Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 19:04
Static task: static1
Behavioral task: behavioral1
Sample: 368b3822f5dcba598b38b220eecc8787.exe
Resource: win7-20231129-en
General
- Target: 368b3822f5dcba598b38b220eecc8787.exe
- Size: 221KB
- MD5: 368b3822f5dcba598b38b220eecc8787
- SHA1: 028bd579edfa963de3ec8c63b2199df13bed6dca
- SHA256: 8e6e2021f24594178fae898530f54772a4d5a26fa8d30081bb90b48d92f8e5a8
- SHA512: 696a3a78553552c49d7cb81834cdefa57862079fe187ff463ed25a7d3804cb2ba8ef346098900fd3dcc4e274a1dbd547e8441acbe8c9a333be7c45da72ab8c32
- SSDEEP: 6144:daxbtfxcUGkAStG1mCazOyD3qK12kibCoM4Q6D:daxbtf/84G1m9Og68CCt4Q6D
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2836  mscorsvw.exe
  2864  mscorsvw.exe
  2512  OSE.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification (2 IoCs; the signature name is missing from this extract and is taken from the process tree entry for OSE.EXE below)
  description      ioc                                                                                                                                                     Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3627615824-4061627003-3019543961-1000                                     OSE.EXE
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3627615824-4061627003-3019543961-1000\EnableNotifications = "0"  OSE.EXE
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\K:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\M:  OSE.EXE
  File opened (read-only)  \??\Q:  OSE.EXE
  File opened (read-only)  \??\W:  OSE.EXE
  File opened (read-only)  \??\G:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\L:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\N:  OSE.EXE
  File opened (read-only)  \??\V:  OSE.EXE
  File opened (read-only)  \??\Z:  OSE.EXE
  File opened (read-only)  \??\I:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\P:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\U:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\Y:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\J:  OSE.EXE
  File opened (read-only)  \??\R:  OSE.EXE
  File opened (read-only)  \??\W:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\E:  OSE.EXE
  File opened (read-only)  \??\J:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\M:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\O:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\Q:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\T:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\V:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\Y:  OSE.EXE
  File opened (read-only)  \??\P:  OSE.EXE
  File opened (read-only)  \??\T:  OSE.EXE
  File opened (read-only)  \??\H:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\S:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\Z:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\G:  OSE.EXE
  File opened (read-only)  \??\I:  OSE.EXE
  File opened (read-only)  \??\L:  OSE.EXE
  File opened (read-only)  \??\N:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\S:  OSE.EXE
  File opened (read-only)  \??\R:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\X:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\H:  OSE.EXE
  File opened (read-only)  \??\U:  OSE.EXE
  File opened (read-only)  \??\X:  OSE.EXE
  File opened (read-only)  \??\E:  368b3822f5dcba598b38b220eecc8787.exe
  File opened (read-only)  \??\K:  OSE.EXE
  File opened (read-only)  \??\O:  OSE.EXE
- Drops file in System32 directory (36 IoCs)
  description                   ioc                                              Process
  File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe               368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe                368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe        OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe       368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe             OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\lsass.exe                368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\locator.exe              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\lsass.exe                OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe       OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\vds.exe                  OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\svchost.exe              368b3822f5dcba598b38b220eecc8787.exe
  File created                  \??\c:\windows\SysWOW64\dllhost.vir              368b3822f5dcba598b38b220eecc8787.exe
  File created                  \??\c:\windows\SysWOW64\searchindexer.vir        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\svchost.exe              OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe               OSE.EXE
  File opened for modification  \??\c:\windows\syswow64\perfhost.exe             OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe            OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe        OSE.EXE
  File opened for modification  \??\c:\windows\syswow64\perfhost.exe             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe                OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\alg.exe                  368b3822f5dcba598b38b220eecc8787.exe
  File created                  \??\c:\windows\SysWOW64\msiexec.vir              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\vds.exe                  368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe                OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe             OSE.EXE
  File created                  \??\c:\windows\SysWOW64\svchost.vir              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe                368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\SysWOW64\alg.exe                  OSE.EXE
  File opened for modification  \??\c:\windows\SysWOW64\locator.exe              OSE.EXE
- Drops file in Program Files directory (64 IoCs)
  description                   ioc                                                                                        Process
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe                                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe                                         368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe                                          368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe              OSE.EXE
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe                                           368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe                      368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe                                368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe                                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe                                      368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe                                  368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\program files (x86)\microsoft office\office14\groove.exe                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe                                         368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe                           368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe                                          368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe                                              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe                                              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\program files (x86)\microsoft office\office14\groove.exe                            OSE.EXE
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe                                 368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe                                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe                 368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe                                          368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe                                       368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe                                   368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe                                              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe                                              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe                                  368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe                                     368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE                       368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe                                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe                368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe                     368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe                              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe                                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe                                    368b3822f5dcba598b38b220eecc8787.exe
  File created                  \??\c:\program files (x86)\microsoft office\office14\groove.vir                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe                                                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe                                              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe                                        368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe                                            368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe                                  368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe                                      368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe                                    368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\DVD Maker\DVDMaker.exe                                                    368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe          368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe                                      368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe                                                              368b3822f5dcba598b38b220eecc8787.exe
- Drops file in Windows directory (27 IoCs)
  description                   ioc                                                                                                        Process
  File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\ehome\ehrecvr.exe                                                                           368b3822f5dcba598b38b220eecc8787.exe
  File created                  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99218261-3900-4106-8278-DE470508B737}.crmlog  dllhost.exe
  File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                                                              OSE.EXE
  File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe                                368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\ehome\ehrecvr.exe                                                                           OSE.EXE
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe                OSE.EXE
  File created                  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe                                           368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\ehome\ehsched.exe                                                                           368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe                                             OSE.EXE
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe                368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe                                       OSE.EXE
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe                                           OSE.EXE
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe                                OSE.EXE
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe                                       368b3822f5dcba598b38b220eecc8787.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock                                            mscorsvw.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat                                          mscorsvw.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe                                           368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe                                           OSE.EXE
  File opened for modification  \??\c:\windows\ehome\ehsched.exe                                                                           OSE.EXE
  File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{99218261-3900-4106-8278-DE470508B737}.crmlog  dllhost.exe
  File created                  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir                                             368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log                                             mscorsvw.exe
  File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                                                              368b3822f5dcba598b38b220eecc8787.exe
  File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe                                             OSE.EXE
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   Process
  2512  OSE.EXE  (the same pid/process pair, repeated 26 times)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                      pid   Process
  Token: SeTakeOwnershipPrivilege  2204  368b3822f5dcba598b38b220eecc8787.exe
  Token: SeRestorePrivilege        2560  msiexec.exe
  Token: SeTakeOwnershipPrivilege  2560  msiexec.exe
  Token: SeSecurityPrivilege       2560  msiexec.exe
  Token: SeTakeOwnershipPrivilege  2512  OSE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\368b3822f5dcba598b38b220eecc8787.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\368b3822f5dcba598b38b220eecc8787.exe"
  PID: 2204
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  PID: 2836
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  PID: 2696
  - Drops file in Windows directory
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  PID: 2864
  - Executes dropped EXE
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2560
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  PID: 2512
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 300KB
  MD5: f228f45453fba62091ee3f542fa2967f
  SHA1: 16912867da3f40c4e25fb0d502483b16b8315016
  SHA256: 1eb396a66e411d5a520030f225f6b9ca84ecbd74c0e55072dc6fe61970ce7639
  SHA512: 19de2ae158eef6e157db28d8ba23e2d49b6ba30be39f875e6b3dba28513fb4e18bd071a1d18d218de828c32fdc2cc644614feb1e6bba3687b7e31a43562d71b1
- Filesize: 300KB
  MD5: e1de704a05db29b7d520ca0f8bc0aeb9
  SHA1: 18c3416c0a49870063036beb3e0dcd6b8cdf001d
  SHA256: 3e9538ee96e75cc41f018e3f88c6b33f05251c4a663bdb6dfe805a9cb1dbdc11
  SHA512: bef982c5cb401d2b3a1a62ff0b8b5951f63d33c0dab88504672725e4f928295153b9fa41f2d328beffdc18665c4aa2b7e3c2fa28dea1ce0efe742de3f05fe2a6
- Filesize: 219KB
  MD5: 4ea8a06ab65d8ee4f1d722c758f00be0
  SHA1: fb41a780f0ab0714b0ac7d379a1300264db20808
  SHA256: 117c0abc9e9edf13dbb55d6e7fa0a2b8f105439e3a0bc4183efec3d9f9079995
  SHA512: f852c5a901098c1a9a74858025a55b76f4d68ee278b259682b47660441dcd7da8a43092cf8d0054953006a46842e7fe1908cf1fd0a13bce32b281b71f3ea7b88
- Filesize: 384KB
  MD5: 15a46ed835e642a927c2a7ec4ae0f8bc
  SHA1: 7ec43b768828ca090a510768416202f843f1fafe
  SHA256: 3777b26a241cecf480de6831035b1249204c9eeb3c5c870b63c77b622d372a78
  SHA512: 35c787f56faf3836b4adc0c342b26c0354dbf238790f5849925fb413b15c57cd3cd0e1a5bd91d7baad9689b2d34ba29a8517843bbd1b0dd2e90e130782daa229
- Filesize: 250KB
  MD5: 64f7df9282ce11f9b27ee9305b4d86b0
  SHA1: 372a72366513e69e2a4fff06cdbfb38072e90414
  SHA256: 643c5e3044608e254934681ef879532bcec3fa797cffa1c7577e549544898c76
  SHA512: 8495bc6ddf62fe463e746283ace480002d32d0972815a983241a54d1c6970b1c2ae21034aa0e3b2cc782d16f7eb28d4a1e0a646e5281bb3366fe3cb24eb11555
- Filesize: 459KB
  MD5: 8fd7cdf13899bba74640bf5930caa210
  SHA1: 5851de41f8c8d2f7616881f1c2d43e98f73496ee
  SHA256: 8f975842ebc1a09f7d7de198539f22180f684cbbf909d6e21c3289c1b7069586
  SHA512: 4d4dd6019facea2b349de9ac30ad88fffb07ff00890ffa677d0fd54ae27f8c9251659bc07f0812e6ad66e52e444e6efc518ac47724ab1f72db50006c0a6527a2
- Filesize: 578KB
  MD5: 32827f057735b23c77957f6e0dfb3678
  SHA1: ed09c944f081ce75345c1b36f01d0c79a0d0d9fa
  SHA256: 0406071d56e4accf58bd09bba94e4db7c2a81dbbe060af25cc09d759d5ba2665
  SHA512: 053c6e6d160330f0218b35e8abf98de0e573f5c43d3603770af6411b6d62127372c0bfe288adf8c99803ded688549b1328bca9fa340bad7bcd97329ffc787e78
- Filesize: 180KB
  MD5: 73ef34397dd3c8c53884028b634ad82d
  SHA1: 644920fc9e6639e7f45c5ef02ef70df575ff25c5
  SHA256: fc68dff26395c45650be1e054df4e08d89c7a1c939f76d0b50312476d9ae0fd6
  SHA512: 3d4e9a3a65955085f5d02b78471a165fbbc7033898ce8ecc4cc07f70d1410c9a6b1f05fc4724d5ad35465a11186e7bc47641b320516013fbc653ea78c08dd01e