Analysis
max time kernel: 156s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 14:09
Static task: static1
Behavioral task: behavioral1
  Sample: 74803c97b5e6054b511e635cbfd39141.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 74803c97b5e6054b511e635cbfd39141.exe
  Resource: win10v2004-20231215-en
General
Target: 74803c97b5e6054b511e635cbfd39141.exe
Size: 460KB
MD5: 74803c97b5e6054b511e635cbfd39141
SHA1: 416bf634b6783737e54c11d82fcd48533a3307de
SHA256: 5be35a8bdb8e5f368f3a4637b23cfc7434fc422af605b87d36c01ff6c9bf76b6
SHA512: 36ba2d1e751ead945c2c49a5f921f8e407f556c190cbe38ff6f4841536587cc47336f252adfb410eb678349305586fd6047e7c2fb3698c503452d15fd3832968
SSDEEP: 12288:OlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:OlSt69HNx6T/5xT
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | iBdqphzke5.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nuozaa.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 74803c97b5e6054b511e635cbfd39141.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | iBdqphzke5.exe
Executes dropped EXE 6 IoCs
pid | Process
- 3936 | iBdqphzke5.exe
- 1404 | astat.exe
- 4028 | astat.exe
- 2548 | dstat.exe
- 4492 | nuozaa.exe
- 2692 | fstat.exe
resource | yara_rule
- behavioral2/memory/4028-17-0x0000000000400000-0x000000000040E000-memory.dmp | upx
- behavioral2/memory/4028-20-0x0000000000400000-0x000000000040E000-memory.dmp | upx
- behavioral2/memory/4028-22-0x0000000000400000-0x000000000040E000-memory.dmp | upx
- behavioral2/memory/4028-23-0x0000000000400000-0x000000000040E000-memory.dmp | upx
Adds Run key to start application 2 TTPs 52 IoCs
description | ioc | Process
Key for all 52 entries: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuozaa
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /G" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /y" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /V" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /e" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /v" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /r" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /s" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /S" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /n" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /g" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /B" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /X" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /o" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /R" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /b" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /m" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /K" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /O" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /k" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /Z" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /f" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /C" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /T" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /a" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /M" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /w" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /A" | iBdqphzke5.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /z" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /I" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /J" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /H" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /Y" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /L" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /p" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /d" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /x" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /j" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /i" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /F" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /N" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /t" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /h" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /l" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /P" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /U" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /u" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /W" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /q" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /A" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /D" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /E" | nuozaa.exe
- Set value (str) | nuozaa = "C:\\Users\\Admin\\nuozaa.exe /Q" | nuozaa.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
- PID 1404 set thread context of 4028 | 1404 | astat.exe | 94
- PID 2692 set thread context of 3548 | 2692 | fstat.exe | 110
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
- 2188 | tasklist.exe
- 4640 | tasklist.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 3936 | iBdqphzke5.exe
- 3936 | iBdqphzke5.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 3936 | iBdqphzke5.exe
- 3936 | iBdqphzke5.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
- 4492 | nuozaa.exe
- 4492 | nuozaa.exe
- 4028 | astat.exe
- 4028 | astat.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 4640 | tasklist.exe
- Token: SeDebugPrivilege | 2692 | fstat.exe
- Token: SeDebugPrivilege | 2188 | tasklist.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
- 4380 | 74803c97b5e6054b511e635cbfd39141.exe
- 3936 | iBdqphzke5.exe
- 1404 | astat.exe
- 2548 | dstat.exe
- 4492 | nuozaa.exe
Suspicious use of WriteProcessMemory 51 IoCs
description | pid | Process | procid_target
- PID 4380 wrote to memory of 3936 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 90
- PID 4380 wrote to memory of 3936 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 90
- PID 4380 wrote to memory of 3936 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 90
- PID 4380 wrote to memory of 1404 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 93
- PID 4380 wrote to memory of 1404 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 93
- PID 4380 wrote to memory of 1404 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 93
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 1404 wrote to memory of 4028 | 1404 | astat.exe | 94
- PID 4380 wrote to memory of 2548 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 95
- PID 4380 wrote to memory of 2548 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 95
- PID 4380 wrote to memory of 2548 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 95
- PID 3936 wrote to memory of 4492 | 3936 | iBdqphzke5.exe | 96
- PID 3936 wrote to memory of 4492 | 3936 | iBdqphzke5.exe | 96
- PID 3936 wrote to memory of 4492 | 3936 | iBdqphzke5.exe | 96
- PID 3936 wrote to memory of 1308 | 3936 | iBdqphzke5.exe | 97
- PID 3936 wrote to memory of 1308 | 3936 | iBdqphzke5.exe | 97
- PID 3936 wrote to memory of 1308 | 3936 | iBdqphzke5.exe | 97
- PID 1308 wrote to memory of 4640 | 1308 | cmd.exe | 99
- PID 1308 wrote to memory of 4640 | 1308 | cmd.exe | 99
- PID 1308 wrote to memory of 4640 | 1308 | cmd.exe | 99
- PID 4492 wrote to memory of 4640 | 4492 | nuozaa.exe | 99
- PID 4492 wrote to memory of 4640 | 4492 | nuozaa.exe | 99
- PID 4380 wrote to memory of 2692 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 109
- PID 4380 wrote to memory of 2692 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 109
- PID 4380 wrote to memory of 2692 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 109
- PID 4492 wrote to memory of 2692 | 4492 | nuozaa.exe | 109
- PID 4492 wrote to memory of 2692 | 4492 | nuozaa.exe | 109
- PID 4492 wrote to memory of 2692 | 4492 | nuozaa.exe | 109
- PID 4492 wrote to memory of 2692 | 4492 | nuozaa.exe | 109
- PID 4492 wrote to memory of 2692 | 4492 | nuozaa.exe | 109
- PID 4492 wrote to memory of 2692 | 4492 | nuozaa.exe | 109
- PID 2692 wrote to memory of 3548 | 2692 | fstat.exe | 110
- PID 2692 wrote to memory of 3548 | 2692 | fstat.exe | 110
- PID 2692 wrote to memory of 3548 | 2692 | fstat.exe | 110
- PID 2692 wrote to memory of 3548 | 2692 | fstat.exe | 110
- PID 4380 wrote to memory of 4588 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 112
- PID 4380 wrote to memory of 4588 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 112
- PID 4380 wrote to memory of 4588 | 4380 | 74803c97b5e6054b511e635cbfd39141.exe | 112
- PID 4588 wrote to memory of 2188 | 4588 | cmd.exe | 114
- PID 4588 wrote to memory of 2188 | 4588 | cmd.exe | 114
- PID 4588 wrote to memory of 2188 | 4588 | cmd.exe | 114
- PID 4492 wrote to memory of 2188 | 4492 | nuozaa.exe | 114
- PID 4492 wrote to memory of 2188 | 4492 | nuozaa.exe | 114
- PID 4492 wrote to memory of 2188 | 4492 | nuozaa.exe | 114
- PID 4492 wrote to memory of 2188 | 4492 | nuozaa.exe | 114
Processes
- C:\Users\Admin\AppData\Local\Temp\74803c97b5e6054b511e635cbfd39141.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74803c97b5e6054b511e635cbfd39141.exe"
  PID: 4380
  Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\iBdqphzke5.exe
    Command line: C:\Users\Admin\iBdqphzke5.exe
    PID: 3936
    Signatures: Modifies visibility of hidden/system files in Explorer; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\nuozaa.exe
      Command line: "C:\Users\Admin\nuozaa.exe"
      PID: 4492
      Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
      PID: 1308
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        PID: 4640
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\astat.exe
    Command line: C:\Users\Admin\astat.exe
    PID: 1404
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\astat.exe
      Command line: "C:\Users\Admin\astat.exe"
      PID: 4028
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\dstat.exe
    Command line: C:\Users\Admin\dstat.exe
    PID: 2548
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\fstat.exe
    Command line: C:\Users\Admin\fstat.exe
    PID: 2692
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 3548
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 74803c97b5e6054b511e635cbfd39141.exe
    PID: 4588
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2188
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
Downloads