7b9a2506298ce1632a7f3233d5d83d22b89a257715204b1e64bfdf61784751c9

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

462507f254269c493bba5d6b953b6117.exe
Size

456KB
MD5

462507f254269c493bba5d6b953b6117
SHA1

05a2ea36621beff172e1db99594dec2b679ea8a9
SHA256

7b9a2506298ce1632a7f3233d5d83d22b89a257715204b1e64bfdf61784751c9
SHA512

968722ed35e4ab6742e0de6f44407636750968a65d62ec8f88242b84eeb6dcc4204500608d05fafbb6f520623730282418aa14eff2f20cbc66a68ce38fd9bfb8
SSDEEP

12288:z4ik34n1GxipPy4ZNj2mOb/DNlq41TzXe9Yv:z4ik34n15iN/5lq41Tzuq

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	u8kSVi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	heomiu.exe

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
1996	u8kSVi.exe
2260	heomiu.exe
2556	alay.exe
2840	alay.exe
2608	dlay.exe
2336	flay.exe

Loads dropped DLL 14 IoCs

pid	Process
2940	462507f254269c493bba5d6b953b6117.exe
2940	462507f254269c493bba5d6b953b6117.exe
1996	u8kSVi.exe
1996	u8kSVi.exe
2940	462507f254269c493bba5d6b953b6117.exe
2940	462507f254269c493bba5d6b953b6117.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2940	462507f254269c493bba5d6b953b6117.exe
2940	462507f254269c493bba5d6b953b6117.exe
2940	462507f254269c493bba5d6b953b6117.exe
2940	462507f254269c493bba5d6b953b6117.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2840-53-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2840-52-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2840-50-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2840-47-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2840-43-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2840-41-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /O"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /P"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /A"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /Z"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /B"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /I"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /i"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /w"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /x"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /f"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /g"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /b"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /V"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /Y"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /o"	u8kSVi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /M"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /T"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /E"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /m"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /p"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /c"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /X"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /F"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /G"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /k"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /j"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /l"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /y"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /o"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /t"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /W"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /q"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /K"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /N"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /C"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /e"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /d"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /H"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /a"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /r"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /s"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /R"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /h"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /n"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /v"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /D"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /z"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /U"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /S"	heomiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heomiu = "C:\\Users\\Admin\\heomiu.exe /J"	heomiu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2840	2556	alay.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2444	2840	WerFault.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2656	tasklist.exe
1624	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	u8kSVi.exe
1996	u8kSVi.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe
2260	heomiu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	tasklist.exe
Token: SeDebugPrivilege	2336	flay.exe
Token: SeDebugPrivilege	1624	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2940	462507f254269c493bba5d6b953b6117.exe
1996	u8kSVi.exe
2260	heomiu.exe
2556	alay.exe
2608	dlay.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1996	2940	462507f254269c493bba5d6b953b6117.exe	22
PID 2940 wrote to memory of 1996	2940	462507f254269c493bba5d6b953b6117.exe	22
PID 2940 wrote to memory of 1996	2940	462507f254269c493bba5d6b953b6117.exe	22
PID 2940 wrote to memory of 1996	2940	462507f254269c493bba5d6b953b6117.exe	22
PID 1996 wrote to memory of 2260	1996	u8kSVi.exe	37
PID 1996 wrote to memory of 2260	1996	u8kSVi.exe	37
PID 1996 wrote to memory of 2260	1996	u8kSVi.exe	37
PID 1996 wrote to memory of 2260	1996	u8kSVi.exe	37
PID 1996 wrote to memory of 2568	1996	u8kSVi.exe	36
PID 1996 wrote to memory of 2568	1996	u8kSVi.exe	36
PID 1996 wrote to memory of 2568	1996	u8kSVi.exe	36
PID 1996 wrote to memory of 2568	1996	u8kSVi.exe	36
PID 2568 wrote to memory of 2656	2568	cmd.exe	29
PID 2568 wrote to memory of 2656	2568	cmd.exe	29
PID 2568 wrote to memory of 2656	2568	cmd.exe	29
PID 2568 wrote to memory of 2656	2568	cmd.exe	29
PID 2940 wrote to memory of 2556	2940	462507f254269c493bba5d6b953b6117.exe	34
PID 2940 wrote to memory of 2556	2940	462507f254269c493bba5d6b953b6117.exe	34
PID 2940 wrote to memory of 2556	2940	462507f254269c493bba5d6b953b6117.exe	34
PID 2940 wrote to memory of 2556	2940	462507f254269c493bba5d6b953b6117.exe	34
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2556 wrote to memory of 2840	2556	alay.exe	33
PID 2840 wrote to memory of 2444	2840	alay.exe	31
PID 2840 wrote to memory of 2444	2840	alay.exe	31
PID 2840 wrote to memory of 2444	2840	alay.exe	31
PID 2840 wrote to memory of 2444	2840	alay.exe	31
PID 2940 wrote to memory of 2608	2940	462507f254269c493bba5d6b953b6117.exe	32
PID 2940 wrote to memory of 2608	2940	462507f254269c493bba5d6b953b6117.exe	32
PID 2940 wrote to memory of 2608	2940	462507f254269c493bba5d6b953b6117.exe	32
PID 2940 wrote to memory of 2608	2940	462507f254269c493bba5d6b953b6117.exe	32
PID 2940 wrote to memory of 2336	2940	462507f254269c493bba5d6b953b6117.exe	38
PID 2940 wrote to memory of 2336	2940	462507f254269c493bba5d6b953b6117.exe	38
PID 2940 wrote to memory of 2336	2940	462507f254269c493bba5d6b953b6117.exe	38
PID 2940 wrote to memory of 2336	2940	462507f254269c493bba5d6b953b6117.exe	38
PID 2336 wrote to memory of 2992	2336	flay.exe	39
PID 2336 wrote to memory of 2992	2336	flay.exe	39
PID 2336 wrote to memory of 2992	2336	flay.exe	39
PID 2336 wrote to memory of 2992	2336	flay.exe	39
PID 2940 wrote to memory of 3020	2940	462507f254269c493bba5d6b953b6117.exe	42
PID 2940 wrote to memory of 3020	2940	462507f254269c493bba5d6b953b6117.exe	42
PID 2940 wrote to memory of 3020	2940	462507f254269c493bba5d6b953b6117.exe	42
PID 2940 wrote to memory of 3020	2940	462507f254269c493bba5d6b953b6117.exe	42
PID 3020 wrote to memory of 1624	3020	cmd.exe	40
PID 3020 wrote to memory of 1624	3020	cmd.exe	40
PID 3020 wrote to memory of 1624	3020	cmd.exe	40
PID 3020 wrote to memory of 1624	3020	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\462507f254269c493bba5d6b953b6117.exe
"C:\Users\Admin\AppData\Local\Temp\462507f254269c493bba5d6b953b6117.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\u8kSVi.exe
  C:\Users\Admin\u8kSVi.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del u8kSVi.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
- - C:\Users\Admin\heomiu.exe
    "C:\Users\Admin\heomiu.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2260
- C:\Users\Admin\dlay.exe
  C:\Users\Admin\dlay.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Users\Admin\alay.exe
  C:\Users\Admin\alay.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- C:\Users\Admin\flay.exe
  C:\Users\Admin\flay.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 462507f254269c493bba5d6b953b6117.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3020

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 88
1⤵
- Loads dropped DLL
- Program crash
PID:2444

C:\Users\Admin\alay.exe
"C:\Users\Admin\alay.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\heomiu.exe

Filesize
93KB

MD5
21ecd0513bd436bc1b5dfe710c6cc737

SHA1
a11a2d39cd7e5d37b94a8fd768bfa27334aa94c5

SHA256
90fad70b9e022dfb44c8b9c5da8456268b977cf957ef24842062e9d6084981d9

SHA512
62721629ce204ec007afdc65aabe95b655efa57fec3f697fc435505d0fa582fc238d439eb8727560294e537a53ec833a429e9e938978d93dba70a551cd7c801b

Download Submit
\Users\Admin\heomiu.exe

Filesize
92KB

MD5
b6e8f29c9f13f19f6ddd8b711e59ac50

SHA1
a64877f22eb33ff51d4253c228a22087fe06b521

SHA256
26dd333a87795d11d1422f8fc036da053896e44f5c2e89ecd763f544a2142f86

SHA512
c79b6f89770401eb025d7002fe466561b5e94eff458ebde8545f647ecb9ca888907a967edb1fa476eb5e8c7aa9de8a4b48344339297df1506fa9f0712576a1e7

Download Submit
\Users\Admin\u8kSVi.exe

Filesize
248KB

MD5
76a6dee598367ca2ce4e90457622eb62

SHA1
067b85364f34f26292739ea3c04706335c7a9ee4

SHA256
2bae3eab43e8f1761f7aa29d259d9966bc8d8f19303a53f57b7d1d4e9b11929d

SHA512
8125d4643b0cb63496eae85fae0907bb36c82100fd35af76dadb787b82af7d4014f071e63e2bf07021145786e11a64662693c0502cc2ba6df31a4be917c0474f

Download Submit
memory/1996-28-0x0000000003FE0000-0x0000000004A9A000-memory.dmp

Filesize
10.7MB

Download
memory/2336-95-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2336-94-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2336-99-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2336-100-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/2336-101-0x0000000003150000-0x0000000003190000-memory.dmp

Filesize
256KB

Download
memory/2336-82-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2336-83-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2336-93-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2336-78-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2336-79-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2336-80-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2336-81-0x00000000023A0000-0x0000000002406000-memory.dmp

Filesize
408KB

Download
memory/2336-90-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2336-87-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2336-91-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2336-84-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2336-92-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2336-97-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2336-96-0x0000000003150000-0x0000000003190000-memory.dmp

Filesize
256KB

Download
memory/2840-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2840-53-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2840-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2840-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2840-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2840-41-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2840-43-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2840-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download