Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 07/12/2023, 20:35

Behavioral task
- Task: behavioral1
- Sample: 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe
- Resource: win7-20231025-en

General
- Target: 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe
- Size: 545KB
- MD5: 53d5101bf73ad81743a6b8e94deee77f
- SHA1: 0e997ff5b72fec6ba747aac8405e6d85ad625050
- SHA256: 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c
- SHA512: 9b819d023c928ccb6802f38bb46c1734fd4f7f2188f962cc38bfa3f1641655c1121d7a51edfd9e9724079b5c848e40929d67fb819bf2a8978b37614ec4305b10
- SSDEEP: 6144:vhjxrU2+7kO+4LT9FD/QOuVkJpFYcEOkCybEaQRXr9HNdvOaAC6:vvr+M4H9FrGVkwOkx2LIat6
Malware Config

Signatures

Drops file in Drivers directory (9 IoCs)
- File created: C:\Windows\System32\drivers\wDOjKt.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\tX4JE35tc0p.eyx (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\qdwVBcqFZntMQx.fss (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\Kxms7VrjRJM3r.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\3fkiDdA971B1B.kgv (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\QKSE4pPPyj4r.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\OZKwcyxNVbO5Si.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\Vv9CGOcxtz.hse (Explorer.EXE)
- File opened for modification: C:\Windows\system32\drivers\zVyEP90AMN8.sys (Explorer.EXE)

Deletes itself (1 IoC)
- PID 3012 cmd.exe

YARA rule upx matched on 4 memory resources
- behavioral1/memory/2228-0-0x0000000000F20000-0x0000000000FAF000-memory.dmp
- behavioral1/memory/2228-488-0x0000000000F20000-0x0000000000FAF000-memory.dmp
- behavioral1/memory/2228-707-0x0000000000F20000-0x0000000000FAF000-memory.dmp
- behavioral1/memory/1232-730-0x0000000000870000-0x0000000000898000-memory.dmp

Unexpected DNS network traffic destination (6 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP 114.114.114.114 (5 events)
- Destination IP 223.5.5.5 (1 event)

YARA rule vmprotect matched on 4 file resources
- behavioral1/files/0x0008000000004ed7-740.dat
- behavioral1/files/0x0016000000004ed7-768.dat
- behavioral1/files/0x0024000000004ed7-796.dat
- behavioral1/files/0x0032000000004ed7-824.dat

Drops file in System32 directory (9 IoCs)
- File created: C:\Windows\system32\ \Windows\System32\O2zQWLolu.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\m5fvczD7k0.ecm (Explorer.EXE)
- File opened for modification: C:\Windows\system32\16aV9eAKorm.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\FwxrhGGC4EN.wne (Explorer.EXE)
- File opened for modification: C:\Windows\system32\WmDOvJuMedt69.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\DKFDGvpF9jX.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\cbNZJ3Km7kR.uqh (Explorer.EXE)
- File opened for modification: C:\Windows\system32\ki5hi7pp0x.sys (Explorer.EXE)
- File opened for modification: C:\Windows\system32\0neucIe3gB68Oj.ryn (Explorer.EXE)

Drops file in Program Files directory (26 IoCs)
All 26 entries are "File opened for modification"; the writing process is given in parentheses.
- C:\Program Files (x86)\TGRpjZnizhV.sys (Explorer.EXE)
- C:\Program Files\Windows NT\manifest.json (Dwm.exe)
- C:\Program Files (x86)\LheHCCCdtcC.sre (Explorer.EXE)
- C:\Program Files\Windows Media Player\4d538cc8.html (Explorer.EXE)
- C:\Program Files\Windows NT\4d5397c2.html (Dwm.exe)
- C:\Program Files\Windows Media Player\3ddc70a0.js (Explorer.EXE)
- C:\Program Files\Windows NT\lib\6c41d476.js (Dwm.exe)
- C:\Program Files\dakMsuNOTI.sys (Explorer.EXE)
- C:\Program Files (x86)\yDzBCT81uq.sys (Explorer.EXE)
- C:\Program Files\rihVo3IguMa70u.sys (Explorer.EXE)
- C:\Program Files (x86)\V9GaxaPgJc.xdu (Explorer.EXE)
- C:\Program Files (x86)\AwOUhF8L7q80W5.hns (Explorer.EXE)
- C:\Program Files\Windows NT\5ccab61c.js (Dwm.exe)
- C:\Program Files\np22ThftlWjb6.apu (Explorer.EXE)
- C:\Program Files (x86)\iqdBb2D8eB01.sys (Explorer.EXE)
- C:\Program Files\thG2TeGzQwH3C.sys (Explorer.EXE)
- C:\Program Files\OWV3UcV9R1.xrr (Explorer.EXE)
- C:\Program Files\GMcGaVrb19QLVo.hle (Explorer.EXE)
- C:\Program Files\9EHNad0dPyUe.qux (Explorer.EXE)
- C:\Program Files\Windows NT\3ddc7968.js (Dwm.exe)
- C:\Program Files\Windows Media Player\manifest.json (Explorer.EXE)
- C:\Program Files\Windows Media Player\5ccaa8f0.js (Explorer.EXE)
- C:\Program Files\vsPyx6sWs8VdMO.sys (Explorer.EXE)
- C:\Program Files (x86)\lNcq4qeL0wD.qdn (Explorer.EXE)
- C:\Program Files (x86)\R3jcWeQyfPQ.sys (Explorer.EXE)
- C:\Program Files\Windows Media Player\lib\6c41c518.js (Explorer.EXE)

Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\err_2228.log (3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe)
- File created: C:\Windows\4vV0yNCZt.sys (Explorer.EXE)
- File opened for modification: C:\Windows\RvbVdxhdgIU.sys (Explorer.EXE)
- File opened for modification: C:\Windows\MPRSrSX5Ptmd5C.tgg (Explorer.EXE)
- File opened for modification: C:\Windows\1tpK7hZEkNer.sys (Explorer.EXE)
- File opened for modification: C:\Windows\Boyzi3Q16TeMfu.vdt (Explorer.EXE)
- File opened for modification: C:\Windows\xIbu9FjoZRz7.sys (Explorer.EXE)
- File opened for modification: C:\Windows\70lEBHtTgh.sys (Explorer.EXE)
- File opened for modification: C:\Windows\WG8KEYZ5XR6CZn.uen (Explorer.EXE)
- File opened for modification: C:\Windows\8l2cXIzu2w.dxx (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
- PID 2672 timeout.exe

Modifies system certificate store
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not preserved) (3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data not preserved) (3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe), 2 events

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2228 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe (4 events)
- PID 1232 Explorer.EXE (60 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1232 Explorer.EXE

Suspicious behavior: LoadsDriver (59 IoCs)
- PID 472 Process not Found (59 events)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
- Token: SeDebugPrivilege, PID 2228 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe
- Token: SeTcbPrivilege, PID 2228 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe
- Token: SeDebugPrivilege, PID 2228 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe (2 events)
- Token: SeDebugPrivilege, PID 1232 Explorer.EXE (3 events)
- Token: SeIncBasePriorityPrivilege, PID 2228 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe
- Token: SeDebugPrivilege, PID 1232 Explorer.EXE
- Token: SeBackupPrivilege, PID 1232 Explorer.EXE
- Token: SeDebugPrivilege, PID 1232 Explorer.EXE
- Token: SeDebugPrivilege, PID 1152 Dwm.exe
- Token: SeBackupPrivilege, PID 1152 Dwm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1232 Explorer.EXE

Suspicious use of WriteProcessMemory (24 IoCs)
- PID 2228 wrote to memory of 1232: 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe, procid_target 11 (5 events)
- PID 2228 wrote to memory of 424: 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe, procid_target 3 (5 events)
- PID 2228 wrote to memory of 3012: 3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe, procid_target 30 (4 events)
- PID 3012 wrote to memory of 2672: cmd.exe, procid_target 32 (4 events)
- PID 1232 wrote to memory of 1152: Explorer.EXE, procid_target 12 (6 events)

Processes
- C:\Windows\system32\winlogon.exe (PID 424)
  Command line: winlogon.exe
- C:\Windows\Explorer.EXE (PID 1232)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe (PID 2228)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3012)
      Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\3d567d93342f92d66717c8b1dbce6412e27ebd1da7c2b014b611e258ece8b37c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 2672)
        Command line: timeout /t 1
        - Delays execution with timeout.exe
- C:\Windows\system32\Dwm.exe (PID 1152)
  Command line: "C:\Windows\system32\Dwm.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads