Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2023, 23:23

Behavioral task: behavioral1
Sample: 4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe
Resource: win7-20231130-en

Note: the task listed here is the Windows 7 run (behavioral1), but the platform, resource tags, YARA hits (paths under behavioral2/) and the process tree on this page come from the Windows 10 2004 x64 run (behavioral2). The Windows 7 results are not on this page.
General

Target: 4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe
Size: 223KB
MD5: 4cdae24b3e1563366f3bdb53f7f94af2
SHA1: 34c37775f537a1a871a532883f3d9a32ce153cd3
SHA256: 4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c
SHA512: f5652a55abcfd37fd4cdf4a17dd0580ef1a2a5015ba177ac64bf067a916d13a9f7b3f6d2b9c2097e1609be6f835ca7844ef0fd9e7a799e56c7fc247549e0f30d
SSDEEP: 3072:2Z7wXfSRZ0ON/EwW66wN94xu4CkAZJM2k5D66L+NfGbVON2Nqi/6gS5UoWXHz72n:CwPSUONLNsuWA7koN+boRi9S6oiz72D
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
A process was created with an explicitly chosen parent that is not the creating process (parent PID spoofing through the parent-process thread attribute).
- description: PID 3380 created 620 | pid: 3380 | Process: Explorer.EXE | procid_target: 5
Read together with the process tree and the WriteProcessMemory entries below: Explorer.EXE (PID 3380), into which the sample (PID 376) had already written, created C:\Windows\sdchange.exe and started it (PID 2500) with winlogon.exe (PID 620, tree entry 5) declared as the parent. That is why sdchange.exe sits under winlogon.exe in the tree although its real creator is Explorer.EXE.
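The check a responder wants for this signature is one that compares who actually issued the process-create call with the parent the new process declares. The following is an added example written for this page, not code from the sandbox or the sample; it assumes a telemetry source that records both values per process start (for instance the process ID in an ETW event header versus the ParentProcessID payload field). The events are constructed to mirror the report's tree, and the benign-creator list is an assumption to tune per environment.

```python
"""Parent-PID spoofing check over constructed process-start events.

Added example, not part of the sandbox report. It assumes telemetry that
records, for every process start, both the process that issued the create
call (creator_pid, e.g. the process ID in an ETW event header) and the
parent the new process declares (declared_ppid, the value a spoofing
caller sets via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS). The events below
are constructed to mirror the report's process tree; they are not captured
data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = "4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe"


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str
    creator_pid: int    # who actually called NtCreateUserProcess
    declared_ppid: int  # parent the new process reports (spoofable)


# Constructed events. Only sdchange.exe has a creator that differs from its
# declared parent: Explorer.EXE (3380) created it, but it reports
# winlogon.exe (620) as its parent, which is how it ends up under winlogon
# in the report's tree.
EVENTS: List[ProcStart] = [
    ProcStart(60,   "C:\\Windows\\system32\\dwm.exe",     620,  620),
    ProcStart(376,  "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, 3380, 3380),
    ProcStart(2500, "C:\\Windows\\sdchange.exe",         3380, 620),
    ProcStart(2184, "C:\\Windows\\SysWOW64\\cmd.exe",     376,  376),
    ProcStart(4708, "C:\\Windows\\SysWOW64\\timeout.exe", 2184, 2184),
    ProcStart(3580, "C:\\Windows\\system32\\wbadmin.exe", 2500, 2500),
]

# Creators for which a differing declared parent is expected. The UAC
# elevation path is the usual benign case (the Application Information
# service, hosted in svchost.exe, launches the elevated process on behalf
# of the requester). Assumption: tune this list per estate.
BENIGN_CREATOR_IMAGES = {"c:\\windows\\system32\\svchost.exe"}


def find_spoofed_parents(events: List[ProcStart]) -> List[Tuple[int, int, int]]:
    """Return (pid, creator_pid, declared_ppid) for every start whose creator
    is not the declared parent and is not on the benign creator list."""
    by_pid: Dict[int, ProcStart] = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.creator_pid == e.declared_ppid:
            continue
        creator = by_pid.get(e.creator_pid)
        if creator and creator.image.lower() in BENIGN_CREATOR_IMAGES:
            continue
        hits.append((e.pid, e.creator_pid, e.declared_ppid))
    return hits


def chain(events: List[ProcStart], pid: int, by_creator: bool) -> List[int]:
    """Walk upwards from pid using either the real creator (by_creator=True)
    or the declared parent, stopping at the first PID with no event."""
    by_pid = {e.pid: e for e in events}
    out, seen = [pid], {pid}
    while pid in by_pid:
        pid = by_pid[pid].creator_pid if by_creator else by_pid[pid].declared_ppid
        if pid in seen:          # guard against cycles in corrupt telemetry
            break
        out.append(pid)
        seen.add(pid)
    return out


if __name__ == "__main__":
    for pid, creator, declared in find_spoofed_parents(EVENTS):
        print(f"PID {pid}: created by {creator}, declares parent {declared}")
    print("declared tree for wbadmin.exe:", chain(EVENTS, 3580, by_creator=False))
    print("creator chain for wbadmin.exe:", chain(EVENTS, 3580, by_creator=True))
```

The two chains for wbadmin.exe make the point: the declared tree ends at winlogon.exe (3580 -> 2500 -> 620), which is what a parent-based process tree shows, while the creator chain ends at Explorer.EXE (3580 -> 2500 -> 3380), which is where the sample's injected code lives. Telemetry that only stores the declared parent cannot distinguish the two.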
Drops file in Drivers directory (9 IoCs)
Process: sdchange.exe for every entry.
- File opened for modification: C:\Windows\system32\drivers\pxs0YzD1Vj2ML.sys
- File opened for modification: C:\Windows\system32\drivers\3gOPRn0Xw8hS1.bcz
- File opened for modification: C:\Windows\system32\drivers\A0Gdl2lErgx.sys
- File opened for modification: C:\Windows\system32\drivers\yVOnk0jR5IF.jyw
- File created: C:\Windows\System32\drivers\VOh6a6.sys
- File opened for modification: C:\Windows\system32\drivers\Rc36LdYvcnmkX.sys
- File opened for modification: C:\Windows\system32\drivers\ziIgmRGTDrCieo.jze
- File opened for modification: C:\Windows\system32\drivers\9xlhSZVZnAP.nab
- File opened for modification: C:\Windows\system32\drivers\3xH2PSnzWIE.sys
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation (Process: 4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe)
Executes dropped EXE (1 IoC)
- PID 2500: sdchange.exe
YARA rule match: upx (2 IoCs)
- behavioral2/memory/376-0-0x00000000005E0000-0x000000000064E000-memory.dmp (rule: upx)
- behavioral2/memory/376-42-0x00000000005E0000-0x000000000064E000-memory.dmp (rule: upx)
Both hits are the same 0x6E000-byte region of the sample process (PID 376), dumped at two points in the run; the UPX signature is in the sample's own image, not in a dropped file.
Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Destination IP: 114.114.114.114
114.114.114.114 is the public 114DNS resolver operated in China. A hard-coded resolver bypasses whatever logging or sinkholing the local resolver provides, and the choice of a Chinese resolver is consistent with the country-code check above.
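The signature reduces to a policy check over connection records: anything on port 53 whose destination is not one of the host's configured resolvers. The following is an added example for this page, not part of the sandbox report; the flow records, the configured resolver address and the small public-resolver table are constructed and should be replaced with the real values for the network being monitored.

```python
"""Flag DNS-port traffic that bypasses the configured resolvers.

Added example, not from the report. Assumes flow records of the form
"proto src:sport -> dst:dport bytes" and a list of the resolvers the host
was configured to use; both are constructed here (assumptions). The
public-resolver table only labels the destination; it is not a verdict.
"""
import re
from typing import Dict

# Constructed: the monitored host's configured resolver (assumption).
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# A few widely used public resolvers, used only to label the destination.
# 114.114.114.114 (114DNS) is a public resolver operated in China.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "1.1.1.1": "Cloudflare", "9.9.9.9": "Quad9",
    "114.114.114.114": "114DNS (CN)",
}

FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$", re.I)

# Constructed flow records (not captured traffic). The 114.114.114.114
# destination mirrors the report's IoC; the rest is invented background.
FLOWS = """\
udp 10.127.0.100:52113 -> 10.127.0.1:53 71
udp 10.127.0.100:52114 -> 10.127.0.1:53 68
udp 10.127.0.100:52115 -> 114.114.114.114:53 64
udp 10.127.0.100:52116 -> 114.114.114.114:53 64
tcp 10.127.0.100:52117 -> 114.114.114.114:53 188
tcp 10.127.0.100:49710 -> 23.57.10.11:443 5120
"""


def unexpected_dns(flows: str, configured=CONFIGURED_RESOLVERS) -> Dict[str, dict]:
    """Return, per offending destination, the flow count, total bytes,
    transports used and a label saying whether it is a known public resolver.
    Malformed lines are skipped rather than raising."""
    out: Dict[str, dict] = {}
    for line in flows.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        dst = m["dst"]
        if dst in configured:
            continue
        rec = out.setdefault(dst, {
            "flows": 0, "bytes": 0, "protos": set(),
            "label": PUBLIC_RESOLVERS.get(dst, "not a known public resolver"),
        })
        rec["flows"] += 1
        rec["bytes"] += int(m["bytes"])
        rec["protos"].add(m["proto"].lower())
    return out


if __name__ == "__main__":
    for dst, rec in unexpected_dns(FLOWS).items():
        print(f"{dst}: {rec['flows']} flows, {rec['bytes']} bytes, "
              f"{'/'.join(sorted(rec['protos']))}, {rec['label']}")
```

Port 53 over TCP to an unexpected resolver (the third constructed flow) deserves a closer look than UDP alone: large answers or zone-style transfers move over TCP, and so does DNS-based tunnelling.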
YARA rule match: vmprotect (4 IoCs)
- behavioral2/files/0x001500000002321c-87.dat (rule: vmprotect)
- behavioral2/files/0x001a00000002321c-144.dat (rule: vmprotect)
- behavioral2/files/0x002100000002321c-202.dat (rule: vmprotect)
- behavioral2/files/0x002500000002321c-259.dat (rule: vmprotect)
These are four dropped files carrying VMProtect markers; the report does not say which of the paths below they correspond to.
Drops file in System32 directory (23 IoCs)
Process: sdchange.exe for every entry.
- File opened for modification: C:\Windows\system32\W5zCsgqlngcK.sys
- File opened for modification: C:\Windows\system32\xmdkViJFTUB6Kl.zbl
- File opened for modification: C:\Windows\system32\1bQ5HKfXg8.qfd
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
- File opened for modification: C:\Windows\system32\hdZau05NFvK.syz
- File opened for modification: C:\Windows\system32\3iYtN0J4tjc.sys
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173
- File opened for modification: C:\Windows\system32\JswYo166c0dWw.dqm
- File created: C:\Windows\system32\ \Windows\System32\FtD7s4.sys (path as recorded by the sandbox)
- File opened for modification: C:\Windows\system32\xdqQwbhOqk.sys
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173
- File opened for modification: C:\Windows\system32\aqPnu4oZpmC.sys
The CryptnetUrlCache entries are not payload drops: CryptoAPI writes that cache when a process fetches certificate chain or revocation data over the network, and the config\systemprofile location shows sdchange.exe doing so under the SYSTEM profile. The random-named .sys and junk-extension files are the drops of interest.
Drops file in Program Files directory (26 IoCs)
By sdchange.exe (21):
- File opened for modification: C:\Program Files\685kCuRzPh8dR.ihu
- File opened for modification: C:\Program Files (x86)\i9KKAKDYVK.sys
- File opened for modification: C:\Program Files\Windows Multimedia Platform\47b78981.html
- File opened for modification: C:\Program Files (x86)\JX3WueR66f.sys
- File opened for modification: C:\Program Files\sIL7v5u8Crs.tqx
- File opened for modification: C:\Program Files (x86)\xRCM7N0n1vi.sys
- File opened for modification: C:\Program Files\Windows Multimedia Platform\manifest.json
- File opened for modification: C:\Program Files\Windows Multimedia Platform\395fa134.js
- File opened for modification: C:\Program Files (x86)\YuyeuBiLjb7X.eps
- File opened for modification: C:\Program Files\Windows Multimedia Platform\560f71ce.js
- File opened for modification: C:\Program Files (x86)\SMQZreD2wVIoK.tgo
- File opened for modification: C:\Program Files\kfSSTKGLjp.sys
- File opened for modification: C:\Program Files\7hMGnLoD4Mw.sys
- File opened for modification: C:\Program Files\StyuPRR61n0Xs.vvj
- File opened for modification: C:\Program Files (x86)\J6tsc9pTOiXh.oby
- File opened for modification: C:\Program Files (x86)\0lYeGcaZJ8pa.sys
- File opened for modification: C:\Program Files\ZxhT9wbbJLT80.sys
- File opened for modification: C:\Program Files\lpGtw5q0YDU.sys
- File opened for modification: C:\Program Files\LcG2R4JOhhh.fxo
- File opened for modification: C:\Program Files (x86)\d9rx68l1YKRvD.ttc
- File opened for modification: C:\Program Files\Windows Multimedia Platform\lib\64675a1b.js
By Explorer.EXE (5):
- File opened for modification: C:\Program Files\Microsoft Office\manifest.json
- File opened for modification: C:\Program Files\Microsoft Office\395fa3a4.js
- File opened for modification: C:\Program Files\Microsoft Office\560f7576.js
- File opened for modification: C:\Program Files\Microsoft Office\lib\64675e5f.js
- File opened for modification: C:\Program Files\Microsoft Office\47b78c8d.html
The manifest.json, .js, .html and lib\*.js sets written under "Microsoft Office" and "Windows Multimedia Platform" have the layout of an unpacked browser extension placed in a trusted-looking directory; their contents are not on this page.
Drops file in Windows directory (11 IoCs)
- File opened for modification: C:\Windows\wJzoTrND6pr7v8.smz (sdchange.exe)
- File opened for modification: C:\Windows\n3SZnMg44H4k.sys (sdchange.exe)
- File created: C:\Windows\XzUiDfJ.sys (sdchange.exe)
- File opened for modification: C:\Windows\Mm4xg8LU9AUi0.zej (sdchange.exe)
- File opened for modification: C:\Windows\XnEokxfDcXH.sys (sdchange.exe)
- File opened for modification: C:\Windows\WRUdpILD7Vj.jbq (sdchange.exe)
- File opened for modification: C:\Windows\7fdprvKyY3o.sys (sdchange.exe)
- File opened for modification: C:\Windows\5ZwCWpkziuT.bda (sdchange.exe)
- File created: C:\Windows\sdchange.exe (Explorer.EXE)
- File opened for modification: C:\Windows\sdchange.exe (Explorer.EXE)
- File opened for modification: C:\Windows\zvBJe5E3An6.sys (sdchange.exe)
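The four "Drops file in ..." signatures above share one pattern: a single process writing dozens of files with random mixed-case names, some with a .sys extension and some with junk extensions, into protected directories. One legitimate driver can have an odd name, so the usable signal is the burst per process, not any one name. The following heuristic is an added example for this page, not code from the sandbox; the file-write events are constructed from the report's IoC lists plus an invented benign comparison (TiWorker.exe, the Windows Modules Installer worker, updating two real driver names), and the character-class heuristic, length bounds and burst threshold are assumptions to tune against real telemetry.

```python
"""Heuristic for bursts of random-named files written under protected paths.

Added example, not from the report. Input is constructed file-write events
(pid, process, path) modelled on the report's IoCs plus a few invented
benign writes; nothing here is captured telemetry. The name heuristic
(character class transitions), the length bounds and the burst threshold
are assumptions to tune against real data.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

PROTECTED_ROOTS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def transition_ratio(stem: str) -> float:
    """Fraction of adjacent character pairs that switch class between lower,
    upper and digit. Random mixed-case stems score high; ordinary driver
    names such as 'Wdf01000' or 'mrxsmb20' score low."""
    classes = ["d" if c.isdigit() else "U" if c.isupper() else "l" if c.islower() else "x"
               for c in stem]
    if len(classes) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return changes / (len(classes) - 1)


def looks_random(stem: str, min_len: int = 6, max_len: int = 16, threshold: float = 0.4) -> bool:
    return min_len <= len(stem) <= max_len and stem.isalnum() and transition_ratio(stem) >= threshold


def burst_hits(events: List[Tuple[int, str, str]], min_hits: int = 5) -> Dict[Tuple[int, str], dict]:
    """Group writes by (pid, process); report those with at least min_hits
    random-stem files under a protected root, with the .sys count."""
    per_proc: Dict[Tuple[int, str], list] = defaultdict(list)
    for pid, process, path in events:
        if not path.lower().startswith(PROTECTED_ROOTS):
            continue
        name = path.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if not stem:                       # no dot: the whole name is the stem
            stem, ext = name, ""
        if looks_random(stem):
            per_proc[(pid, process)].append((path, ext.lower()))
    report = {}
    for key, hits in per_proc.items():
        if len(hits) >= min_hits:
            report[key] = {
                "count": len(hits),
                "sys": sum(1 for _, ext in hits if ext == "sys"),
                "paths": [p for p, _ in hits],
            }
    return report


# Constructed events: the sdchange.exe and Explorer.EXE paths are taken from
# the report's IoC lists; TiWorker.exe (Windows Modules Installer worker)
# writing two real driver names is an invented benign comparison, and the
# last entry is an invented write outside any protected root.
EVENTS = [
    (2500, "sdchange.exe", r"C:\Windows\system32\drivers\pxs0YzD1Vj2ML.sys"),
    (2500, "sdchange.exe", r"C:\Windows\system32\drivers\3gOPRn0Xw8hS1.bcz"),
    (2500, "sdchange.exe", r"C:\Windows\System32\drivers\VOh6a6.sys"),
    (2500, "sdchange.exe", r"C:\Windows\system32\W5zCsgqlngcK.sys"),
    (2500, "sdchange.exe", r"C:\Windows\XzUiDfJ.sys"),
    (2500, "sdchange.exe", r"C:\Windows\n3SZnMg44H4k.sys"),
    (2500, "sdchange.exe", r"C:\Program Files\sIL7v5u8Crs.tqx"),
    (2500, "sdchange.exe", r"C:\Program Files\Windows Multimedia Platform\manifest.json"),
    (3380, "Explorer.EXE", r"C:\Windows\sdchange.exe"),
    (3380, "Explorer.EXE", r"C:\Program Files\Microsoft Office\manifest.json"),
    (4100, "TiWorker.exe", r"C:\Windows\System32\drivers\Wdf01000.sys"),
    (4100, "TiWorker.exe", r"C:\Windows\System32\drivers\mrxsmb20.sys"),
    (376,  "sample.exe",   r"C:\Users\Admin\AppData\Local\Temp\stage.tmp"),
]

if __name__ == "__main__":
    for (pid, proc), info in burst_hits(EVENTS).items():
        print(f"{proc} (PID {pid}): {info['count']} random-named files, {info['sys']} .sys")
        for p in info["paths"]:
            print("   ", p)
```

The .sys count is kept separately because a burst that includes drivers is the one to escalate: together with the LoadsDriver signature further down, it says the dropped drivers were loaded, not merely written.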
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: sdchange.exe for every entry.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
The vendor and product strings this sandbox exposes (DADY, DADY_DVD-ROM, HARDDISK) are not the VMware, VirtualBox or QEMU identifiers such checks usually look for, which is one reason the run continued past this point.
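The country-code lookup (Checks computer location settings, above) and the SCSI reads here are both environment checks, and a registry-access feed can tag them the same way. The following is an added example for this page, not part of the report: it runs over constructed registry-access events modelled on the report's IoCs, plus one invented host whose disk carries a hypervisor vendor string to show the classification branch. The tag names and the hypervisor token list are assumptions; many benign tools also read Enum\SCSI, so the tags are triage hints rather than verdicts.

```python
"""Tag registry reads that are typical of sandbox and geofence checks.

Added example, not from the report. Input is constructed registry-access
events modelled on the report's IoCs (Geo\\Nation lookup, SCSI Enum reads)
plus one invented host whose disk carries a hypervisor vendor string. The
VM token list and the tag names are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List

GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Enum\SCSI\<Class>&Ven_<vendor>&Prod_<product>\<instance>
ENUM_RE = re.compile(
    r"\\Enum\\(?:SCSI|IDE)\\(?P<cls>[^&\\]+)&VEN_(?P<ven>[^&\\]+)&PROD_(?P<prod>[^&\\]+)",
    re.I)
VM_TOKENS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "VIRTIO", "VIRTUAL", "XEN")

SID = "S-1-5-21-1067295379-1486014338-1703171060-1000"
SAMPLE = "4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe"

# Constructed events: the first four mirror the report, the last is invented.
EVENTS: List[dict] = [
    dict(pid=376, process=SAMPLE, op="value_queried",
         key=f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation"),
    dict(pid=2500, process="sdchange.exe", op="key_opened",
         key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000"),
    dict(pid=2500, process="sdchange.exe", op="key_opened",
         key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000"),
    dict(pid=2500, process="sdchange.exe", op="value_queried",
         key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName"),
    dict(pid=5120, process="other.exe", op="value_queried",
         key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000\FriendlyName"),
]


def evasion_indicators(events: List[dict]) -> Dict[int, dict]:
    """Per PID: process name, sorted tag list, the storage vendor/product
    strings it read, and whether any of them carries a hypervisor token."""
    acc: Dict[int, dict] = defaultdict(lambda: {
        "process": None, "tags": set(), "devices": set(), "vm_vendor_seen": False})
    for ev in events:
        key = ev["key"]
        rec = acc[ev["pid"]]
        rec["process"] = ev["process"]
        if GEO_RE.search(key):
            rec["tags"].add("geofence")
        m = ENUM_RE.search(key)
        if m:
            rec["tags"].add("storage_enum")
            if key.lower().endswith("\\friendlyname"):
                rec["tags"].add("storage_friendlyname_read")
            dev = f"{m['ven']}/{m['prod']}"
            rec["devices"].add(dev)
            if any(t in dev.upper() for t in VM_TOKENS):
                rec["vm_vendor_seen"] = True
    # Drop processes that touched nothing of interest; freeze tags for output.
    return {pid: {**r, "tags": sorted(r["tags"])} for pid, r in acc.items() if r["tags"]}


if __name__ == "__main__":
    for pid, r in evasion_indicators(EVENTS).items():
        print(pid, r["process"], r["tags"], sorted(r["devices"]),
              "VM vendor visible" if r["vm_vendor_seen"] else "no VM vendor string")
```

Recording the vendor and product strings the sample actually saw is the useful part for a sandbox operator: if the strings an analysis host exposes match a hypervisor token, the sample's next action is likely to differ from what the report shows.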
Delays execution with timeout.exe (1 IoC)
- PID 4708: timeout.exe
Modifies data under HKEY_USERS (12 IoCs)
By sdchange.exe (9):
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
By wbadmin.exe (3):
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
All of these sit under HKEY_USERS\.DEFAULT, the hive used by the SYSTEM account. The ZoneMap and Cache\*\CachePrefix values are what WinINet and the URL zone manager typically write on first use in a profile, so they show that sdchange.exe and wbadmin.exe initialised WinINet as SYSTEM rather than deliberate tampering. wbadmin.exe (the Windows Backup command-line tool) doing this at all is the anomaly: sdchange.exe writes into it seven times (see WriteProcessMemory below) before it starts enumerating processes and touching the registry.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
In order of appearance (64 entries in total):
- PID 376 (4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe): 8 entries
- PID 3380 (Explorer.EXE): 4 entries
- PID 376 (4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe): 2 entries
- PID 2500 (sdchange.exe): 2 entries
- PID 3580 (wbadmin.exe): 2 entries
- PID 2500 (sdchange.exe): all remaining entries
Suspicious behavior: LoadsDriver (59 IoCs)
- PID 660 (Process not Found): 59 driver-load events
The sandbox could not map PID 660 to a process in its tree. Kernel driver loads started through the Service Control Manager are carried out by services.exe, which is the likely identity of PID 660, but the report does not confirm it. Together with the random-named .sys files written to drivers\, system32 and C:\Windows above, this shows the dropped drivers were actually loaded, not just written.
Suspicious use of AdjustPrivilegeToken (24 IoCs)
- PID 376 (4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe): SeDebugPrivilege (3 entries), SeTcbPrivilege, SeIncBasePriorityPrivilege
- PID 3380 (Explorer.EXE): SeDebugPrivilege (3 entries), SeShutdownPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege
- PID 2500 (sdchange.exe): SeDebugPrivilege (8 entries), SeBackupPrivilege
- PID 60 (dwm.exe): SeDebugPrivilege, SeBackupPrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
Order as recorded: 376 SeDebug, 376 SeTcb, 376 SeDebug, 3380 SeDebug, 3380 SeDebug, 376 SeDebug, 376 SeIncBasePriority, 2500 SeDebug (3 entries), 3380 SeShutdown, 3380 SeCreatePagefile, 2500 SeDebug (3 entries), 2500 SeBackup, 2500 SeDebug (2 entries), 3380 SeDebug, 3380 SeBackup, then the four dwm.exe entries.
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3380: Explorer.EXE

Suspicious use of UnmapMainImage (1 IoC)
- PID 3380: Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Grouped by writer -> target (the trailing number is the target's entry in the process tree):
- 376 (sample) -> 3380 (Explorer.EXE), entry 35: 5 writes
- 3380 (Explorer.EXE) -> 2500 (sdchange.exe), entry 95: 7 writes
- 376 (sample) -> 620 (winlogon.exe), entry 5: 5 writes
- 376 (sample) -> 2184 (cmd.exe), entry 102: 3 writes
- 2184 (cmd.exe) -> 4708 (timeout.exe), entry 104: 3 writes
- 2500 (sdchange.exe) -> 3580 (wbadmin.exe), entry 107: 7 writes
- 2500 (sdchange.exe) -> 3380 (Explorer.EXE), entry 35: all remaining entries
The writes from the sample into Explorer.EXE and winlogon.exe, and from sdchange.exe back into Explorer.EXE, target processes that already existed, so they are injections. The parent-to-child writes (Explorer.EXE -> sdchange.exe, sdchange.exe -> wbadmin.exe, sample -> cmd.exe, cmd.exe -> timeout.exe) also occur during ordinary process creation, when the parent fills in the new process's parameters, so on their own they are not evidence of injection; wbadmin.exe going on to enumerate processes and write HKEY_USERS values is what makes the sdchange.exe -> wbadmin.exe writes suspicious.
Processes

winlogon.exe  PID 620  (C:\Windows\system32\winlogon.exe, command line: winlogon.exe)
  dwm.exe  PID 60  (C:\Windows\system32\dwm.exe, command line: "dwm.exe")
    - Suspicious use of AdjustPrivilegeToken
  sdchange.exe  PID 2500  (C:\Windows\sdchange.exe, command line: "C:\Windows\sdchange.exe")
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    wbadmin.exe  PID 3580  (C:\Windows\system32\wbadmin.exe, command line: "C:\Windows\system32\wbadmin.exe")
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

Explorer.EXE  PID 3380  (C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE)
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe  PID 376  (C:\Users\Admin\AppData\Local\Temp\4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe, command line: "C:\Users\Admin\AppData\Local\Temp\4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe")
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    cmd.exe  PID 2184  (C:\Windows\SysWOW64\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\4d8dc797e6ef160e1e41ca980981d27ca1823d78fd6345f7c29c02e5493fb47c.exe")
      - Suspicious use of WriteProcessMemory
      timeout.exe  PID 4708  (C:\Windows\SysWOW64\timeout.exe, command line: timeout /t 1)
        - Delays execution with timeout.exe

Notes on the tree:
- sdchange.exe is shown under winlogon.exe because of the spoofed parent; its creator is Explorer.EXE (see the NtCreateUserProcessOtherParentProcess signature).
- cmd.exe and timeout.exe ran from SysWOW64 although the command line names System32. That is WOW64 file-system redirection, so the sample is a 32-bit process (matching the arch:x86 resource tag).
- The cmd.exe command line is a self-delete: wait one second, then delete the original sample from the Temp directory, so the on-disk original is gone while the dropped sdchange.exe and the injected Explorer.EXE carry on.
- dwm.exe (a winlogon child) enabling SeDebugPrivilege and SeBackupPrivilege is not normal for the Desktop Window Manager and is worth examining, although the report records no write into PID 60.
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 415KB
   MD5: b35f50c1fdabf0633e08120d60f58310
   SHA1: e75428f11aa36e3cb3dd8ded2c1d4a96cce003a5
   SHA256: 2fcab54eda2766741f452476f55052f58598f9a8aa5156e45232c9c0111fa233
   SHA512: 17e3963353aac24f61f6b8bb13b5edb269a000c4e55311466678d99e274a29fb95c361a7f4691cd7e99d38d5660ea29ef59c7d34da1606390e9dc3e9ecc5098f

2. Filesize: 447KB
   MD5: db5d4252dbfe3c6a8ed839012a0501fa
   SHA1: b502e4690bf2c88f991c543b7050839c6db8fe8d
   SHA256: 8ce672b0220d07da7cd3997164b53b63a48a8b977956849ee15bd4f597a618df
   SHA512: b8169e775c280244defc7e052a036262f1436380bf423a6d8fec14f63971e0fc422ea846e0e2b5d4a4631d011f82b76db59d56f9802152b7931006c9cd2c9005

3. Filesize: 415KB
   MD5: 64bc1983743c584a9ad09dacf12792e5
   SHA1: 0f14098f523d21f11129c4df09451413ddff6d61
   SHA256: 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
   SHA512: 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

4. Filesize: 50KB
   MD5: 26ff03d565d4d68bf80602a8d21f46ee
   SHA1: 8b2e151fe31eb875aedffb6dda5d1cf761ba3631
   SHA256: 4113eea6d5998515b9a460c4de0be96bb00de07a36f87cd7215d29932ed02ed7
   SHA512: 083dbf9996fa36418cf6dcafb4915b25595c7cfc831e46241f10a78dee8555c5a2c8709747ebc8be95d9d10a7816a827011547975617d9cc06e84fd55c9398bf

5. Filesize: 50KB
   MD5: 26ff03d565d4d68bf80602a8d21f46ee
   SHA1: 8b2e151fe31eb875aedffb6dda5d1cf761ba3631
   SHA256: 4113eea6d5998515b9a460c4de0be96bb00de07a36f87cd7215d29932ed02ed7
   SHA512: 083dbf9996fa36418cf6dcafb4915b25595c7cfc831e46241f10a78dee8555c5a2c8709747ebc8be95d9d10a7816a827011547975617d9cc06e84fd55c9398bf

6. Filesize: 447KB
   MD5: d15f5f23df8036bd5089ce8d151b0e0d
   SHA1: 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
   SHA256: f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
   SHA512: feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Entries 4 and 5 have identical hashes (the same 50KB content recorded twice). The report does not map these downloads to the dropped paths listed under the signatures.