e46e71e8c6cda6f143dfcc6a319badd0add38b3e25a4d6fddae59b17bd512ee4

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d6258aff21a972ac848fcbc0da64cf3.exe
Size

96KB
MD5

3d6258aff21a972ac848fcbc0da64cf3
SHA1

10071a7805bbef129c549201a75cb812263536a6
SHA256

e46e71e8c6cda6f143dfcc6a319badd0add38b3e25a4d6fddae59b17bd512ee4
SHA512

71be70c461d02cd4b171b7f0c25220fe8f1eed3af27e9e0b14703ad158bf9771769639d1296c3ba2e472bc402373a05a11e6a37ebdca6e067cdcccaf6bd730ca
SSDEEP

1536:BVsieIi8aA0a2uIU+OBTiaTJn8etNNOhj/85Wa1sqARs9LJK0R+:BRez8JPIU5Tlnrtv47qMoo0R+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2892	26EDC.exe
2660	26EDC.exe
1656	D494F.exe

Loads dropped DLL 8 IoCs

pid	Process
1476	3d6258aff21a972ac848fcbc0da64cf3.exe
1476	3d6258aff21a972ac848fcbc0da64cf3.exe
2660	26EDC.exe
2660	26EDC.exe
1656	D494F.exe
1656	D494F.exe
1656	D494F.exe
1656	D494F.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	26EDC.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\XTCR55WI.txt	D494F.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\NDTHVSCE.txt	D494F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\V0V2961N.txt	D494F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8NBOBDX.htm	D494F.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\V0V2961N.txt	D494F.exe
File opened for modification	C:\Windows\SysWOW64\26EDC.exe	3d6258aff21a972ac848fcbc0da64cf3.exe
File opened for modification	C:\Windows\SysWOW64\D494F.exe	26EDC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	D494F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\VM8H8L8O.txt	D494F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\NDTHVSCE.txt	D494F.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\VM8H8L8O.txt	D494F.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\XTCR55WI.txt	D494F.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ae-1f-63-e5-99\WpadDecisionReason = "1"	D494F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ae-1f-63-e5-99\WpadDecisionTime = 604514a0d33cda01	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	D494F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	D494F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF7E24-F595-48BF-A1F8-E137B02D4FF8}\a6-ae-1f-63-e5-99	D494F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	D494F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF7E24-F595-48BF-A1F8-E137B02D4FF8}	D494F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF7E24-F595-48BF-A1F8-E137B02D4FF8}\WpadDecisionTime = 604514a0d33cda01	D494F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0046000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	D494F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF7E24-F595-48BF-A1F8-E137B02D4FF8}\WpadDecisionReason = "1"	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ae-1f-63-e5-99	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	D494F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	D494F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	D494F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF7E24-F595-48BF-A1F8-E137B02D4FF8}\WpadNetworkName = "Network 3"	D494F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ae-1f-63-e5-99\WpadDecision = "0"	D494F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	D494F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	D494F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	D494F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF7E24-F595-48BF-A1F8-E137B02D4FF8}\WpadDecision = "0"	D494F.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	D494F.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	D494F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	D494F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	D494F.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1476	3d6258aff21a972ac848fcbc0da64cf3.exe
2892	26EDC.exe
2660	26EDC.exe
1656	D494F.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2892	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	27
PID 1476 wrote to memory of 2892	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	27
PID 1476 wrote to memory of 2892	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	27
PID 1476 wrote to memory of 2892	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	27
PID 2892 wrote to memory of 2740	2892	26EDC.exe	26
PID 2892 wrote to memory of 2740	2892	26EDC.exe	26
PID 2892 wrote to memory of 2740	2892	26EDC.exe	26
PID 2892 wrote to memory of 2740	2892	26EDC.exe	26
PID 1476 wrote to memory of 2068	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	24
PID 1476 wrote to memory of 2068	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	24
PID 1476 wrote to memory of 2068	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	24
PID 1476 wrote to memory of 2068	1476	3d6258aff21a972ac848fcbc0da64cf3.exe	24
PID 2740 wrote to memory of 2820	2740	cmd.exe	23
PID 2740 wrote to memory of 2820	2740	cmd.exe	23
PID 2740 wrote to memory of 2820	2740	cmd.exe	23
PID 2740 wrote to memory of 2820	2740	cmd.exe	23
PID 2068 wrote to memory of 2604	2068	cmd.exe	21
PID 2068 wrote to memory of 2604	2068	cmd.exe	21
PID 2068 wrote to memory of 2604	2068	cmd.exe	21
PID 2068 wrote to memory of 2604	2068	cmd.exe	21
PID 2820 wrote to memory of 2612	2820	net.exe	20
PID 2820 wrote to memory of 2612	2820	net.exe	20
PID 2820 wrote to memory of 2612	2820	net.exe	20
PID 2820 wrote to memory of 2612	2820	net.exe	20
PID 2604 wrote to memory of 2656	2604	net.exe	19
PID 2604 wrote to memory of 2656	2604	net.exe	19
PID 2604 wrote to memory of 2656	2604	net.exe	19
PID 2604 wrote to memory of 2656	2604	net.exe	19
PID 2660 wrote to memory of 2680	2660	26EDC.exe	17
PID 2660 wrote to memory of 2680	2660	26EDC.exe	17
PID 2660 wrote to memory of 2680	2660	26EDC.exe	17
PID 2660 wrote to memory of 2680	2660	26EDC.exe	17
PID 2680 wrote to memory of 1732	2680	cmd.exe	15
PID 2680 wrote to memory of 1732	2680	cmd.exe	15
PID 2680 wrote to memory of 1732	2680	cmd.exe	15
PID 2680 wrote to memory of 1732	2680	cmd.exe	15
PID 1732 wrote to memory of 3040	1732	net.exe	14
PID 1732 wrote to memory of 3040	1732	net.exe	14
PID 1732 wrote to memory of 3040	1732	net.exe	14
PID 1732 wrote to memory of 3040	1732	net.exe	14
PID 2660 wrote to memory of 1656	2660	26EDC.exe	42
PID 2660 wrote to memory of 1656	2660	26EDC.exe	42
PID 2660 wrote to memory of 1656	2660	26EDC.exe	42
PID 2660 wrote to memory of 1656	2660	26EDC.exe	42

C:\Users\Admin\AppData\Local\Temp\3d6258aff21a972ac848fcbc0da64cf3.exe
"C:\Users\Admin\AppData\Local\Temp\3d6258aff21a972ac848fcbc0da64cf3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start 26EDC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- C:\Windows\SysWOW64\26EDC.exe
  C:\Windows\system32\26EDC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start 26EDC
1⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net start 26EDC
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c "net start 26EDC"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\26EDC.exe
C:\Windows\SysWOW64\26EDC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\D494F.exe
  C:\Windows\system32\D494F.exe eee
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start 26EDC
1⤵
PID:2656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start 26EDC
1⤵
PID:2612

C:\Windows\SysWOW64\net.exe
net start 26EDC
1⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\net.exe
net start 26EDC
1⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c "net start 26EDC"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\26EDC.exe

Filesize
96KB

MD5
3d6258aff21a972ac848fcbc0da64cf3

SHA1
10071a7805bbef129c549201a75cb812263536a6

SHA256
e46e71e8c6cda6f143dfcc6a319badd0add38b3e25a4d6fddae59b17bd512ee4

SHA512
71be70c461d02cd4b171b7f0c25220fe8f1eed3af27e9e0b14703ad158bf9771769639d1296c3ba2e472bc402373a05a11e6a37ebdca6e067cdcccaf6bd730ca

Download Submit
C:\Windows\SysWOW64\D494F.exe

Filesize
92KB

MD5
a25d6bcc5e83d8668bb465af4e465c5e

SHA1
93ff26261aff15c3263df4c0246852e838c54a8c

SHA256
b759bb2fd3751186cc6c2988faa23f9f27b66f56dc008a6d45e3239a266bd4e6

SHA512
3f998eee5205df3166b1d2538a3095a40704ed00b06b4195c6ee7ea696dcc2a2833a7493e61ad729856aa524e7bb2a1fa976b99f46dde93ef428b17282a3dd95

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
92KB

MD5
c375a79c5b71d9ea66c0f7d307062d50

SHA1
989ba225501aab3402b7883edeb7927c32e281f8

SHA256
55dee621e9890672484946fd3a3097c4cf0d303a6d50fa598baac2c5a4352de4

SHA512
99e48fa3ba99775213a8d5d5f35104b7d4a055483b78a520b0d3af887d84182c2608022875fb82cadadd06be0f0409a8866aaf6dfaaf8b32524095aaa8c41d85

Download Submit
\Windows\SysWOW64\D494F.exe

Filesize
98KB

MD5
ff0bfbcd96ed5890ea32d9fd1ed5ebc2

SHA1
3a2f5814bf3b8fdfa3a7dd34291e4800dd0f46bc

SHA256
9c9f5a1cce939c29170b2056b084503b16e8fb30dabd59db757e6bf23358dbea

SHA512
6fcbbf77c0017879b50d34400dbb65bb79ca8aabec9f2c66c78199baf82616728d8df91e8d98f6505c10ad720d792523e23d9fc6f38f8ed4a4e9ce0981e8766a

Download Submit
memory/1476-18-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1476-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1476-12-0x0000000000240000-0x0000000000288000-memory.dmp

Filesize
288KB

Download
memory/1476-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2660-22-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2660-23-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2660-41-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2892-17-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2892-15-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2892-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download