6b7b2c2f406c7366a787f06e8af1dcd7fab51658673ea2b5a9934a34478762a8

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
Size

412KB
MD5

3fc6ba07521ce14e69f2fc2fb4f69d6b
SHA1

865045b3bd8b49e675aff460c993fc79af1b94a7
SHA256

6b7b2c2f406c7366a787f06e8af1dcd7fab51658673ea2b5a9934a34478762a8
SHA512

f9ce1b7bbe581a066bf8b1098729f98049cfc223fdeb68dfec2083b5b21bb2537628b88321cf40089361fa68d4636b713c5c652f862a4e5bbdf60ea7c019c533
SSDEEP

12288:LEv1PnyMvotKR3yDoPMVGHTsqItqaXljnnIbnI6stkArNEXS2cNgbusSMU:LEhI62NWXncNgbusSMU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	drmam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	HQqGkIT8.exe

Deletes itself 1 IoCs

pid	Process
1540	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
2672	HQqGkIT8.exe
2140	drmam.exe
2632	2tej.exe
2544	2tej.exe
1688	3tej.exe
1632	4tej.exe
336	csrss.exe

Loads dropped DLL 17 IoCs

pid	Process
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
2672	HQqGkIT8.exe
2672	HQqGkIT8.exe
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-40-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2544-42-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2544-46-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2544-50-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2544-49-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2544-51-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2544-52-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /h"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /D"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /F"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /j"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /t"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /b"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /w"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /n"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /o"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /E"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /B"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /p"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /Z"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /i"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /L"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /d"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /K"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /V"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /u"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /X"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /l"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /e"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /H"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /O"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /P"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /G"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /U"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /S"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /W"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /T"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /R"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /J"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /I"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /f"	HQqGkIT8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /z"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /s"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /a"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /g"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /x"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /N"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /C"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /M"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /k"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /v"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /r"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /q"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /c"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /f"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /m"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /Q"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /Y"	drmam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\drmam = "C:\\Users\\Admin\\drmam.exe /A"	drmam.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2544	2632	2tej.exe	34
PID 1688 set thread context of 1056	1688	3tej.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2544	WerFault.exe	34

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2748	tasklist.exe
1828	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	HQqGkIT8.exe
2672	HQqGkIT8.exe
2140	drmam.exe
2140	drmam.exe
1688	3tej.exe
1688	3tej.exe
1688	3tej.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe
2140	drmam.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	1688	3tej.exe
Token: SeDebugPrivilege	1688	3tej.exe
Token: SeDebugPrivilege	1828	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
2672	HQqGkIT8.exe
2140	drmam.exe
2632	2tej.exe
1632	4tej.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2672	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	28
PID 1512 wrote to memory of 2672	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	28
PID 1512 wrote to memory of 2672	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	28
PID 1512 wrote to memory of 2672	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	28
PID 2672 wrote to memory of 2140	2672	HQqGkIT8.exe	29
PID 2672 wrote to memory of 2140	2672	HQqGkIT8.exe	29
PID 2672 wrote to memory of 2140	2672	HQqGkIT8.exe	29
PID 2672 wrote to memory of 2140	2672	HQqGkIT8.exe	29
PID 2672 wrote to memory of 3060	2672	HQqGkIT8.exe	30
PID 2672 wrote to memory of 3060	2672	HQqGkIT8.exe	30
PID 2672 wrote to memory of 3060	2672	HQqGkIT8.exe	30
PID 2672 wrote to memory of 3060	2672	HQqGkIT8.exe	30
PID 3060 wrote to memory of 2748	3060	cmd.exe	32
PID 3060 wrote to memory of 2748	3060	cmd.exe	32
PID 3060 wrote to memory of 2748	3060	cmd.exe	32
PID 3060 wrote to memory of 2748	3060	cmd.exe	32
PID 1512 wrote to memory of 2632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	33
PID 1512 wrote to memory of 2632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	33
PID 1512 wrote to memory of 2632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	33
PID 1512 wrote to memory of 2632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	33
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2632 wrote to memory of 2544	2632	2tej.exe	34
PID 2544 wrote to memory of 2780	2544	2tej.exe	36
PID 2544 wrote to memory of 2780	2544	2tej.exe	36
PID 2544 wrote to memory of 2780	2544	2tej.exe	36
PID 2544 wrote to memory of 2780	2544	2tej.exe	36
PID 1512 wrote to memory of 1688	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	37
PID 1512 wrote to memory of 1688	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	37
PID 1512 wrote to memory of 1688	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	37
PID 1512 wrote to memory of 1688	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	37
PID 1688 wrote to memory of 1344	1688	3tej.exe	21
PID 1512 wrote to memory of 1632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	40
PID 1512 wrote to memory of 1632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	40
PID 1512 wrote to memory of 1632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	40
PID 1512 wrote to memory of 1632	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	40
PID 1688 wrote to memory of 336	1688	3tej.exe	3
PID 1688 wrote to memory of 1056	1688	3tej.exe	41
PID 1688 wrote to memory of 1056	1688	3tej.exe	41
PID 1688 wrote to memory of 1056	1688	3tej.exe	41
PID 1688 wrote to memory of 1056	1688	3tej.exe	41
PID 1688 wrote to memory of 1056	1688	3tej.exe	41
PID 1512 wrote to memory of 1540	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	43
PID 1512 wrote to memory of 1540	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	43
PID 1512 wrote to memory of 1540	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	43
PID 1512 wrote to memory of 1540	1512	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	43
PID 1540 wrote to memory of 1828	1540	cmd.exe	45
PID 1540 wrote to memory of 1828	1540	cmd.exe	45
PID 1540 wrote to memory of 1828	1540	cmd.exe	45
PID 1540 wrote to memory of 1828	1540	cmd.exe	45
PID 2140 wrote to memory of 1828	2140	drmam.exe	45
PID 2140 wrote to memory of 1828	2140	drmam.exe	45
PID 336 wrote to memory of 840	336	csrss.exe	10

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:840

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
  "C:\Users\Admin\AppData\Local\Temp\3fc6ba07521ce14e69f2fc2fb4f69d6b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\HQqGkIT8.exe
    C:\Users\Admin\HQqGkIT8.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\drmam.exe
      "C:\Users\Admin\drmam.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del HQqGkIT8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
- - C:\Users\Admin\2tej.exe
    C:\Users\Admin\2tej.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\2tej.exe
      "C:\Users\Admin\2tej.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 88
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2780
- - C:\Users\Admin\3tej.exe
    C:\Users\Admin\3tej.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1056
- - C:\Users\Admin\4tej.exe
    C:\Users\Admin\4tej.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
2701565e7668aaa462189c7c0f46e4b1

SHA1
f56e3d88e3d7740e8a7be5e2277d8cef70cd7780

SHA256
f05ec7e7d4034c3e14e39ac96d031f5d13aed2b225e3950ebaa37f891b46b861

SHA512
29f6ffceedb5c996d4fda35394ce7eedc17667964e540c8f34eb9b0e02c5f080209dcd3d5b4f817eff2a9165c6864feaf63ad56e1bbb3a1181da5a5aeb02529c

Download Submit
\Users\Admin\2tej.exe

Filesize
64KB

MD5
1b98630662dace204c7a75ac06ab322f

SHA1
f2ebc161d140ce66753f49bf505060216996cdd2

SHA256
88cec7cae39b32f0efa22677b747b6361d70ae8768553e57a8c6ae85b8965650

SHA512
430db374527ff2cc413fe1d2635aa0c1afe3aab3a7e8595988cc2a9816e9b0c1d7b5a9b863f77ed6ed27a718fd08bc6582a8a00b022de23209ce89a93aa524e0

Download Submit
\Users\Admin\3tej.exe

Filesize
204KB

MD5
666d8f00ccb49a2a23b174aa89c06ec2

SHA1
150f8e4aa5fbfb0df6f33a44885e46d43e789800

SHA256
c5d928569c84226a1737d057354a31e5019b464fb7093f1780e5116b486d5e5a

SHA512
0615f336b637db2041331660a98ebae4d36412c4bca64bb268f87cd20160ddf8a11eba097cd19333f1084bf81808b5e6647364cc88e87f85fa1848686881295f

Download Submit
\Users\Admin\4tej.exe

Filesize
44KB

MD5
a60c9c8d5563e0004be44141724b18c9

SHA1
b48757d94346720a169e1e13f0c58d7607040b84

SHA256
98f93a5fb1a578891416f057159de059e1a67228ac3c9e1196ff84706d594d2d

SHA512
bf26c8ec4a916e9dbbbdd881f2f598c4e2f6d560f1ccf27cd36377134c4c12c6505d0a00ab4e779a3b8b44021c2ec85658440b4e44d713fda86b6cdaa20bcb88

Download Submit
\Users\Admin\HQqGkIT8.exe

Filesize
292KB

MD5
f303cad3eb27fbe3210de3ceba0c383a

SHA1
2d6ee904f441820825872e6a1c25602bbc3f4fc7

SHA256
27ad34b399adb9be6b710ea1c3e43924d352f12b28459f5bbf1a4e99d62ab134

SHA512
b3cde21a385943fd5c5768dc842769307eef749c26847ca6109bb0ffe866fdbe6fd8f8564aa6390fddc5ce70371b342da9bfc37b6dd934f3b3d0a315e7476b0d

Download Submit
\Users\Admin\drmam.exe

Filesize
292KB

MD5
bd05f5a99233cc3a74adfa27cf98e078

SHA1
14dae9606de96dadab7f967568d5e8538a0ce393

SHA256
3517d2079bc6a1948f8d371d60d1e28c4cccddcfdf8c302d8621f7754d964018

SHA512
d7bc466a1e9ea0019290629b4aa94e3e4efe04ed8608d69ca52c8aa4d4598b32a5c76e5eb7ca1fcb14015f71f5e5510b38e142f50429b69b1091acb3caf449ed

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
6bf2039986af96d98e08824ac6c383fd

SHA1
0bb6384656a96943cb427baa92446f987219a02e

SHA256
a3e03454ff636f4cdd0a95b856ea9e7857cd3ce0fd2bc6d528ab45781349103f

SHA512
fae378badcd6b45d69705d11fe5feb2d9f93fa444249c13aff9b150359ffdbcfe2b160731e193d3e19b6eef18d2ef01de41549a1c2bbdf59501f901511f9068e

Download Submit
memory/336-110-0x0000000001FD0000-0x0000000001FE1000-memory.dmp

Filesize
68KB

Download
memory/336-111-0x0000000001FD0000-0x0000000001FE1000-memory.dmp

Filesize
68KB

Download
memory/336-108-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/336-116-0x0000000001FD0000-0x0000000001FE1000-memory.dmp

Filesize
68KB

Download
memory/336-121-0x0000000001FD0000-0x0000000001FE1000-memory.dmp

Filesize
68KB

Download
memory/840-136-0x00000000009D0000-0x00000000009DB000-memory.dmp

Filesize
44KB

Download
memory/840-124-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/840-125-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/840-129-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/840-133-0x00000000009C0000-0x00000000009CB000-memory.dmp

Filesize
44KB

Download
memory/840-134-0x00000000009D0000-0x00000000009DB000-memory.dmp

Filesize
44KB

Download
memory/840-139-0x00000000009D0000-0x00000000009DB000-memory.dmp

Filesize
44KB

Download
memory/1344-78-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1344-73-0x00000000025A0000-0x00000000025A2000-memory.dmp

Filesize
8KB

Download
memory/1344-74-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1344-82-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/1512-118-0x0000000002B30000-0x00000000035EA000-memory.dmp

Filesize
10.7MB

Download
memory/1688-69-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1688-88-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1688-106-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1688-71-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1688-72-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1688-70-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1688-85-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1688-68-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1688-84-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/2544-52-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-51-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-49-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-46-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-42-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-40-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download