3d5f832d20a62ba11f9c5cad7202bdd16e711f13ddb95f37654bf0eb01c300b6

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 21:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12ce865f30cf09fb1695d51e65f4a3b4.exe
Size

460KB
MD5

12ce865f30cf09fb1695d51e65f4a3b4
SHA1

582b66806b08e0b02bf4fc4dd4dfdca200c7cc20
SHA256

3d5f832d20a62ba11f9c5cad7202bdd16e711f13ddb95f37654bf0eb01c300b6
SHA512

5d7a64cb3a0f6cec3603f84d9ce645a3de9eb80bc4de2a8974fcabc8593ba03fa370fd47f15af097e35061eb33ee214b10ca3fa69412080f71392066983a32ca
SSDEEP

12288:WlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:WlSt69HNx6T/5xT

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xiuro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	iBdqphzke5.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	12ce865f30cf09fb1695d51e65f4a3b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	iBdqphzke5.exe

Executes dropped EXE 6 IoCs

pid	Process
2636	iBdqphzke5.exe
4796	astat.exe
1328	astat.exe
4572	xiuro.exe
4984	dstat.exe
4308	fstat.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1328-42-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1328-45-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1328-48-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1328-46-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /G"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /g"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /y"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /I"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /B"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /o"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /J"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /b"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /K"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /h"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /i"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /p"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /W"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /n"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /X"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /T"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /k"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /s"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /d"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /l"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /U"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /z"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /j"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /N"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /D"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /C"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /V"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /M"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /S"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /F"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /q"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /q"	iBdqphzke5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /r"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /u"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /A"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /Q"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /P"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /c"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /x"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /O"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /L"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /E"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /Z"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /v"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /t"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /f"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /H"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /m"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /R"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /e"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /a"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /Y"	xiuro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuro = "C:\\Users\\Admin\\xiuro.exe /w"	xiuro.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 1328	4796	astat.exe	95
PID 4308 set thread context of 3752	4308	fstat.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4256	tasklist.exe
4772	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	iBdqphzke5.exe
2636	iBdqphzke5.exe
1328	astat.exe
1328	astat.exe
2636	iBdqphzke5.exe
2636	iBdqphzke5.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
1328	astat.exe
1328	astat.exe
1328	astat.exe
1328	astat.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe
4572	xiuro.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	tasklist.exe
Token: SeDebugPrivilege	4308	fstat.exe
Token: SeDebugPrivilege	4772	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3260	12ce865f30cf09fb1695d51e65f4a3b4.exe
2636	iBdqphzke5.exe
4796	astat.exe
4572	xiuro.exe
4984	dstat.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2636	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	92
PID 3260 wrote to memory of 2636	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	92
PID 3260 wrote to memory of 2636	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	92
PID 3260 wrote to memory of 4796	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	94
PID 3260 wrote to memory of 4796	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	94
PID 3260 wrote to memory of 4796	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	94
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 4796 wrote to memory of 1328	4796	astat.exe	95
PID 2636 wrote to memory of 4572	2636	iBdqphzke5.exe	96
PID 2636 wrote to memory of 4572	2636	iBdqphzke5.exe	96
PID 2636 wrote to memory of 4572	2636	iBdqphzke5.exe	96
PID 2636 wrote to memory of 4776	2636	iBdqphzke5.exe	97
PID 2636 wrote to memory of 4776	2636	iBdqphzke5.exe	97
PID 2636 wrote to memory of 4776	2636	iBdqphzke5.exe	97
PID 3260 wrote to memory of 4984	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	99
PID 3260 wrote to memory of 4984	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	99
PID 3260 wrote to memory of 4984	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	99
PID 4776 wrote to memory of 4256	4776	cmd.exe	100
PID 4776 wrote to memory of 4256	4776	cmd.exe	100
PID 4776 wrote to memory of 4256	4776	cmd.exe	100
PID 3260 wrote to memory of 4308	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	115
PID 3260 wrote to memory of 4308	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	115
PID 3260 wrote to memory of 4308	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	115
PID 4308 wrote to memory of 3752	4308	fstat.exe	118
PID 4308 wrote to memory of 3752	4308	fstat.exe	118
PID 4308 wrote to memory of 3752	4308	fstat.exe	118
PID 4308 wrote to memory of 3752	4308	fstat.exe	118
PID 4572 wrote to memory of 3752	4572	xiuro.exe	118
PID 4572 wrote to memory of 3752	4572	xiuro.exe	118
PID 4572 wrote to memory of 3752	4572	xiuro.exe	118
PID 4572 wrote to memory of 3752	4572	xiuro.exe	118
PID 3260 wrote to memory of 1720	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	120
PID 3260 wrote to memory of 1720	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	120
PID 3260 wrote to memory of 1720	3260	12ce865f30cf09fb1695d51e65f4a3b4.exe	120
PID 1720 wrote to memory of 4772	1720	cmd.exe	121
PID 1720 wrote to memory of 4772	1720	cmd.exe	121
PID 1720 wrote to memory of 4772	1720	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\12ce865f30cf09fb1695d51e65f4a3b4.exe
"C:\Users\Admin\AppData\Local\Temp\12ce865f30cf09fb1695d51e65f4a3b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\iBdqphzke5.exe
  C:\Users\Admin\iBdqphzke5.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\xiuro.exe
    "C:\Users\Admin\xiuro.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4256
- C:\Users\Admin\astat.exe
  C:\Users\Admin\astat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\astat.exe
    "C:\Users\Admin\astat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
- C:\Users\Admin\dstat.exe
  C:\Users\Admin\dstat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4984
- C:\Users\Admin\fstat.exe
  C:\Users\Admin\fstat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 12ce865f30cf09fb1695d51e65f4a3b4.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\dstat.exe

Filesize
36KB

MD5
b6da847084e39e0cecf175c32c91b4bb

SHA1
fbfd9494fabed5220cdf01866ff088fe7adc535b

SHA256
065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

SHA512
59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Download Submit
C:\Users\Admin\fstat.exe

Filesize
271KB

MD5
34353cf7e1d1b10bcbbcae0745110535

SHA1
2fb471681daac6f6d66477b7772025da4f58c508

SHA256
b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

SHA512
7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

Download Submit
C:\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
C:\Users\Admin\xiuro.exe

Filesize
244KB

MD5
4fa5bbc07ce013da7bac45d7db719699

SHA1
6c6c66d1ccb8b41200e182ae36ab43dd17ee18e5

SHA256
6cdbc6a7f32e3b9cb707ad6adb04c7107e0fcb0e1f8d12e8f3c00d79c6eb182a

SHA512
fb943fe5cd9b1a7008b088bf7c2c1945bafde5f9706c747537b65cccfb18fc0223c696a47676b1a8bae44c3617fe97e0dfa0f0e9f1e4abfe80b88d7010970e2c

Download Submit
memory/1328-45-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1328-46-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1328-48-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1328-42-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4308-77-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-76-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4308-79-0x0000000002840000-0x0000000002886000-memory.dmp

Filesize
280KB

Download
memory/4308-78-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-80-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/4308-81-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-83-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-84-0x0000000002840000-0x0000000002886000-memory.dmp

Filesize
280KB

Download