7c845109aef9d82f21a3e27e4177347ba5e9297fb95eb8b6cd45baf088895c31

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a17a36109ade863e28497b4273e7cb8.exe
Size

361KB
MD5

7a17a36109ade863e28497b4273e7cb8
SHA1

8e6d9d76c4cb26273f77730b3be28bc63faacb0a
SHA256

7c845109aef9d82f21a3e27e4177347ba5e9297fb95eb8b6cd45baf088895c31
SHA512

d5fe38a6fb3198545ae6df187cabd1fc44def196d7408d01650f40f07e68b9ce9fd295bf3b9bf14e951c5d1cdb7f74d789fc400545cee1cd90c0e6a441eb2ef7
SSDEEP

6144:BflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:BflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 36 IoCs

pid	Process
2472	davtnifaysmkfcxr.exe
2900	CreateProcess.exe
2596	wtoigaytnl.exe
2392	CreateProcess.exe
1396	CreateProcess.exe
1712	i_wtoigaytnl.exe
1740	CreateProcess.exe
1060	aysnkfcxrp.exe
556	CreateProcess.exe
2856	CreateProcess.exe
312	i_aysnkfcxrp.exe
2100	CreateProcess.exe
2188	tnhfaxsmkf.exe
1408	CreateProcess.exe
384	CreateProcess.exe
436	i_tnhfaxsmkf.exe
1944	CreateProcess.exe
1664	ecwuojgbzt.exe
1812	CreateProcess.exe
2672	CreateProcess.exe
2804	i_ecwuojgbzt.exe
2180	CreateProcess.exe
2880	vtoigaysnl.exe
2300	CreateProcess.exe
2348	CreateProcess.exe
2284	i_vtoigaysnl.exe
612	CreateProcess.exe
1516	geywqljdbv.exe
268	CreateProcess.exe
2860	CreateProcess.exe
608	i_geywqljdbv.exe
1364	CreateProcess.exe
2612	lgdywqkida.exe
1368	CreateProcess.exe
1052	CreateProcess.exe
2040	i_lgdywqkida.exe

Loads dropped DLL 23 IoCs

pid	Process
1632	7a17a36109ade863e28497b4273e7cb8.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2596	wtoigaytnl.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
1060	aysnkfcxrp.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2188	tnhfaxsmkf.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
1664	ecwuojgbzt.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2880	vtoigaysnl.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
1516	geywqljdbv.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2612	lgdywqkida.exe
2472	davtnifaysmkfcxr.exe

Gathers network information 2 TTPs 7 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1884	ipconfig.exe
1280	ipconfig.exe
1188	ipconfig.exe
520	ipconfig.exe
1472	ipconfig.exe
832	ipconfig.exe
1080	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5DD6340-A534-11EE-9324-DED0D00124D2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409897473"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd76917334189000000000200000000001066000000010000200000003088862ed00a3618ea8c9287b2a8f3ed105ab9dc72e8f9545409148a2a0e608c000000000e8000000002000020000000bf6bbe23539656ebaa1898f55be0a1a5a5dfb42ac4f1612d98d4e3e8375475a820000000da66f2d9133ef1c623e75b44bde0619b1c50bc29f8ab02bea0dcf47a807d0dae400000007bc56d43d49ae02981a3a9d643d7465b66382cdc9e75ced99b21baf7feaa4368e939fdd247ad44595aae586bc21166339b82eedf3710584169a77e87bdc85ad2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5050bf804139da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000429d3af34477a14f8b2dd769173341890000000002000000000010660000000100002000000069f74efc36f33ab9125facb26d3ec01fdeb095082234ffa076487f4edd8fd16d000000000e8000000002000020000000f32a183e34a8708d56af9baa78abe3ccd60c7b8b3c426155e7862f865b41d9359000000097f7ed9e907ab6829a33e439f154c3657e2aa3e88b61b0399b1665cb080d906330725548dd1977d4df0f212116a9653a1dc3103e4e214ce8d8659ab3d1e1c136c158eff7ed0cb8cf55c1fe1849978b42edf4d8d703a03151bc475f32cdbc28a11c89ff7a7d7cc90c6053b12fbd21dffba950e82d2673798031a3423ffcaccde1279c28d6ecd72b1511618ea7f97735554000000001bc4e038b49ca5f39dbcf9452817801ed266c38c6ce8424d8fbf0052000d8fb347ce41ba7c1abd5d8b0555f7d3a6b86e045838f6e50820bacc6f87abe93d590	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
1632	7a17a36109ade863e28497b4273e7cb8.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2472	davtnifaysmkfcxr.exe
2596	wtoigaytnl.exe
2596	wtoigaytnl.exe
2596	wtoigaytnl.exe
2596	wtoigaytnl.exe
2596	wtoigaytnl.exe
2596	wtoigaytnl.exe
2596	wtoigaytnl.exe
1712	i_wtoigaytnl.exe
1712	i_wtoigaytnl.exe
1712	i_wtoigaytnl.exe
1712	i_wtoigaytnl.exe
1712	i_wtoigaytnl.exe
1712	i_wtoigaytnl.exe
1712	i_wtoigaytnl.exe
1060	aysnkfcxrp.exe
1060	aysnkfcxrp.exe
1060	aysnkfcxrp.exe
1060	aysnkfcxrp.exe
1060	aysnkfcxrp.exe
1060	aysnkfcxrp.exe
1060	aysnkfcxrp.exe
312	i_aysnkfcxrp.exe
312	i_aysnkfcxrp.exe
312	i_aysnkfcxrp.exe
312	i_aysnkfcxrp.exe
312	i_aysnkfcxrp.exe
312	i_aysnkfcxrp.exe
312	i_aysnkfcxrp.exe
2188	tnhfaxsmkf.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	i_wtoigaytnl.exe
Token: SeDebugPrivilege	312	i_aysnkfcxrp.exe
Token: SeDebugPrivilege	436	i_tnhfaxsmkf.exe
Token: SeDebugPrivilege	2804	i_ecwuojgbzt.exe
Token: SeDebugPrivilege	2284	i_vtoigaysnl.exe
Token: SeDebugPrivilege	608	i_geywqljdbv.exe
Token: SeDebugPrivilege	2040	i_lgdywqkida.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2828	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2828	iexplore.exe
2828	iexplore.exe
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2472	1632	7a17a36109ade863e28497b4273e7cb8.exe	29
PID 1632 wrote to memory of 2472	1632	7a17a36109ade863e28497b4273e7cb8.exe	29
PID 1632 wrote to memory of 2472	1632	7a17a36109ade863e28497b4273e7cb8.exe	29
PID 1632 wrote to memory of 2472	1632	7a17a36109ade863e28497b4273e7cb8.exe	29
PID 1632 wrote to memory of 2828	1632	7a17a36109ade863e28497b4273e7cb8.exe	28
PID 1632 wrote to memory of 2828	1632	7a17a36109ade863e28497b4273e7cb8.exe	28
PID 1632 wrote to memory of 2828	1632	7a17a36109ade863e28497b4273e7cb8.exe	28
PID 1632 wrote to memory of 2828	1632	7a17a36109ade863e28497b4273e7cb8.exe	28
PID 2828 wrote to memory of 2552	2828	iexplore.exe	31
PID 2828 wrote to memory of 2552	2828	iexplore.exe	31
PID 2828 wrote to memory of 2552	2828	iexplore.exe	31
PID 2828 wrote to memory of 2552	2828	iexplore.exe	31
PID 2472 wrote to memory of 2900	2472	davtnifaysmkfcxr.exe	33
PID 2472 wrote to memory of 2900	2472	davtnifaysmkfcxr.exe	33
PID 2472 wrote to memory of 2900	2472	davtnifaysmkfcxr.exe	33
PID 2472 wrote to memory of 2900	2472	davtnifaysmkfcxr.exe	33
PID 2596 wrote to memory of 2392	2596	wtoigaytnl.exe	35
PID 2596 wrote to memory of 2392	2596	wtoigaytnl.exe	35
PID 2596 wrote to memory of 2392	2596	wtoigaytnl.exe	35
PID 2596 wrote to memory of 2392	2596	wtoigaytnl.exe	35
PID 2472 wrote to memory of 1396	2472	davtnifaysmkfcxr.exe	39
PID 2472 wrote to memory of 1396	2472	davtnifaysmkfcxr.exe	39
PID 2472 wrote to memory of 1396	2472	davtnifaysmkfcxr.exe	39
PID 2472 wrote to memory of 1396	2472	davtnifaysmkfcxr.exe	39
PID 2472 wrote to memory of 1740	2472	davtnifaysmkfcxr.exe	41
PID 2472 wrote to memory of 1740	2472	davtnifaysmkfcxr.exe	41
PID 2472 wrote to memory of 1740	2472	davtnifaysmkfcxr.exe	41
PID 2472 wrote to memory of 1740	2472	davtnifaysmkfcxr.exe	41
PID 1060 wrote to memory of 556	1060	aysnkfcxrp.exe	43
PID 1060 wrote to memory of 556	1060	aysnkfcxrp.exe	43
PID 1060 wrote to memory of 556	1060	aysnkfcxrp.exe	43
PID 1060 wrote to memory of 556	1060	aysnkfcxrp.exe	43
PID 2472 wrote to memory of 2856	2472	davtnifaysmkfcxr.exe	46
PID 2472 wrote to memory of 2856	2472	davtnifaysmkfcxr.exe	46
PID 2472 wrote to memory of 2856	2472	davtnifaysmkfcxr.exe	46
PID 2472 wrote to memory of 2856	2472	davtnifaysmkfcxr.exe	46
PID 2472 wrote to memory of 2100	2472	davtnifaysmkfcxr.exe	48
PID 2472 wrote to memory of 2100	2472	davtnifaysmkfcxr.exe	48
PID 2472 wrote to memory of 2100	2472	davtnifaysmkfcxr.exe	48
PID 2472 wrote to memory of 2100	2472	davtnifaysmkfcxr.exe	48
PID 2188 wrote to memory of 1408	2188	tnhfaxsmkf.exe	50
PID 2188 wrote to memory of 1408	2188	tnhfaxsmkf.exe	50
PID 2188 wrote to memory of 1408	2188	tnhfaxsmkf.exe	50
PID 2188 wrote to memory of 1408	2188	tnhfaxsmkf.exe	50
PID 2472 wrote to memory of 384	2472	davtnifaysmkfcxr.exe	53
PID 2472 wrote to memory of 384	2472	davtnifaysmkfcxr.exe	53
PID 2472 wrote to memory of 384	2472	davtnifaysmkfcxr.exe	53
PID 2472 wrote to memory of 384	2472	davtnifaysmkfcxr.exe	53
PID 2472 wrote to memory of 1944	2472	davtnifaysmkfcxr.exe	55
PID 2472 wrote to memory of 1944	2472	davtnifaysmkfcxr.exe	55
PID 2472 wrote to memory of 1944	2472	davtnifaysmkfcxr.exe	55
PID 2472 wrote to memory of 1944	2472	davtnifaysmkfcxr.exe	55
PID 1664 wrote to memory of 1812	1664	ecwuojgbzt.exe	57
PID 1664 wrote to memory of 1812	1664	ecwuojgbzt.exe	57
PID 1664 wrote to memory of 1812	1664	ecwuojgbzt.exe	57
PID 1664 wrote to memory of 1812	1664	ecwuojgbzt.exe	57
PID 2472 wrote to memory of 2672	2472	davtnifaysmkfcxr.exe	60
PID 2472 wrote to memory of 2672	2472	davtnifaysmkfcxr.exe	60
PID 2472 wrote to memory of 2672	2472	davtnifaysmkfcxr.exe	60
PID 2472 wrote to memory of 2672	2472	davtnifaysmkfcxr.exe	60
PID 2472 wrote to memory of 2180	2472	davtnifaysmkfcxr.exe	62
PID 2472 wrote to memory of 2180	2472	davtnifaysmkfcxr.exe	62
PID 2472 wrote to memory of 2180	2472	davtnifaysmkfcxr.exe	62
PID 2472 wrote to memory of 2180	2472	davtnifaysmkfcxr.exe	62

C:\Users\Admin\AppData\Local\Temp\7a17a36109ade863e28497b4273e7cb8.exe
"C:\Users\Admin\AppData\Local\Temp\7a17a36109ade863e28497b4273e7cb8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2552
- C:\Temp\davtnifaysmkfcxr.exe
  C:\Temp\davtnifaysmkfcxr.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wtoigaytnl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2900
  - - C:\Temp\wtoigaytnl.exe
      C:\Temp\wtoigaytnl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2392
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:520
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wtoigaytnl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1396
  - - C:\Temp\i_wtoigaytnl.exe
      C:\Temp\i_wtoigaytnl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\aysnkfcxrp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1740
  - - C:\Temp\aysnkfcxrp.exe
      C:\Temp\aysnkfcxrp.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:556
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1472
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_aysnkfcxrp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2856
  - - C:\Temp\i_aysnkfcxrp.exe
      C:\Temp\i_aysnkfcxrp.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:312
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnhfaxsmkf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2100
  - - C:\Temp\tnhfaxsmkf.exe
      C:\Temp\tnhfaxsmkf.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1408
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:832
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnhfaxsmkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:384
  - - C:\Temp\i_tnhfaxsmkf.exe
      C:\Temp\i_tnhfaxsmkf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:436
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecwuojgbzt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1944
  - - C:\Temp\ecwuojgbzt.exe
      C:\Temp\ecwuojgbzt.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1812
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1080
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecwuojgbzt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2672
  - - C:\Temp\i_ecwuojgbzt.exe
      C:\Temp\i_ecwuojgbzt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtoigaysnl.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2180
  - - C:\Temp\vtoigaysnl.exe
      C:\Temp\vtoigaysnl.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2880
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2300
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1884
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtoigaysnl.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2348
  - - C:\Temp\i_vtoigaysnl.exe
      C:\Temp\i_vtoigaysnl.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywqljdbv.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:612
  - - C:\Temp\geywqljdbv.exe
      C:\Temp\geywqljdbv.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1516
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:268
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1280
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywqljdbv.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2860
  - - C:\Temp\i_geywqljdbv.exe
      C:\Temp\i_geywqljdbv.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:608
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\lgdywqkida.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1364
  - - C:\Temp\lgdywqkida.exe
      C:\Temp\lgdywqkida.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2612
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1368
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1188
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_lgdywqkida.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1052
  - - C:\Temp\i_lgdywqkida.exe
      C:\Temp\i_lgdywqkida.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\aysnkfcxrp.exe

Filesize
361KB

MD5
310e0426a096924e42615442807a5f4b

SHA1
850cf75b6608f674ccf8c25d507a58cfdce47188

SHA256
43740fffb4e42dd6159277c26937d09b0330346836ba3e619786f594c896d8ea

SHA512
0f710806f3f47bd6772607b1e1a132e2e6cdfbf73357a78d54bd71407d7e9f53e177ee723356e75f2cb4c8c533ddaadf69948445223240a658ec4116e4d16166

Download Submit
C:\Temp\davtnifaysmkfcxr.exe

Filesize
361KB

MD5
dbfd64af3f997748ff63019043caac1a

SHA1
1e30343dcf4470251b037a10ea8879c18fd7536b

SHA256
19cce7f8808ab8580bc2e4785b571302b776b5c739c1509948e83a2a3b9b127c

SHA512
d9ae1d4a5e55d8060774ce5d2908f1e5c0c5957fb4b15f0dd6880fede1a89b68c30be2999029f6a14e62b157c1046e683b5b0b8777460481f8a0548a38bd069f

Download Submit
C:\Temp\ecwuojgbzt.exe

Filesize
361KB

MD5
9e3d8b50420b0a0ce75a6c8ce6a90db7

SHA1
36b8af5a4e87086237e477edd31549712c261810

SHA256
13618f3dd5c218f358ae1b3615574a8b98fa6186f1a0c175831fbf9bb1b99592

SHA512
a1f9f27f8d0b35cc5d24df652161a8ac361bfc680de9043fa0647bed99730372ec6d815489341a3213752efaf7d9916f9264b0dc12dc10c70883f4b95dc7c5a5

Download Submit
C:\Temp\geywqljdbv.exe

Filesize
361KB

MD5
d29455a0cf1026f7c5f484d6b945a4fa

SHA1
68498f49a0dddf01d33b72fbdf3663fbcf3d81d2

SHA256
10b3cbadf02069a48a8746c6c1679f1140b37d6aa8cf6126e91fdd70fc4ebb02

SHA512
29992389ba68de8f38a1a607eb480c401d0e2806310aa90382e6cce0d567f8ee870c32896468aa64db00a5b5337a2a4f5ca91d2d0e873a0657000b6061383794

Download Submit
C:\Temp\i_aysnkfcxrp.exe

Filesize
361KB

MD5
2aeb210244568052f4b21f139e7643c4

SHA1
91ff574295309bc9d69a5e6eb02217a4df2c2f5b

SHA256
85ed3ccc1f9334f22724bc911ed1a52ccd5d65aeb6dc4ede32bf3ac5f33d0697

SHA512
30f58feeb21a7f78f290939a7b8af58033f3be1c3c19b52ef20b27719f65883d6762bd5ee6034b2486162770420ba6c55757f065b8030480b9cf02e6ddb79345

Download Submit
C:\Temp\i_ecwuojgbzt.exe

Filesize
361KB

MD5
4d9fb444846a03478e63e0443de3ec89

SHA1
b31c021cd3b669bbd55dcf84a1005f4240d43178

SHA256
cb00c73bb694d480099a8e2be9cac7cb2c654b50ee05de21403bcfb987c6d024

SHA512
4deb0bab08d6062022430966756d8b9a72726ea52dc2bbbec4f6a3646dbe51559d663ab5127544ef29c4b1bcc6c36c77895453ad587b29462bb12639b04b652f

Download Submit
C:\Temp\i_geywqljdbv.exe

Filesize
361KB

MD5
2650b06b1ebc6ecac8833ee79aa17a21

SHA1
13482b5ba0a69119ebe79a0158e873657b4af5a2

SHA256
e7911c4ba444c05c068fe4cfa2f6599887a968206812917a877b58c52c729f72

SHA512
ad489115310eaa588974be64aafe01f4f756b328bc65b1c19ae5db2135e565d23f14ba5494286bffaea0ac9620728f254b30a8e93945c12880b675f4fda5cd9f

Download Submit
C:\Temp\i_lgdywqkida.exe

Filesize
361KB

MD5
930946a5bea9d6496d9ccf4b91dfb3b9

SHA1
b27bea14cdf4180880606afdf2f58b5ed6be309a

SHA256
b8c6a787808b8dec7a47383e2f41df6a840127ef7f30b7e97f2b72ab860483b0

SHA512
1fd4f3e91bd563c2646183a3ee5f8667095b764aa5c61029b348e588a4e77321c98bc085ea306a3578681f0e1fb2850d66c79b8f72b7e5f99033ba096e05f6cb

Download Submit
C:\Temp\i_tnhfaxsmkf.exe

Filesize
361KB

MD5
32e0d0f1eae628b5d063a7866ce4e228

SHA1
c115a2be8b848dd7aa0744d8c2d9c434ef47ef26

SHA256
c990df4bbbdddc2b26205054b2fe0c5e948e404509f27d0c9c279bcec546b4e5

SHA512
09d04a1655f4bb28da2f978c6d356b74aec2ec7c509321a666fb8755f1eb0ec26b031caac5a0f5c375ce5d0fa3b9420a3219e981e7d8ce556acfaa64179b6d82

Download Submit
C:\Temp\i_vtoigaysnl.exe

Filesize
361KB

MD5
31147acb1a298677fa3a0a993c775b62

SHA1
f1250ff29cf097c448648f2f5a44f921f7a2d1a3

SHA256
f146d8b9e181b9e4ef74a176b9b0357cf5109470049e4556bd60893431dd4751

SHA512
44a3bd98205587dac458f155452e7141a9a4041542616dd5b6b145c07ce0064ee22a384f47c10c53f231069c93237be0d090b1df1c4e928641b7aa5a3d4e88d1

Download Submit
C:\Temp\i_wtoigaytnl.exe

Filesize
361KB

MD5
4dd4c925c65545195f07d94a48c5ffa7

SHA1
5b54c5096bcb1490bf711d060273ba2a0747d847

SHA256
e63ffd2382d7ec9e2e9ada3990781acb05cc35e11d1b3d1687639b19ca94af2e

SHA512
b4b39ae1d6d584eb038bc4bd926088b3da7dc7a9ac5d4de21a68512ffbf805d1dcbb26e8a5c96158a26956c90befb4469440f2b88c7fb9b37d742a4a0d87a559

Download Submit
C:\Temp\lgdywqkida.exe

Filesize
361KB

MD5
b1eab05cb3d8c3fa3e956012b7d7b977

SHA1
90a065f30a7dc625f4d8b6aa8816783b533504e7

SHA256
581b2dd0c3ce57e620d74d288b55a413236d691e9929520a38c8913056c8f3ff

SHA512
e270dd0374d868e9f5efbe44502fe3aafcbea574fde20b127646a481f24e0fe28abb84ce92b620d90050d4ea1a720cdca97461e5d7d014c263d5a557b9ad6a34

Download Submit
C:\Temp\tnhfaxsmkf.exe

Filesize
361KB

MD5
de41e4e900e98b207040b196108c3038

SHA1
4184f1050de9c8738caac9f91fd8b79a6615195b

SHA256
1798fd67b9d912fb554f5693369faaa253d9ddb0ca556a11e64321bd89620b70

SHA512
652bbf2412fbeb76e914b7325ee68ff7929a3fecf8fe1455e9b06d18a82b5d9de196589948a4aea9460becd16d9da1b9202a725b507c3a1c947bd6ed6b3d0e97

Download Submit
C:\Temp\vtoigaysnl.exe

Filesize
361KB

MD5
daab80da944dd6a135dfe87a11d20421

SHA1
fbfbd10cc0294f5a530f32ca33a746d8bcfce9d6

SHA256
57c1d1cd47b4d4c17f7cdb6b8b15fbd6594e4f1d2ed5fbe2b8966a5028962743

SHA512
1ddc93647895c0840f2d5c47cf69c315baa058e7c93d15852f57f7b69895b50f030aca4d8cae57cbdafcc21c18aa6e0902c3e1a1052f62f2a879f969856fcfa3

Download Submit
C:\Temp\wtoigaytnl.exe

Filesize
361KB

MD5
b62502bfc14e9f0b3836da27e5387a81

SHA1
af7424bb39ae0ab96cedb0666512b4ff19bb98cd

SHA256
5ddd7058076fe52c7b389cfe60e87d531ebe37c7bd069c6651ec609399345952

SHA512
bbdad03e079bf26ae951643b2124c2b6ec41fc7218c651e5576880e0356eae0b12b7e07ba8674e4cc11c9f0ad53711b00a97eb1092feac9cefba09f83aa8a7b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10715f5a692f25e9620780b4feb3a97b

SHA1
f53c05ae79c4744b5ba661743ac6214878a32d6f

SHA256
c4c18260c8f1bfee6f691decea426e27074c3082c9c23c5e3315fd213434c501

SHA512
be125380f27c97aebb139b60943a923086d37c5d6b0293ea1976ce98a7dc1caa051a75f73b43ac6d3280dd30cbedb954eb90c9a3457d356ebacd5ebe3499c100

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d1b375deb5e621dd36836edec40d585

SHA1
9c7efe408f46992823b1861d26bd7dd4af1546e3

SHA256
63d68122aad6efec3e95efcc724119d95b3424bcecfcea8a451b9692a33d14e4

SHA512
169f9c315406b52a27b046a6a1a273b9d2ad7cef5838865ec9cd8b4521c981e4da5ab7335c9a8689149dde915ccfb7fe99642ca43ea73f391f6485966a2ee18a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1b4cc59c3cec881ece01ff516782e33

SHA1
37ba877d75975f64810dc51fc55d8fdedeef6bca

SHA256
fad043de812fd687d4484a343ab613ceaad6e611081fdc059f1cd0b03b293c08

SHA512
20a5d37d028384eeb24dc82700ff355dadcb9dafab888165bb647da5ee6bda43b91044cf9096fc4c86abf8124b58011204daa34ebdb0c6a2ecaaac8c1c4d1a11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f553e0865796ec5f82da1a4f38ba6ccb

SHA1
62bbc1bb88c4bb1d5f574db574145d4dfe8997d4

SHA256
1416c6ca22490e33df2f7463a809a4b247a36b882fa308e214bcf9c5172a6aab

SHA512
cb8d61e166875685a40d2cb8e2993dc6ac3ccf627d5309ba79ff4546197d93ca7afc108461c9178fc5d5af030bddf43903a1c60291afd892d6036aa6e1462866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cad1254754cb7da0a8d4a24b0ca2f5f

SHA1
6c066af10105a32f79f2abd895defd1a3a7837ae

SHA256
6c39812ce1bb1e10b1dac71e821edc3c3c0604a9d3d1f892688918b7186e5d63

SHA512
b431f1ab5ee5c679ae64d3647d892e995c659e9a619a1a7ac4180b7e71115addd08062b3ea902e69c49d494c84a508929d1b52e136ed548b133764dfdd3e270b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE775.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE824.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\temp\CreateProcess.exe

Filesize
3KB

MD5
1d8330b7f2c3661f22b1a6f1a8cde24f

SHA1
6bc02ccabf45bc330dcd830a98f9971a7e2d20ea

SHA256
1c713bf60e299bb2999991d5b06501941526d1ab7da97c776192bca89de271a5

SHA512
42829c074b19c89615eadee10980734e445f055f0b3714a49df000217e03d7600e3e0ae10c10b60463d6bc6bb3903038e0f006ad4a1ae1e342d125b67a09f8b4

Download Submit