6b7b2c2f406c7366a787f06e8af1dcd7fab51658673ea2b5a9934a34478762a8

Analysis

max time kernel
152s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
Size

412KB
MD5

3fc6ba07521ce14e69f2fc2fb4f69d6b
SHA1

865045b3bd8b49e675aff460c993fc79af1b94a7
SHA256

6b7b2c2f406c7366a787f06e8af1dcd7fab51658673ea2b5a9934a34478762a8
SHA512

f9ce1b7bbe581a066bf8b1098729f98049cfc223fdeb68dfec2083b5b21bb2537628b88321cf40089361fa68d4636b713c5c652f862a4e5bbdf60ea7c019c533
SSDEEP

12288:LEv1PnyMvotKR3yDoPMVGHTsqItqaXljnnIbnI6stkArNEXS2cNgbusSMU:LEhI62NWXncNgbusSMU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	HQqGkIT8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bacaz.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	HQqGkIT8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe

Executes dropped EXE 6 IoCs

pid	Process
2700	HQqGkIT8.exe
3444	2tej.exe
4668	2tej.exe
940	bacaz.exe
1372	3tej.exe
3000	4tej.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4668-17-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4668-20-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4668-21-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4668-22-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /z"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /o"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /Z"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /K"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /k"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /j"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /H"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /S"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /E"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /B"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /L"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /m"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /i"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /w"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /F"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /l"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /b"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /x"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /V"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /X"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /I"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /y"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /e"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /f"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /s"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /A"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /R"	HQqGkIT8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /D"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /Y"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /J"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /h"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /p"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /O"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /N"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /Q"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /t"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /d"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /T"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /c"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /R"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /a"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /G"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /U"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /C"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /r"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /P"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /u"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /W"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /M"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /g"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /v"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /q"	bacaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bacaz = "C:\\Users\\Admin\\bacaz.exe /n"	bacaz.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 4668	3444	2tej.exe	97
PID 1372 set thread context of 4644	1372	3tej.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1788	tasklist.exe
2448	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	HQqGkIT8.exe
2700	HQqGkIT8.exe
4668	2tej.exe
4668	2tej.exe
2700	HQqGkIT8.exe
2700	HQqGkIT8.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
1372	3tej.exe
1372	3tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
940	bacaz.exe
940	bacaz.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
940	bacaz.exe
940	bacaz.exe
4668	2tej.exe
4668	2tej.exe
4668	2tej.exe
4668	2tej.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	tasklist.exe
Token: SeDebugPrivilege	1372	3tej.exe
Token: SeDebugPrivilege	1372	3tej.exe
Token: SeDebugPrivilege	2448	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
2700	HQqGkIT8.exe
3444	2tej.exe
940	bacaz.exe
3000	4tej.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2700	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	91
PID 4528 wrote to memory of 2700	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	91
PID 4528 wrote to memory of 2700	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	91
PID 4528 wrote to memory of 3444	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	96
PID 4528 wrote to memory of 3444	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	96
PID 4528 wrote to memory of 3444	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	96
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 3444 wrote to memory of 4668	3444	2tej.exe	97
PID 2700 wrote to memory of 940	2700	HQqGkIT8.exe	98
PID 2700 wrote to memory of 940	2700	HQqGkIT8.exe	98
PID 2700 wrote to memory of 940	2700	HQqGkIT8.exe	98
PID 2700 wrote to memory of 4752	2700	HQqGkIT8.exe	99
PID 2700 wrote to memory of 4752	2700	HQqGkIT8.exe	99
PID 2700 wrote to memory of 4752	2700	HQqGkIT8.exe	99
PID 4752 wrote to memory of 1788	4752	cmd.exe	101
PID 4752 wrote to memory of 1788	4752	cmd.exe	101
PID 4752 wrote to memory of 1788	4752	cmd.exe	101
PID 4528 wrote to memory of 1372	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	102
PID 4528 wrote to memory of 1372	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	102
PID 4528 wrote to memory of 1372	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	102
PID 940 wrote to memory of 1788	940	bacaz.exe	101
PID 940 wrote to memory of 1788	940	bacaz.exe	101
PID 1372 wrote to memory of 4644	1372	3tej.exe	104
PID 1372 wrote to memory of 4644	1372	3tej.exe	104
PID 1372 wrote to memory of 4644	1372	3tej.exe	104
PID 1372 wrote to memory of 4644	1372	3tej.exe	104
PID 4528 wrote to memory of 3000	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	107
PID 4528 wrote to memory of 3000	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	107
PID 4528 wrote to memory of 3000	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	107
PID 4528 wrote to memory of 1048	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	113
PID 4528 wrote to memory of 1048	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	113
PID 4528 wrote to memory of 1048	4528	3fc6ba07521ce14e69f2fc2fb4f69d6b.exe	113
PID 1048 wrote to memory of 2448	1048	cmd.exe	115
PID 1048 wrote to memory of 2448	1048	cmd.exe	115
PID 1048 wrote to memory of 2448	1048	cmd.exe	115
PID 940 wrote to memory of 2448	940	bacaz.exe	115
PID 940 wrote to memory of 2448	940	bacaz.exe	115

C:\Users\Admin\AppData\Local\Temp\3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
"C:\Users\Admin\AppData\Local\Temp\3fc6ba07521ce14e69f2fc2fb4f69d6b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\HQqGkIT8.exe
  C:\Users\Admin\HQqGkIT8.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\bacaz.exe
    "C:\Users\Admin\bacaz.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del HQqGkIT8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1788
- C:\Users\Admin\2tej.exe
  C:\Users\Admin\2tej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Users\Admin\2tej.exe
    "C:\Users\Admin\2tej.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4668
- C:\Users\Admin\3tej.exe
  C:\Users\Admin\3tej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4644
- C:\Users\Admin\4tej.exe
  C:\Users\Admin\4tej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 3fc6ba07521ce14e69f2fc2fb4f69d6b.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2tej.exe

Filesize
64KB

MD5
1b98630662dace204c7a75ac06ab322f

SHA1
f2ebc161d140ce66753f49bf505060216996cdd2

SHA256
88cec7cae39b32f0efa22677b747b6361d70ae8768553e57a8c6ae85b8965650

SHA512
430db374527ff2cc413fe1d2635aa0c1afe3aab3a7e8595988cc2a9816e9b0c1d7b5a9b863f77ed6ed27a718fd08bc6582a8a00b022de23209ce89a93aa524e0

Download Submit
C:\Users\Admin\3tej.exe

Filesize
204KB

MD5
666d8f00ccb49a2a23b174aa89c06ec2

SHA1
150f8e4aa5fbfb0df6f33a44885e46d43e789800

SHA256
c5d928569c84226a1737d057354a31e5019b464fb7093f1780e5116b486d5e5a

SHA512
0615f336b637db2041331660a98ebae4d36412c4bca64bb268f87cd20160ddf8a11eba097cd19333f1084bf81808b5e6647364cc88e87f85fa1848686881295f

Download Submit
C:\Users\Admin\4tej.exe

Filesize
44KB

MD5
a60c9c8d5563e0004be44141724b18c9

SHA1
b48757d94346720a169e1e13f0c58d7607040b84

SHA256
98f93a5fb1a578891416f057159de059e1a67228ac3c9e1196ff84706d594d2d

SHA512
bf26c8ec4a916e9dbbbdd881f2f598c4e2f6d560f1ccf27cd36377134c4c12c6505d0a00ab4e779a3b8b44021c2ec85658440b4e44d713fda86b6cdaa20bcb88

Download Submit
C:\Users\Admin\HQqGkIT8.exe

Filesize
292KB

MD5
f303cad3eb27fbe3210de3ceba0c383a

SHA1
2d6ee904f441820825872e6a1c25602bbc3f4fc7

SHA256
27ad34b399adb9be6b710ea1c3e43924d352f12b28459f5bbf1a4e99d62ab134

SHA512
b3cde21a385943fd5c5768dc842769307eef749c26847ca6109bb0ffe866fdbe6fd8f8564aa6390fddc5ce70371b342da9bfc37b6dd934f3b3d0a315e7476b0d

Download Submit
C:\Users\Admin\HQqGkIT8.exe

Filesize
179KB

MD5
961441cd4525053fe6b32006e30c5b70

SHA1
a5df2ae1344fe40a6a1cd09aad8fc9c7d5948b86

SHA256
e409ef32512e17229df1cd96025d1e257ef685bd56fc5ac41611bc1b482c786e

SHA512
124206c9b159bbc166a07a05c0330b1f1b4affdc68bdeaf4b59ce8674af3c2be2507ad9cc3a21ffa59557e5fb8357afb5e7981528362244e31bf2cb04d4d5a2a

Download Submit
C:\Users\Admin\bacaz.exe

Filesize
292KB

MD5
e7edf653898534351093619f715d3209

SHA1
e457fb5cbf83ea2a02ee8b492898ce41007d80a9

SHA256
a45b7dfb02d9ec5251d2797fd8fda8f5565b397a30fabf0d487648f0b6fe0b85

SHA512
55ec34a04c5aefa64d63578113328dc05701ed1427bb7486031259c2d9e84809fea7ff1815d7539dfd5b23e63444165e2c573e4edbade4bfc2e5b260fac55c83

Download Submit
memory/1372-61-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1372-58-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1372-59-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/1372-60-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1372-62-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/1372-64-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/1372-65-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/4668-22-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4668-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4668-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4668-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download