3d5f832d20a62ba11f9c5cad7202bdd16e711f13ddb95f37654bf0eb01c300b6

Analysis

max time kernel
162s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12ce865f30cf09fb1695d51e65f4a3b4.exe
Size

460KB
MD5

12ce865f30cf09fb1695d51e65f4a3b4
SHA1

582b66806b08e0b02bf4fc4dd4dfdca200c7cc20
SHA256

3d5f832d20a62ba11f9c5cad7202bdd16e711f13ddb95f37654bf0eb01c300b6
SHA512

5d7a64cb3a0f6cec3603f84d9ce645a3de9eb80bc4de2a8974fcabc8593ba03fa370fd47f15af097e35061eb33ee214b10ca3fa69412080f71392066983a32ca
SSDEEP

12288:WlSt6oIHNOhU5O5TYo4XqTig5GSR9CClDDL:WlSt69HNx6T/5xT

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	iBdqphzke5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fueyiof.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	iBdqphzke5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	12ce865f30cf09fb1695d51e65f4a3b4.exe

Executes dropped EXE 6 IoCs

pid	Process
4652	iBdqphzke5.exe
4028	astat.exe
3316	astat.exe
456	dstat.exe
388	fueyiof.exe
4088	fstat.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3316-17-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3316-20-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3316-22-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3316-23-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /m"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /i"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /A"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /D"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /X"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /U"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /R"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /d"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /a"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /p"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /B"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /V"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /Q"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /q"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /h"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /L"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /n"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /E"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /T"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /H"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /o"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /x"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /N"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /I"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /M"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /r"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /C"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /Y"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /K"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /F"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /e"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /w"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /g"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /f"	iBdqphzke5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /b"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /J"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /G"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /j"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /O"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /c"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /Z"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /u"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /k"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /t"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /v"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /z"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /y"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /W"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /f"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /l"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /s"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /P"	fueyiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fueyiof = "C:\\Users\\Admin\\fueyiof.exe /S"	fueyiof.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 3316	4028	astat.exe	95
PID 4088 set thread context of 4860	4088	fstat.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4768	tasklist.exe
4148	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	iBdqphzke5.exe
4652	iBdqphzke5.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
4652	iBdqphzke5.exe
4652	iBdqphzke5.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
388	fueyiof.exe
388	fueyiof.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
388	fueyiof.exe
388	fueyiof.exe
388	fueyiof.exe
388	fueyiof.exe
388	fueyiof.exe
388	fueyiof.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe
3316	astat.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	tasklist.exe
Token: SeDebugPrivilege	4088	fstat.exe
Token: SeDebugPrivilege	4148	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5020	12ce865f30cf09fb1695d51e65f4a3b4.exe
4652	iBdqphzke5.exe
4028	astat.exe
456	dstat.exe
388	fueyiof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4652	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	91
PID 5020 wrote to memory of 4652	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	91
PID 5020 wrote to memory of 4652	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	91
PID 5020 wrote to memory of 4028	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	94
PID 5020 wrote to memory of 4028	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	94
PID 5020 wrote to memory of 4028	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	94
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 4028 wrote to memory of 3316	4028	astat.exe	95
PID 5020 wrote to memory of 456	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	96
PID 5020 wrote to memory of 456	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	96
PID 5020 wrote to memory of 456	5020	12ce865f30cf09fb1695d51e65f4a3b4.exe	96
PID 4652 wrote to memory of 388	4652	iBdqphzke5.exe	99
PID 4652 wrote to memory of 388	4652	iBdqphzke5.exe	99
PID 4652 wrote to memory of 388	4652	iBdqphzke5.exe	99
PID 4652 wrote to memory of 3512	4652	iBdqphzke5.exe	100
PID 4652 wrote to memory of 3512	4652	iBdqphzke5.exe	100
PID 4652 wrote to memory of 3512	4652	iBdqphzke5.exe	100
PID 3512 wrote to memory of 4768	3512	cmd.exe	102
PID 3512 wrote to memory of 4768	3512	cmd.exe	102
PID 3512 wrote to memory of 4768	3512	cmd.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102
PID 388 wrote to memory of 4768	388	fueyiof.exe	102

C:\Users\Admin\AppData\Local\Temp\12ce865f30cf09fb1695d51e65f4a3b4.exe
"C:\Users\Admin\AppData\Local\Temp\12ce865f30cf09fb1695d51e65f4a3b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\iBdqphzke5.exe
  C:\Users\Admin\iBdqphzke5.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\fueyiof.exe
    "C:\Users\Admin\fueyiof.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del iBdqphzke5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4768
- C:\Users\Admin\astat.exe
  C:\Users\Admin\astat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\astat.exe
    "C:\Users\Admin\astat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3316
- C:\Users\Admin\dstat.exe
  C:\Users\Admin\dstat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:456
- C:\Users\Admin\fstat.exe
  C:\Users\Admin\fstat.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 12ce865f30cf09fb1695d51e65f4a3b4.exe
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\astat.exe

Filesize
60KB

MD5
87c6498966e3f85fac743c89050aa312

SHA1
05c165c34cbfa14e4925c33ace81992b0f50a2b5

SHA256
30c8328585e41968aff773da16cedbe590dcefd293c7fa74a69c557ecbf2c3c5

SHA512
740f7159ee78f73e57c92e583b8c4f97c5dd49b68b9c321da976d7e318819daa28e8dfc76e95e1e3ccee643dc464324c40b481d1849863e287d826adb577b420

Download Submit
C:\Users\Admin\dstat.exe

Filesize
36KB

MD5
b6da847084e39e0cecf175c32c91b4bb

SHA1
fbfd9494fabed5220cdf01866ff088fe7adc535b

SHA256
065781e8a55cf59cb926d5950e0039e19b50b1e081023404fbff4d7a32fc9cbe

SHA512
59d372ea36904cd48c99f2f34740c22004b35c5e5dada2417813b0463292af19e4aa5ba4552cc443da373e40ba03a1f7906019a567806806f5972c202a31d9d2

Download Submit
C:\Users\Admin\fstat.exe

Filesize
271KB

MD5
34353cf7e1d1b10bcbbcae0745110535

SHA1
2fb471681daac6f6d66477b7772025da4f58c508

SHA256
b2d7a66e2d10d8943e48d6f3ad75237ff379e82ab0101a620406c4569be1d959

SHA512
7404f82abfabd21d6f2a88b55f6f0ff886bb0a1f16a9d45c6883d74daa26451f862a10a78646c549c3a3264ba4bd9fb44949d470493af895973dd05a0ec311e6

Download Submit
C:\Users\Admin\fueyiof.exe

Filesize
244KB

MD5
38591f5f765a32da10bb2c668c54e12f

SHA1
8107784738edf84876740d0183672148ee92314b

SHA256
dff68c10b5ca998305236972817ea22847f13611370d0d8508d0f7207bffddfe

SHA512
08601affc0a397589e3b2c24249bd83ae2e96b87e8387b63517b0fe885ee49c3ec463337304e30ce4bb4d29aa4c6d8c25092dd538d9c05ff737a201a2ebb7506

Download Submit
C:\Users\Admin\iBdqphzke5.exe

Filesize
244KB

MD5
a4cdb62cf4866a17e742e7e9cc73d237

SHA1
30d94f8e872455ac569949ac4c768d0a0cdfbba7

SHA256
c741d649bf5b72fbe97470820ce994ce29b153baae14af10c3a2a9adc3098b32

SHA512
c4447f95565d3e5dc0ef7712382325280bedf127ac682f85f4043b586afb4188633f2c73277595eb31fe45d992107492f42c82a71f448286a9cb8fac4bfb3671

Download Submit
memory/3316-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3316-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3316-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3316-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4088-76-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4088-77-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4088-78-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4088-79-0x0000000002840000-0x0000000002886000-memory.dmp

Filesize
280KB

Download
memory/4088-80-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/4088-82-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4088-84-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4088-85-0x0000000002840000-0x0000000002886000-memory.dmp

Filesize
280KB

Download