.EXE
File opened for modification | C:\Program Files\Windows Media Player\manifest.json | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Media Player\47b9dce5.html | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\manifest.json | Explorer.EXE
File opened for modification | C:\Program Files\xL0jddT0EJoS.zkv | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\lib\646aab75.js | Explorer.EXE
File opened for modification | C:\Program Files\9W6gQs5oWx.sys | AxInstUI.exe
File opened for modification | C:\Program Files (x86)\zc44halkgwI2oa.kle | AxInstUI.exe
File opened for modification | C:\Program Files\p2bcVSg0THJr.xvy | AxInstUI.exe
File opened for modification | C:\Program Files (x86)\6RM8u2nDRBDjO.sys | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\3961868c.js | Explorer.EXE
File opened for modification | C:\Program Files (x86)\6A3z5EG6HiZz.sys | AxInstUI.exe
File opened for modification | C:\Program Files\C9IoEGn7NwtOD.hna | AxInstUI.exe
File opened for modification | C:\Program Files\nYe1MWkgvCEDS.sys | AxInstUI.exe
File opened for modification | C:\Program Files (x86)\uuDjcJET9c.phq | AxInstUI.exe
File opened for modification | C:\Program Files\JjGYUA4myFN.sys | AxInstUI.exe
File opened for modification | C:\Program Files (x86)\tsXKIcneOBqDOm.ipg | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\47b9e82f.html | Explorer.EXE
File opened for modification | C:\Program Files (x86)\KsV9TcUXBL.sys | AxInstUI.exe
File opened for modification | C:\Program Files\vjUxr5uFOyJ.jcu | AxInstUI.exe
File opened for modification | C:\Program Files\MrmRELn3kw.sys | AxInstUI.exe
File opened for modification | C:\Program Files (x86)\j51uE9eEO4E1.jku | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Media Player\39617d84.js | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Media Player\56123c46.js | AxInstUI.exe
File opened for modification | C:\Program Files\Windows Media Player\lib\646a9ba7.js | AxInstUI.exe
File opened for modification | C:\Program Files (x86)\9d3f4fbc2rpNN.sys | AxInstUI.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\AuctI6Y043cP0.ftb | AxInstUI.exe
File opened for modification | C:\Windows\gGzfdMyeGgrWO.sys | AxInstUI.exe
File created | C:\Windows\AxInstUI.exe | Explorer.EXE
File opened for modification | C:\Windows\lgwBEPT4BWD.sys | AxInstUI.exe
File opened for modification | C:\Windows\hiCXRSkKIMS.sys | AxInstUI.exe
File opened for modification | C:\Windows\ckdIL9oDPhGCRG.ohp | AxInstUI.exe
File opened for modification | C:\Windows\zXpVvUbga30fhu.bsw | AxInstUI.exe
File opened for modification | C:\Windows\AxInstUI.exe | Explorer.EXE
File created | C:\Windows\gqkFAIuV7.sys | AxInstUI.exe
File opened for modification | C:\Windows\QROqVEZgVzoYI.wju | AxInstUI.exe
File opened for modification | C:\Windows\HxvepsN062B2lG.sys | AxInstUI.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | AxInstUI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | AxInstUI.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | AxInstUI.exe
Delays execution with timeout.exe (1 IoC)
pid | Process
316 | timeout.exe
Modifies data under HKEY_USERS (12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | AxInstUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | AxInstUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | AxInstUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | diskraid.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | AxInstUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | AxInstUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | AxInstUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | AxInstUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | AxInstUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | diskraid.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | diskraid.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | AxInstUI.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | rows
3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe | 10
3104 | Explorer.EXE | 28
468 | diskraid.exe | 2
3872 | AxInstUI.exe | 24
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3104 | Explorer.EXE
Suspicious behavior: LoadsDriver (59 IoCs)
pid | Process | rows
668 | Process not Found | 59
Suspicious use of AdjustPrivilegeToken (26 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Token: SeTcbPrivilege | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Token: SeDebugPrivilege | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Token: SeDebugPrivilege | 3104 | Explorer.EXE
Token: SeDebugPrivilege | 3104 | Explorer.EXE
Token: SeDebugPrivilege | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeIncBasePriorityPrivilege | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe
Token: SeShutdownPrivilege | 3104 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3104 | Explorer.EXE
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeBackupPrivilege | 3872 | AxInstUI.exe
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeDebugPrivilege | 3872 | AxInstUI.exe
Token: SeDebugPrivilege | 3104 | Explorer.EXE
Token: SeBackupPrivilege | 3104 | Explorer.EXE
Token: SeDebugPrivilege | 60 | dwm.exe
Token: SeBackupPrivilege | 60 | dwm.exe
Token: SeShutdownPrivilege | 60 | dwm.exe
Token: SeCreatePagefilePrivilege | 60 | dwm.exe
Token: SeShutdownPrivilege | 60 | dwm.exe
Token: SeCreatePagefilePrivilege | 60 | dwm.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3104 | Explorer.EXE
Suspicious use of UnmapMainImage (1 IoC)
pid | Process
3104 | Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | rows
PID 3936 wrote to memory of 3104 | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe | 43 | 5
PID 3104 wrote to memory of 3872 | 3104 | Explorer.EXE | 91 | 7
PID 3936 wrote to memory of 628 | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe | 4 | 5
PID 3936 wrote to memory of 1968 | 3936 | a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe | 95 | 3
PID 1968 wrote to memory of 316 | 1968 | cmd.exe | 97 | 3
PID 3872 wrote to memory of 468 | 3872 | AxInstUI.exe | 98 | 7
PID 3872 wrote to memory of 3104 | 3872 | AxInstUI.exe | 43 | 34
Processes
(image path | command line | PID; children are indented under their parent)

C:\Windows\system32\winlogon.exe | winlogon.exe | PID:628
  C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\AxInstUI.exe | "C:\Windows\AxInstUI.exe" | PID:3872
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\diskraid.exe | "C:\Windows\system32\diskraid.exe" | PID:468
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3104
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe | "C:\Users\Admin\AppData\Local\Temp\a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe" | PID:3936
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\a58814b3eedd304e4dee9c2ce80dfd80895ba6711e1d0478dd276f4e62f77b6f.exe" | PID:1968
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe | timeout /t 1 | PID:316
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 59KB
MD5: 7c4330ca1c347c2df864d94221638649
SHA1: 67777e34d95bbc864ce084b71f3dca87ebabcd5f
SHA256: 23692fe79cb8e509356399155f22016e067c68b79c94cf149b4b3aadc7934469
SHA512: c3249afa037fee1267bcd9a7f63599b7053e59accaa3e0479ae81ae1266971d6d466325c60e6fd6411744e95c9ce1452125476778e7e3f4c7aeb557c324f5d42

Filesize: 59KB
MD5: 7c4330ca1c347c2df864d94221638649
SHA1: 67777e34d95bbc864ce084b71f3dca87ebabcd5f
SHA256: 23692fe79cb8e509356399155f22016e067c68b79c94cf149b4b3aadc7934469
SHA512: c3249afa037fee1267bcd9a7f63599b7053e59accaa3e0479ae81ae1266971d6d466325c60e6fd6411744e95c9ce1452125476778e7e3f4c7aeb557c324f5d42

Filesize: 415KB
MD5: 64bc1983743c584a9ad09dacf12792e5
SHA1: 0f14098f523d21f11129c4df09451413ddff6d61
SHA256: 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512: 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Filesize: 415KB
MD5: bcf915808b2ec03f55c2efbf985debb2
SHA1: dc0cbea6fd0bd3555c634911f1579a212098fcda
SHA256: 3fe68631e71f03e8a59803f1d1b3e7eec9dbc0f114cad4814e558f5eff909f73
SHA512: d9f9e322dfa81a32c6cc68b06242c8546918dd277644f3ffada8084d6826c0fa066572bb1d6d8741f0955db44fea1414f8da76cfa872b21a5f7450ce7c8be114

Filesize: 447KB
MD5: 0233974d4e12b88be83dd82fcd8a1c12
SHA1: 6b5a0696fa5a7a5e4ea671f069cfd42440d88e61
SHA256: e558ccdf6434ee5aff730555c6c0cef2dd6497c859b0cde981ffd6875a14d02d
SHA512: 1edff9f30ead90c3f9cc264cc3fc56e2765f9bc0d58a7cbdb2132e68a363c4d6c16077b2cb2e9909845fb7954d5b6978f652037b6108b253ad7643067cc86a2c

Filesize: 447KB
MD5: d15f5f23df8036bd5089ce8d151b0e0d
SHA1: 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256: f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512: feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9