3eacab2a9cf4b29a6cf553d416418b87a5790992a3aec606ba9bac6f9fa3fd83

Analysis

max time kernel
3s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d0865d13976c39e606368a3a523ea13.exe
Size

361KB
MD5

0d0865d13976c39e606368a3a523ea13
SHA1

532971503cfb3d4bc3d4157e47a29d9a4b367210
SHA256

3eacab2a9cf4b29a6cf553d416418b87a5790992a3aec606ba9bac6f9fa3fd83
SHA512

a323255c3986140d1548f407e315597c6bc25f70af17c554ee7d6d82b4eaee754b57c04ed7098c55c8528130f8dec0b0331a374c3027a2b0c7bf50d98b6d979f
SSDEEP

6144:MflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:MflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
184	omgeywrojgbztrlj.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5040	ipconfig.exe
3028	ipconfig.exe
4940	ipconfig.exe
2704	ipconfig.exe
556	ipconfig.exe
4396	ipconfig.exe
4416	ipconfig.exe
1768	ipconfig.exe
4160	ipconfig.exe
4768	ipconfig.exe
2404	ipconfig.exe
2040	ipconfig.exe
4432	ipconfig.exe
1632	ipconfig.exe
3684	ipconfig.exe
1156	ipconfig.exe
392	ipconfig.exe
4016	ipconfig.exe
2816	ipconfig.exe
4840	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6BFE2229-A355-11EE-9ECD-F68B0B0A1028} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
184	omgeywrojgbztrlj.exe
184	omgeywrojgbztrlj.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
184	omgeywrojgbztrlj.exe
184	omgeywrojgbztrlj.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
184	omgeywrojgbztrlj.exe
184	omgeywrojgbztrlj.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
184	omgeywrojgbztrlj.exe
184	omgeywrojgbztrlj.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
184	omgeywrojgbztrlj.exe
184	omgeywrojgbztrlj.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
184	omgeywrojgbztrlj.exe
184	omgeywrojgbztrlj.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
184	omgeywrojgbztrlj.exe
184	omgeywrojgbztrlj.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe
2264	0d0865d13976c39e606368a3a523ea13.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1140	iexplore.exe
1140	iexplore.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 184	2264	0d0865d13976c39e606368a3a523ea13.exe	92
PID 2264 wrote to memory of 184	2264	0d0865d13976c39e606368a3a523ea13.exe	92
PID 2264 wrote to memory of 184	2264	0d0865d13976c39e606368a3a523ea13.exe	92
PID 2264 wrote to memory of 1140	2264	0d0865d13976c39e606368a3a523ea13.exe	93
PID 2264 wrote to memory of 1140	2264	0d0865d13976c39e606368a3a523ea13.exe	93
PID 1140 wrote to memory of 2340	1140	iexplore.exe	94
PID 1140 wrote to memory of 2340	1140	iexplore.exe	94
PID 1140 wrote to memory of 2340	1140	iexplore.exe	94

C:\Users\Admin\AppData\Local\Temp\0d0865d13976c39e606368a3a523ea13.exe
"C:\Users\Admin\AppData\Local\Temp\0d0865d13976c39e606368a3a523ea13.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Temp\omgeywrojgbztrlj.exe
  C:\Temp\omgeywrojgbztrlj.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:184
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wtomgeywro.exe ups_run
    3⤵
    PID:2552
  - - C:\Temp\wtomgeywro.exe
      C:\Temp\wtomgeywro.exe ups_run
      4⤵
      PID:4988
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wtomgeywro.exe ups_ins
    3⤵
    PID:3368
  - - C:\windows\system32\ipconfig.exe
      C:\windows\system32\ipconfig.exe /release
      4⤵
      Gathers network information
      PID:1632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qojgbztrlj.exe ups_run
    3⤵
    PID:1520
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qojgbztrlj.exe ups_ins
    3⤵
    PID:3100
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigaytqlid.exe ups_run
    3⤵
    PID:3440
  - - C:\Temp\oigaytqlid.exe
      C:\Temp\oigaytqlid.exe ups_run
      4⤵
      PID:336
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigaytqlid.exe ups_ins
    3⤵
    PID:1380
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nifaysqkid.exe ups_run
    3⤵
    PID:4904
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nifaysqkid.exe ups_ins
    3⤵
    PID:4468
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfaxsqkic.exe ups_run
    3⤵
    PID:540
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfaxsqkic.exe ups_ins
    3⤵
    PID:4812
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\snkfcxvpnh.exe ups_run
    3⤵
    PID:4708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_snkfcxvpnh.exe ups_ins
    3⤵
    PID:1708
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkhcausmke.exe ups_run
    3⤵
    PID:3920
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkhcausmke.exe ups_ins
    3⤵
    PID:4460
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhczurmkec.exe ups_run
    3⤵
    PID:3112
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhczurmkec.exe ups_ins
    3⤵
    PID:4768
  - - C:\Temp\i_rojhbztrlj.exe
      C:\Temp\i_rojhbztrlj.exe ups_ins
      4⤵
      PID:4904
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbztrmjeb.exe ups_run
    3⤵
    PID:4496
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbztrmjeb.exe ups_ins
    3⤵
    PID:556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rojhbztrlj.exe ups_run
    3⤵
    PID:4212
  - - C:\Temp\rojhbztrlj.exe
      C:\Temp\rojhbztrlj.exe ups_run
      4⤵
      PID:3216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rojhbztrlj.exe ups_ins
    3⤵
    PID:4768
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\olgeywqojg.exe ups_run
    3⤵
    PID:4204
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_olgeywqojg.exe ups_ins
    3⤵
    PID:3844
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nlgdywqoig.exe ups_run
    3⤵
    PID:1480
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nlgdywqoig.exe ups_ins
    3⤵
    PID:1120
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kicavsnlfd.exe ups_run
    3⤵
    PID:4516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kicavsnlfd.exe ups_ins
    3⤵
    PID:1104
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qkicavsnkf.exe ups_run
    3⤵
    PID:948
  - - C:\Temp\qkicavsnkf.exe
      C:\Temp\qkicavsnkf.exe ups_run
      4⤵
      PID:3220
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qkicavsnkf.exe ups_ins
    3⤵
    PID:5040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nkfcxvpnhf.exe ups_run
    3⤵
    PID:1524
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nkfcxvpnhf.exe ups_ins
    3⤵
    PID:1756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhczusmkec.exe ups_run
    3⤵
    PID:2032
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhczusmkec.exe ups_ins
    3⤵
    PID:2016
  - - C:\Temp\i_jhczusmkec.exe
      C:\Temp\i_jhczusmkec.exe ups_ins
      4⤵
      PID:1540
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\secwuomhez.exe ups_run
    3⤵
    PID:1688
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_secwuomhez.exe ups_ins
    3⤵
    PID:4544
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mgezwrojhb.exe ups_run
    3⤵
    PID:1676
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mgezwrojhb.exe ups_ins
    3⤵
    PID:4040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jebwtomgey.exe ups_run
    3⤵
    PID:2740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jebwtomgey.exe ups_ins
    3⤵
    PID:1280
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gdywqoigay.exe ups_run
    3⤵
    PID:2004
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17410 /prefetch:2
    3⤵
    PID:2340

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2704

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1480
- C:\Temp\nlgdywqoig.exe
  C:\Temp\nlgdywqoig.exe ups_run
  2⤵
  PID:1380
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
    3⤵
    PID:3164

C:\Temp\i_wtomgeywro.exe
C:\Temp\i_wtomgeywro.exe ups_ins
1⤵
PID:4320

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:556
- C:\Temp\i_jhbztrmjeb.exe
  C:\Temp\i_jhbztrmjeb.exe ups_ins
  2⤵
  PID:2332

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2816

C:\Temp\qojgbztrlj.exe
C:\Temp\qojgbztrlj.exe ups_run
1⤵
PID:3260

C:\Temp\i_qojgbztrlj.exe
C:\Temp\i_qojgbztrlj.exe ups_ins
1⤵
PID:2836

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:392

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:5060

C:\Temp\i_oigaytqlid.exe
C:\Temp\i_oigaytqlid.exe ups_ins
1⤵
PID:2128

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4416

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2556
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:2964

C:\Temp\nifaysqkid.exe
C:\Temp\nifaysqkid.exe ups_run
1⤵
PID:372

C:\Temp\i_nifaysqkid.exe
C:\Temp\i_nifaysqkid.exe ups_ins
1⤵
PID:1476

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4768
- C:\Temp\i_jhczurmkec.exe
  C:\Temp\i_jhczurmkec.exe ups_ins
  2⤵
  PID:1184

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:4212

C:\Temp\nhfaxsqkic.exe
C:\Temp\nhfaxsqkic.exe ups_run
1⤵
PID:988

C:\Temp\i_nhfaxsqkic.exe
C:\Temp\i_nhfaxsqkic.exe ups_ins
1⤵
PID:2928

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4016

C:\Temp\snkfcxvpnh.exe
C:\Temp\snkfcxvpnh.exe ups_run
1⤵
PID:2556

C:\Temp\i_snkfcxvpnh.exe
C:\Temp\i_snkfcxvpnh.exe ups_ins
1⤵
PID:1752

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2816

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:5088

C:\Temp\pkhcausmke.exe
C:\Temp\pkhcausmke.exe ups_run
1⤵
PID:4620

C:\Temp\i_pkhcausmke.exe
C:\Temp\i_pkhcausmke.exe ups_ins
1⤵
PID:3100

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:2040

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:3204

C:\Temp\jhczurmkec.exe
C:\Temp\jhczurmkec.exe ups_run
1⤵
PID:3684

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:4396

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:3432

C:\Temp\jhbztrmjeb.exe
C:\Temp\jhbztrmjeb.exe ups_run
1⤵
PID:4664

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:624
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:4432

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:3832
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:2404

C:\Temp\olgeywqojg.exe
C:\Temp\olgeywqojg.exe ups_run
1⤵
PID:1756
- C:\Temp\i_nkfcxvpnhf.exe
  C:\Temp\i_nkfcxvpnhf.exe ups_ins
  2⤵
  PID:1276

C:\Temp\i_olgeywqojg.exe
C:\Temp\i_olgeywqojg.exe ups_ins
1⤵
PID:1156

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:5040
- C:\Temp\i_qkicavsnkf.exe
  C:\Temp\i_qkicavsnkf.exe ups_ins
  2⤵
  PID:3584

C:\Temp\i_nlgdywqoig.exe
C:\Temp\i_nlgdywqoig.exe ups_ins
1⤵
PID:4832

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1632
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:3028

C:\Temp\kicavsnlfd.exe
C:\Temp\kicavsnlfd.exe ups_run
1⤵
PID:1108

C:\Temp\i_kicavsnlfd.exe
C:\Temp\i_kicavsnlfd.exe ups_ins
1⤵
PID:4824

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1768

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:4188

C:\Temp\nkfcxvpnhf.exe
C:\Temp\nkfcxvpnhf.exe ups_run
1⤵
PID:4960
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:3368

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:4012
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:3684
- - C:\windows\system32\ipconfig.exe
    C:\windows\system32\ipconfig.exe /release
    3⤵
    - Gathers network information
    PID:4940

C:\Temp\jhczusmkec.exe
C:\Temp\jhczusmkec.exe ups_run
1⤵
PID:4804

C:\Temp\secwuomhez.exe
C:\Temp\secwuomhez.exe ups_run
1⤵
PID:768
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:5068

C:\windows\system32\ipconfig.exe
C:\windows\system32\ipconfig.exe /release
1⤵
- Gathers network information
PID:1156

C:\Temp\i_secwuomhez.exe
C:\Temp\i_secwuomhez.exe ups_ins
1⤵
PID:4516

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:2536
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:4160

C:\Temp\mgezwrojhb.exe
C:\Temp\mgezwrojhb.exe ups_run
1⤵
PID:2780

C:\Temp\i_mgezwrojhb.exe
C:\Temp\i_mgezwrojhb.exe ups_ins
1⤵
PID:348

C:\temp\CreateProcess.exe
C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
1⤵
PID:1092
- C:\windows\system32\ipconfig.exe
  C:\windows\system32\ipconfig.exe /release
  2⤵
  - Gathers network information
  PID:4840

C:\Temp\jebwtomgey.exe
C:\Temp\jebwtomgey.exe ups_run
1⤵
PID:2232

C:\Temp\i_jebwtomgey.exe
C:\Temp\i_jebwtomgey.exe ups_ins
1⤵
PID:2876

C:\Temp\gdywqoigay.exe
C:\Temp\gdywqoigay.exe ups_run
1⤵
PID:4480
- C:\temp\CreateProcess.exe
  C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
  2⤵
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\jhbztrmjeb.exe

Filesize
361KB

MD5
c24b33e5419daca12ed1de7c4c9cfc38

SHA1
ddcd7fe8b1789e524d77a13956133d3eaf0ad40b

SHA256
5bbc8e6d560ebf3de924cbc223be96380c904422871ea3f7a3fca39b65a986f0

SHA512
f12cebefb4e8a4eece34671be4d1bc5889d38bf534783fdb9827fd9066fa1c12b1f34cb5bad3ce752940374c749383dc0b32b49f3924adfdcaa570708eb80674

Download Submit
C:\Temp\jhbztrmjeb.exe

Filesize
92KB

MD5
10e0e5c5ae13b3814591079142ee4c76

SHA1
a550f3490b376b338e9583fb194dc76e36eea14c

SHA256
a8b2e6119fa5b061c3cfffe50b154343b044e4f6da0c24c16434c09af009b22e

SHA512
9fad49664bca334e85e52e2186e37a45615687f42b8f3c1da34b43ad106397abd9cdc368e2e4f8a4f049615285235713c71149ad340ba0884c2f2e505a7df270

Download Submit
C:\Temp\omgeywrojgbztrlj.exe

Filesize
361KB

MD5
ca7cb8117eb9f56ff3bf9b271d202ff6

SHA1
6e4590f0acad2e3f1862d64ec6dfe35ecd3b44cd

SHA256
a6956bb28c1568f1f55cf3b4ed9b8d036454db2c2c6648fa4f517115976167c8

SHA512
a9047188b477ce0124cb2c543cd18d7b11b6ef4b063327c6ca389db358575fe32a645b4b49beb073937d22c0aa57f3ebd4cbbab54f7eaff3abcf85c65156afad

Download Submit
C:\Temp\omgeywrojgbztrlj.exe

Filesize
92KB

MD5
3133d5c15c46ccfb9d5d8b60bef24fe4

SHA1
cdb583b06b1317c6cae4a9d0fb3f07429210aec0

SHA256
ca8172581a5c4f815998ee2fe62a602e591976c3f4b950903f0c3d4e148ddf8d

SHA512
992f232ee056b0258a833662dd5f6e2bf1f222262bbd3eaf06ce24421721359ee557b823f1e817ddb3a56dd69db159661ee3a166b77ffea3fcc6cca245952d64

Download Submit
C:\Temp\wtomgeywro.exe

Filesize
361KB

MD5
16252f0eb8e4f58635054f791f73cc93

SHA1
8df83992767d24465fd2562befe0f804d9292b23

SHA256
84fb30e6b36c1a4a5dc1cbc01ff392c2c54ce36c1be026f0044ba2adfe3098e5

SHA512
c3deafb437c9fb5f011be5130fbc75d29f9159153aea6ace3c80338afae360dbb53bd1c2d8d735a044c25fae22602bde1102e9a8b3acbd711f3a67176de95c4c

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
c41f5ceac2d70d838d6b41965872e697

SHA1
c287823cea9ae8ef151f89874e338eac9231fe72

SHA256
7256aa1a39f12d39af9ee0d99b3e76f0f55ee8047214235e69d61ab30ae9340a

SHA512
d0a6ba9f423eaa8f90eebc14c81063458c09d7ac30ae1ef6111dc4dd5e570f414b2b5ffbdae50b7fe4a41a281860dc81c09ce3e0e40210468d8550c2de0bffa8

Download Submit