Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 07/12/2023, 20:38
Behavioral task
behavioral1
Sample
60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Resource
win7-20231023-en
General
Target: 60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Size: 545KB
MD5: 4650fd56e68b1c5c263336068c266a71
SHA1: 0a8517213b495344d06768df242a28d9d99cde05
SHA256: 60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d
SHA512: f605c74d1751d41460e6f6b84a2a7397c2e9fdd9485350a894abde04ec614e6035a6c2e47d29d9a393bb0b3e64155156a9ca8534e263559e7efbc1ed68ac6e70
SSDEEP: 6144:yhjxrU2+7kO+4LT9FD/QOuVkJpFYcEOkCybEaQRXr9HNdvOaAC6:yvr+M4H9FrGVkwOkx2LIat6
Malware Config
Signatures
Drops file in Drivers directory 9 IoCs
description  ioc  Process
File opened for modification  C:\Windows\system32\drivers\jTGjvkpR7NIJ.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\drivers\EinIcd39NGKP.fei  Explorer.EXE
File opened for modification  C:\Windows\system32\drivers\G7SvHxKeRkwrGx.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\drivers\pnwsYs3Mjw.xyl  Explorer.EXE
File opened for modification  C:\Windows\system32\drivers\66W049y86AyFT.qyc  Explorer.EXE
File opened for modification  C:\Windows\system32\drivers\JxEJ1MFGeW7jY.sys  Explorer.EXE
File created  C:\Windows\System32\drivers\Y3h6VbmiB.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\drivers\ZS6HckOls7du.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\drivers\QlkIxz9aU0aXcP.nts  Explorer.EXE
Deletes itself 1 IoCs
pid  Process
2344  cmd.exe

YARA rule match: upx 4 IoCs
resource  yara_rule
behavioral1/memory/2852-0-0x0000000000350000-0x00000000003DF000-memory.dmp  upx
behavioral1/memory/2852-71-0x0000000000350000-0x00000000003DF000-memory.dmp  upx
behavioral1/memory/2852-705-0x0000000000350000-0x00000000003DF000-memory.dmp  upx
behavioral1/memory/1232-834-0x00000000008F0000-0x0000000000918000-memory.dmp  upx
Unexpected DNS network traffic destination 6 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description  ioc
Destination IP  114.114.114.114
Destination IP  114.114.114.114
Destination IP  114.114.114.114
Destination IP  114.114.114.114
Destination IP  223.5.5.5
Destination IP  114.114.114.114

YARA rule match: vmprotect 4 IoCs
resource  yara_rule
behavioral1/files/0x000d000000014abe-723.dat  vmprotect
behavioral1/files/0x001b000000014abe-751.dat  vmprotect
behavioral1/files/0x0029000000014abe-779.dat  vmprotect
behavioral1/files/0x0037000000014abe-807.dat  vmprotect
Drops file in System32 directory 9 IoCs
description  ioc  Process
File opened for modification  C:\Windows\system32\ZiHXM8q1OtUSy.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\rqK1rXw7GGmz.fld  Explorer.EXE
File created  C:\Windows\system32\ \Windows\System32\YBbNWIKG.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\gYuxViXFgTHS6.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\tFl1NX1TuDO37.abj  Explorer.EXE
File opened for modification  C:\Windows\system32\Q0vifwawxPbPR.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\cqRh35R3dMuKfJ.bjp  Explorer.EXE
File opened for modification  C:\Windows\system32\I6v1gGCO9w.sys  Explorer.EXE
File opened for modification  C:\Windows\system32\IxvqxYlHHBg7.tke  Explorer.EXE
Drops file in Program Files directory 31 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\MwY6xopJPSIcXD.sys  Explorer.EXE
File opened for modification  C:\Program Files\Java\4d566cea.html  Dwm.exe
File opened for modification  C:\Program Files\Mozilla Firefox\3ddeb4c0.js  Explorer.EXE
File opened for modification  C:\Program Files\Windows Mail\3ddf0474.js  Explorer.EXE
File opened for modification  C:\Program Files\oTKDWWYx9guHwx.efm  Explorer.EXE
File opened for modification  C:\Program Files (x86)\PFIIz81WiX.sys  Explorer.EXE
File opened for modification  C:\Program Files\CF3csv6XzGpc.sys  Explorer.EXE
File opened for modification  C:\Program Files\RAHGP2XFHzVf5.pnr  Explorer.EXE
File opened for modification  C:\Program Files\L0XyunRRKWkIp2.vwm  Explorer.EXE
File opened for modification  C:\Program Files\Java\manifest.json  Dwm.exe
File opened for modification  C:\Program Files\VJNZYBQskirdQS.sys  Explorer.EXE
File opened for modification  C:\Program Files\27cmkjzRc1.sys  Explorer.EXE
File opened for modification  C:\Program Files\Java\5cce1c4c.js  Dwm.exe
File opened for modification  C:\Program Files\Windows Mail\lib\6c4647cb.js  Explorer.EXE
File opened for modification  C:\Program Files\Mozilla Firefox\manifest.json  Explorer.EXE
File opened for modification  C:\Program Files\Mozilla Firefox\5cce0f20.js  Explorer.EXE
File opened for modification  C:\Program Files\Java\lib\6c45cbae.js  Dwm.exe
File opened for modification  C:\Program Files\Windows Mail\manifest.json  Explorer.EXE
File opened for modification  C:\Program Files\Windows Mail\5cce86ae.js  Explorer.EXE
File opened for modification  C:\Program Files\Windows Mail\4d56c591.html  Explorer.EXE
File opened for modification  C:\Program Files (x86)\SSeQZcbOLn8UB7.met  Explorer.EXE
File opened for modification  C:\Program Files\DYYTgeQpI4C.sys  Explorer.EXE
File opened for modification  C:\Program Files\UmauX1y0NCIRuv.yzu  Explorer.EXE
File opened for modification  C:\Program Files (x86)\ZxM3EehP4Ek.tjl  Explorer.EXE
File opened for modification  C:\Program Files (x86)\SNOxgAolMpvM5.sys  Explorer.EXE
File opened for modification  C:\Program Files\Mozilla Firefox\4d5661f0.html  Explorer.EXE
File opened for modification  C:\Program Files (x86)\rNK9q5ch2v.jla  Explorer.EXE
File opened for modification  C:\Program Files (x86)\DBPNIYaRdXJ.sys  Explorer.EXE
File opened for modification  C:\Program Files (x86)\403jEmMuSPqsOE.dcm  Explorer.EXE
File opened for modification  C:\Program Files\Mozilla Firefox\lib\6c45bc50.js  Explorer.EXE
File opened for modification  C:\Program Files\Java\3ddebd88.js  Dwm.exe
Drops file in Windows directory 10 IoCs
description  ioc  Process
File opened for modification  C:\Windows\P48itg9tAlE3G.kkh  Explorer.EXE
File opened for modification  C:\Windows\CYZQBdeHFWjt8D.sys  Explorer.EXE
File opened for modification  C:\Windows\pQ53Ks5LKS.trb  Explorer.EXE
File opened for modification  C:\Windows\wAArsC3ifQTL.sys  Explorer.EXE
File opened for modification  C:\Windows\fXoAzxgmuSOV.ilv  Explorer.EXE
File opened for modification  C:\Windows\err_2852.log  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
File created  C:\Windows\J6bkpt.sys  Explorer.EXE
File opened for modification  C:\Windows\jhPE7GwG61.fdd  Explorer.EXE
File opened for modification  C:\Windows\RO5Akibtm0T4H.sys  Explorer.EXE
File opened for modification  C:\Windows\Ai0Itwvn5j6TU.sys  Explorer.EXE
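The file-drop rows above are the most telling part of this report: Explorer.EXE and Dwm.exe are writing randomly named files, many with a `.sys` extension, into the drivers directory, System32, the Windows root and Program Files. Neither process does that on a clean host. The following is an added triage helper for this kind of list, not part of the sandbox output: it takes (description, path, process) rows, flags writes into the drivers directory or `.sys` writes by anything outside a small installer allowlist, and scores random-looking names with a cheap entropy heuristic. The rows are transcribed from the report; the allowlist and the entropy cut-off are assumptions of this example and should be tuned to the environment.

```python
"""Triage file-drop rows from a sandbox report.

Added example for this report, not sandbox code. ROWS are transcribed from
the report's file-drop signatures; DRIVER_WRITERS and the randomness
heuristic are this example's own assumptions."""
import math
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = "60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe"

# (description, ioc, process): transcribed from the report
ROWS = [
    ("File opened for modification", r"C:\Windows\system32\drivers\jTGjvkpR7NIJ.sys", "Explorer.EXE"),
    ("File created", r"C:\Windows\System32\drivers\Y3h6VbmiB.sys", "Explorer.EXE"),
    ("File opened for modification", r"C:\Windows\system32\rqK1rXw7GGmz.fld", "Explorer.EXE"),
    ("File opened for modification", r"C:\Program Files\Java\manifest.json", "Dwm.exe"),
    ("File opened for modification", r"C:\Program Files (x86)\MwY6xopJPSIcXD.sys", "Explorer.EXE"),
    ("File opened for modification", r"C:\Windows\err_2852.log", SAMPLE),
]

# Processes expected to write kernel drivers on a Windows 7 host (assumption for the example).
DRIVER_WRITERS = {"trustedinstaller.exe", "msiexec.exe", "drvinst.exe", "tiworker.exe"}


def looks_random(stem: str) -> bool:
    """Cheap heuristic: long, high-entropy name mixing digits or letter case.
    Real product names ("manifest", "err_2852") stay below the length cut-off."""
    if len(stem) < 9:
        return False
    counts = Counter(stem)
    entropy = -sum(c / len(stem) * math.log2(c / len(stem)) for c in counts.values())
    has_digit = any(ch.isdigit() for ch in stem)
    mixed_case = any(ch.islower() for ch in stem) and any(ch.isupper() for ch in stem)
    return entropy > 3.0 and (has_digit or mixed_case)


def triage_row(description: str, path: str, process: str) -> list:
    """Return the list of reasons a row deserves attention (empty = nothing odd)."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    proc = process.lower()
    reasons = []
    if "drivers" in parts and proc not in DRIVER_WRITERS:
        reasons.append("write into drivers directory by non-installer process")
    if p.suffix.lower() == ".sys" and proc not in DRIVER_WRITERS:
        reasons.append(".sys written by non-installer process")
    if looks_random(p.stem):
        reasons.append("random-looking file name")
    return reasons


def triage(rows) -> dict:
    """Map each ioc path to its reasons; paths with an empty list are benign by these rules."""
    return {path: triage_row(desc, path, proc) for desc, path, proc in rows}


if __name__ == "__main__":
    for path, reasons in triage(ROWS).items():
        print(path, "->", "; ".join(reasons) or "ok")
```

On the transcribed rows the two drivers-directory `.sys` writes collect all three reasons, the Program Files `.sys` write collects two, and `manifest.json` and `err_2852.log` collect none. The reasons are meant to be read together with the process tree: a drop by Explorer.EXE only makes sense once you know what wrote into Explorer.EXE.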
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
pid  Process
1564  timeout.exe
Modifies system certificate store 4 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same value as above)  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same value as above)  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe

Reading the Blob: it is a serialized certificate context, a sequence of (property id, reserved = 1, length, data) records. The records present are 0x0f (signature hash), 0x09 (enhanced key usage), 0x53, 0x0b (friendly name, UTF-16 "C·O·M·O·D·O"), 0x14 (subject key identifier a0110a23...), 0x1d (subject name MD5), 0x03 (SHA-1 thumbprint d1eb23a4...64d8e349, the same value as the key name) and 0x20 (the DER certificate, 1078 bytes). The DER decodes to the self-signed Comodo CA Limited "AAA Certificate Services" root (serial 1, valid 2004-01-01 to 2028-12-31, CA:TRUE, CRL at crl.comodoca.com). AuthRoot is the store that the Windows automatic root update mechanism populates, and the CryptnetUrlCache files listed under Downloads show CryptoAPI fetching data during the run, so this signature is consistent with an automatic root update triggered by a certificate chain build rather than with the sample installing a root of its own. Before reading a "Modifies system certificate store" hit as rogue-root installation, recompute the thumbprint from the embedded certificate and compare it with the key name and with the Microsoft trusted root list.
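The check described above, as an added example that is not part of the sandbox output: a parser for the registry Blob format (repeated property id / reserved / length / data records, which is the layout visible in the hex), a function that recomputes the SHA-1 thumbprint of the embedded DER certificate and compares it with the registry key name, the stored thumbprint property and an allowlist of expected public roots, and a constructed sample blob wrapped around a dummy byte string so the example runs offline. The dummy bytes are not a certificate and no ASN.1 is parsed; the allowlist here holds only the thumbprint from the report and stands in for the Microsoft trusted root list.

```python
"""Parse a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value and
verify that the certificate it carries matches the key name.

Added example for this report, not sandbox code. The record layout
(propid, reserved=1, length, data) is the one shown in the report's hex;
DUMMY_DER and build_blob() are constructed for the demonstration."""
import hashlib
import struct
from typing import Dict

CERT_SHA1_HASH_PROP_ID = 0x03   # stored thumbprint
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20        # the DER-encoded certificate itself

# Key name from the report: SHA-1 thumbprint of the public Comodo "AAA Certificate Services" root.
REPORT_THUMBPRINT = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"
KNOWN_PUBLIC_ROOTS = {REPORT_THUMBPRINT}   # assumption: in practice, the Microsoft trusted root list


def parse_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a serialized certificate context into {propid: data}."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property 0x{propid:02x} at offset {off - 12}")
        props[propid] = blob[off:off + length]
        off += length
    return props


def check_cert_entry(key_name: str, blob: bytes, known_roots=KNOWN_PUBLIC_ROOTS) -> dict:
    """Recompute the thumbprint from the embedded DER and compare it with the
    registry key name, the stored hash property and the allowlist."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (propid 0x20)")
    computed = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    return {
        "thumbprint": computed,
        "matches_key_name": computed == key_name.upper(),
        "matches_stored_hash": computed == stored,
        "known_public_root": computed in known_roots,
        "properties": sorted(props),
    }


def build_blob(der: bytes, friendly_name: str = "") -> bytes:
    """Constructed sample: serialize a certificate the way the store does
    (thumbprint property, optional UTF-16 friendly name, then the certificate)."""
    records = [(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())]
    if friendly_name:
        records.append((CERT_FRIENDLY_NAME_PROP_ID, friendly_name.encode("utf-16-le") + b"\x00\x00"))
    records.append((CERT_CERT_PROP_ID, der))
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


DUMMY_DER = b"\x30\x82\x00\x10" + bytes(range(16))   # constructed placeholder, not a certificate


def demo() -> dict:
    """Run the check on the constructed blob stored under its own (correct) key name."""
    blob = build_blob(DUMMY_DER, "example")
    return check_cert_entry(hashlib.sha1(DUMMY_DER).hexdigest(), blob)


if __name__ == "__main__":
    print(demo())
```

To apply it to the report, paste the hex from the Blob entry into `bytes.fromhex(...)` and call `check_cert_entry(REPORT_THUMBPRINT, blob)`; with the hex intact, the recomputed thumbprint equals the key name and the stored property, and the entry is the known public root rather than an attacker-supplied one. A blob whose recomputed thumbprint differs from its key name, or whose certificate is not on the trusted root list, is the case that deserves the "rogue root" reading.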
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (entries)
2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe  4
1232  Explorer.EXE  32
1160  Dwm.exe  28
Suspicious behavior: LoadsDriver 59 IoCs
pid  Process
464  Process not Found  (59 identical entries; the sandbox has no record of PID 464, so the driver loads cannot be attributed from this report)
Suspicious use of AdjustPrivilegeToken 17 IoCs
description  pid  Process
Token: SeDebugPrivilege  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Token: SeTcbPrivilege  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Token: SeDebugPrivilege  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Token: SeDebugPrivilege  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeIncBasePriorityPrivilege  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeBackupPrivilege  1232  Explorer.EXE
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeDebugPrivilege  1160  Dwm.exe
Token: SeBackupPrivilege  1160  Dwm.exe
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeDebugPrivilege  1232  Explorer.EXE
Token: SeBackupPrivilege  1232  Explorer.EXE
Suspicious use of WriteProcessMemory 30 IoCs
description  pid  Process  procid_target  (entries)
PID 2852 wrote to memory of 1232 (Explorer.EXE)  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe  17  5
PID 2852 wrote to memory of 420 (winlogon.exe)  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe  1  5
PID 2852 wrote to memory of 2344 (cmd.exe)  2852  60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe  32  4
PID 2344 wrote to memory of 1564 (timeout.exe)  2344  cmd.exe  34  4
PID 1232 wrote to memory of 1160 (Dwm.exe)  1232  Explorer.EXE  15  12
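The WriteProcessMemory rows explain why the file drops and privilege changes above are attributed to Explorer.EXE and Dwm.exe: the sample (PID 2852) wrote into Explorer.EXE (1232) and winlogon.exe (420), neither of which is its child, and Explorer.EXE then wrote into Dwm.exe (1160). The upx-flagged memory region in PID 1232 listed earlier is the same story seen from the memory side. The two remaining rows (2852 into cmd.exe 2344, 2344 into timeout.exe 1564) are a parent writing into a process it has just created, which this kind of sandbox records for ordinary process start-up. The following is an added example, not sandbox code, that separates the two cases using the parent links from the process tree and then walks the injection edges backwards so that a drop by Dwm.exe is charged to the sample. The events are transcribed from the report; the process names are only labels.

```python
"""Separate cross-process injection from parent-to-child start-up writes and
attribute later behaviour of an injected-into process to the original injector.

Added example for this report, not sandbox code. WRITES and PARENT are
transcribed from the report's WriteProcessMemory list and process tree."""
from collections import defaultdict

# (writer_pid, target_pid), one entry per distinct pair in the report
WRITES = [(2852, 1232), (2852, 420), (2852, 2344), (2344, 1564), (1232, 1160)]

# child -> parent from the process tree; top-level processes map to None
PARENT = {420: None, 1160: None, 1232: None, 2852: 1232, 2344: 2852, 1564: 2344}

NAMES = {420: "winlogon.exe", 1160: "Dwm.exe", 1232: "Explorer.EXE",
         2852: "60fc4d53...912de06d.exe", 2344: "cmd.exe", 1564: "timeout.exe"}


def injections(writes, parent):
    """Keep only writes whose target is not the writer's own child.
    A parent writing into a process it just spawned (2852 -> 2344, 2344 -> 1564)
    is ordinary start-up and is dropped; everything else is injection."""
    return [(w, t) for w, t in writes if parent.get(t) != w]


def injector_chain(pid, writes, parent):
    """Who wrote into pid, who wrote into them, and so on, in discovery order."""
    by_target = defaultdict(list)
    for w, t in injections(writes, parent):
        by_target[t].append(w)
    chain, seen, frontier = [], set(), [pid]
    while frontier:
        cur = frontier.pop()
        for w in by_target.get(cur, []):
            if w not in seen:
                seen.add(w)
                chain.append(w)
                frontier.append(w)
    return chain


def attribute(pid, writes, parent):
    """The process that should carry the blame for pid's later activity:
    the last injector in the chain, or pid itself if nothing wrote into it."""
    chain = injector_chain(pid, writes, parent)
    return chain[-1] if chain else pid


if __name__ == "__main__":
    for pid in sorted(PARENT):
        owner = attribute(pid, WRITES, PARENT)
        print(f"{pid:5} {NAMES[pid]:<24} -> {owner} {NAMES[owner]}")
```

With the report's data, Dwm.exe resolves to Explorer.EXE and then to 2852, so the manifest.json and .js writes under Program Files by Dwm.exe belong to the sample, as do Explorer's driver drops. The `LoadsDriver` rows cannot be resolved this way because the sandbox has no record of PID 464.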
Processes
C:\Windows\system32\winlogon.exe  winlogon.exe  PID: 420

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID: 1160
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID: 1232
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe  "C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe"  PID: 2852
      - Drops file in Windows directory
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe"  PID: 2344
          - Deletes itself
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\timeout.exe  timeout /t 1  PID: 1564
              - Delays execution with timeout.exe
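The cmd.exe line in the tree is the sample removing its own image: it spawns `cmd.exe /c timeout /t 1 & del /Q /F "<its own path>"`, the one-second timeout giving the parent time to exit before the delete runs (note that the image resolved to SysWOW64, so the sample is a 32-bit process). The distinguishing feature for detection is not `del` but that the deleted path equals the parent's image path. The following is an added example, not sandbox code: a small check over a Sysmon-style process-creation record. The first event is transcribed from the report; the second is constructed as a benign contrast.

```python
"""Detect the "cmd /c timeout /t N & del /Q /F <own image>" self-deletion pattern
from a process-creation event.

Added example for this report, not sandbox code. SELF_DELETE_EVENT is transcribed
from the report (cmd.exe PID 2344, parent = the sample PID 2852); BENIGN_EVENT is
constructed for contrast."""
import re
from typing import Optional

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\60fc4d533a0a52f0879a251180db730a996188f07618ea966d3607ea912de06d.exe")

SELF_DELETE_EVENT = {   # transcribed from the report's process tree
    "image": r"C:\Windows\SysWOW64\cmd.exe",
    "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "' + SAMPLE_IMAGE + '"',
    "parent_image": SAMPLE_IMAGE,
}
BENIGN_EVENT = {        # constructed: a user clearing a leftover file from a shell
    "image": r"C:\Windows\System32\cmd.exe",
    "cmdline": r'cmd.exe /c del /Q "C:\Users\Admin\AppData\Local\Temp\old.exe"',
    "parent_image": r"C:\Windows\explorer.exe",
}

# del/erase, its switches, then a quoted or bare drive path ending in an executable extension
DEL_RE = re.compile(
    r'\b(?:del|erase)\b[^&|"]*"?(?P<target>[A-Za-z]:\\[^"&|]+?\.(?:exe|dll|scr|bat|cmd))"?',
    re.IGNORECASE)
# the usual ways a batch one-liner waits for its parent to exit first
DELAY_RE = re.compile(r'\b(?:timeout|ping|choice)\b', re.IGNORECASE)


def deleted_executable(cmdline: str) -> Optional[str]:
    """Path of the executable a del/erase command removes, or None."""
    m = DEL_RE.search(cmdline)
    return m.group("target") if m else None


def triage_process_event(event: dict) -> dict:
    """self_delete is True only when cmd.exe deletes exactly its parent's image."""
    image = event["image"].lower()
    target = deleted_executable(event["cmdline"]) if image.endswith("\\cmd.exe") else None
    parent = event["parent_image"].lower()
    return {
        "target": target,
        "self_delete": target is not None and target.lower() == parent,
        "delayed": bool(DELAY_RE.search(event["cmdline"])),
    }


if __name__ == "__main__":
    print(triage_process_event(SELF_DELETE_EVENT))
    print(triage_process_event(BENIGN_EVENT))
```

The parent-image comparison is what keeps the rule quiet on installers and cleanup scripts that delete other executables; a `del` of an arbitrary `.exe` is reported in `target` but does not set `self_delete`.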
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A
Filesize: 2KB
MD5: 9ba47a279b7950e198b6076171704bd8
SHA1: 2d40167fb1cffc590d18f00b6ae5a22a7ba2bcab
SHA256: 1d855e013b588989a67757730de9fef0ae45fba49359eeeb9ca7ce03089f75c6
SHA512: d048eb90cc64e568aa36c857a19ab9d4ebbb829716ec397d91fe92ab7cf0e5addbb2928cabfdec043ed46db02b2705a079668184474c08f5e7e57d58122d83c5

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 1KB
MD5: b3e886f0a26b67c1234b30c755341758
SHA1: 8a881fb559672e95834def740fc5ba017879b0db
SHA256: 808b71ea8048ef6e5014fbd1dedbd496516bf963107c8dff13a53d807c60686f
SHA512: 66f612ae244a65d623617290f58bd01b8db16fcb98d9b60dca78adc7b2371bfff0ad03dbb244def434e8f243efcef37337a39a30871c64dcd1f6db6e57f50524

Filesize: 599B
MD5: 3fefedd2d651734aab0aff2f8161db56
SHA1: eda0d013d0db080e6477965234bf4db2aceb215e
SHA256: 4a2a561a396876d9ef6387f7f5394313a82d06945aae92d672a39b3db8cc5f01
SHA512: 0ac825bf61b063f64e93eb4638ebeb63457309068e8a8ac27ea15b79c0ae7968ec1db6df757d74d9350abfd262d2a834ab54ee47f8d04dbb6451f7133072a56e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A
Filesize: 484B
MD5: ad6eee3bc40a4d01931d53dd3050f1ed
SHA1: 31618360c73df64b19ed2ad0d6e12488fcb3a460
SHA256: f9397156fa4e1e02ef0724e2ef970600f62f69ce7a390bfaa38c773f43a26d5c
SHA512: 0e25c56861bda0618cffe9329f031a54966d5759fd05df95af1ef44d33ee2d1bb63785ed664fe7f016abe2e30c8aae8a776dffdae308432785ba2481c7bf3b19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: dbccdcc9c1eb9d0cb0ffd527684f0b7a
SHA1: 613bbcd163182a614845bfe3fcef6a1bc643c862
SHA256: bb15336f806aebd87db85734d81a85684d35a01cfbb704206099dcca2fde2da7
SHA512: bedc030bad4b1e2a006457b82826b9b8c38cdf1653f6f127cd102792361bc7c90de93ef4aa2866527cff84471ce71dff396a8ae91be076e076d51eccf6dd4f68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d1d75c7d7c0610e4757d8584fb705780
SHA1: 595fff22bba4ec4daaf9ac2e48ea5c71a5a709d3
SHA256: e83c5d5be485c93b6991359d722745f24d8466b3da197835c964ff6a1610966b
SHA512: d3b7ccb7b88f7498b94961f79e401135bc9e60453f15be517794f834243d9e08ce61fd1ab6c8fc8dd659735aa3a17a983244a7db1d488107605cb279c895bbf4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize: 482B
MD5: e722777424420d7db5a2e0b0dd481921
SHA1: 0ae284a19cbf46182c84b0408ab71f423a73c991
SHA256: 5bc303c1b965aca9f59b5e8cd988ccc7ae36fc02cc93bc6eb7b2a0d213d05e9c
SHA512: 0d312f65663ef52caf83b9b80725bbd609e183bac7d177457bc7b3df49d9f71a5f2a849d8ce98f7f6b2c17aa70c570ec4eadb19951b3cca0fb01c71b60cd926a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4
Filesize: 504B
MD5: d3a51fc08a8ebd6e79978edac007d197
SHA1: 3a61b400ab126ac21c24a96a3f21207ccf46aa6e
SHA256: 315cbb16bba3dfc1a3264746fd366132af75c33aa376c63d480a1cc4895661a9
SHA512: 263d57f4e80332af94bf1aab478fac6a9692f1849b9549050f9ff3f2d0887f63dc4d72b8604dc0654e875ea0460d49c8a5038be5d033d1bf82a0a926e6f4fd7f

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Filesize: 447KB
MD5: f696aab1d8af39b5bda5edc6b7cc12d6
SHA1: 6cc11c321728608e7c3b202a9d53c39f33d6e8d7
SHA256: 0520e04d912fe979e0382e7285dd919bc0e3e0606a3c398c64e0b799f1613321
SHA512: 9ba2564216e025eba689b46e88ce1322fb6cccac2eba68a9a630ee0b8002c05921a953d67cc1709efb4d9c85361b5a80a56d79fda065b709e67812e704b9f706

Filesize: 415KB
MD5: 64bc1983743c584a9ad09dacf12792e5
SHA1: 0f14098f523d21f11129c4df09451413ddff6d61
SHA256: 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512: 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Filesize: 447KB
MD5: d15f5f23df8036bd5089ce8d151b0e0d
SHA1: 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256: f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512: feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Filesize: 415KB
MD5: 6a091df465562a3766d0fe5635bc3937
SHA1: ea517d7963ea9208de48ed90187c044a6f2869d3
SHA256: bd53820f8615692b08b22cb40644f57336abee92a25b3f075bae19fb3879e4f5
SHA512: f2d2a890d559c2562a22074dfed7f25fc11e96df8de7238609aea87d50ed1f352852cde38b14954c104e0f0d7746980c7b01f0479e1fad67b1ceccfc732968c7