Analysis
-
max time kernel
148s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
07/01/2024, 23:37
Behavioral task
behavioral1
Sample
4a12d4082f4c660e926e19e4c966ca30.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4a12d4082f4c660e926e19e4c966ca30.exe
Resource
win10v2004-20231215-en
General
-
Target
4a12d4082f4c660e926e19e4c966ca30.exe
-
Size
856KB
-
MD5
4a12d4082f4c660e926e19e4c966ca30
-
SHA1
51e4a31c074e37c7dcde627d7defd45a81c0782a
-
SHA256
5e76e8f8e7f72d6f41db7267a13862d772e00583f89fe5c9fbfbd8192b9526bc
-
SHA512
3afff00173474b958f83778d185ace5e440673886d5d7b25f31feec5e04a873395fc003409d066c1b040b4fccc0f9397a49bba02b448c38a2c023a915c1ef493
-
SSDEEP
12288:cJjCWhgzbBM8PtV9m2YkA4UrCuMtfQBSo7n4fUT2a6A2QeTF0XhMdUyGtd:cJmmgPnPikA43xsr4Y2a6A2nChuUr
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\9b7b7593\\X" Explorer.EXE -
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" HM23Yh.exe Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" giuku.exe -
ModiLoader Second Stage 7 IoCs
resource yara_rule behavioral1/memory/1872-14-0x0000000000400000-0x000000000052D000-memory.dmp modiloader_stage2 behavioral1/memory/1872-13-0x0000000000400000-0x000000000052D000-memory.dmp modiloader_stage2 behavioral1/memory/2296-10-0x0000000000400000-0x0000000000420000-memory.dmp modiloader_stage2 behavioral1/memory/2676-69-0x0000000000400000-0x000000000041F000-memory.dmp modiloader_stage2 behavioral1/memory/1872-95-0x0000000000400000-0x000000000052D000-memory.dmp modiloader_stage2 behavioral1/memory/2964-93-0x0000000000400000-0x000000000041F000-memory.dmp modiloader_stage2 behavioral1/memory/1872-207-0x0000000000400000-0x000000000052D000-memory.dmp modiloader_stage2 -
Deletes itself 1 IoCs
pid Process 2688 cmd.exe -
Executes dropped EXE 12 IoCs
pid Process 2712 HM23Yh.exe 2020 giuku.exe 2676 awhost.exe 2396 awhost.exe 2964 bwhost.exe 1524 bwhost.exe 2028 cwhost.exe 336 csrss.exe 1312 dwhost.exe 1976 X 1240 Explorer.EXE 1528 ewhost.exe -
Loads dropped DLL 18 IoCs
pid Process 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 2712 HM23Yh.exe 2712 HM23Yh.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1312 dwhost.exe 1312 dwhost.exe 1312 dwhost.exe 1976 X 1872 4a12d4082f4c660e926e19e4c966ca30.exe 1872 4a12d4082f4c660e926e19e4c966ca30.exe -
resource yara_rule behavioral1/memory/1872-6-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral1/memory/1872-14-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral1/memory/1872-13-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral1/memory/1872-12-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral1/memory/1872-4-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral1/memory/1872-2-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral1/memory/1524-98-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1524-99-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1524-97-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1524-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1872-95-0x0000000000400000-0x000000000052D000-memory.dmp upx behavioral1/memory/1524-87-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1524-84-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1524-82-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1872-207-0x0000000000400000-0x000000000052D000-memory.dmp upx -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /j" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /N" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /b" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /H" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /h" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /Z" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /u" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /L" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /O" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /R" HM23Yh.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /W" giuku.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /a" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /F" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /E" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /J" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /G" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /A" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /P" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /d" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /R" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /S" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /y" giuku.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /Y" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /z" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /n" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /o" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /g" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /x" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /C" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /f" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /D" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /K" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /r" giuku.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /I" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /s" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /v" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /c" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /k" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /q" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /p" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /Q" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /T" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /X" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /e" giuku.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /i" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /M" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /w" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /U" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /m" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /t" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /V" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /B" giuku.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\giuku = "C:\\Users\\Admin\\giuku.exe /l" giuku.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created \systemroot\assembly\GAC_64\Desktop.ini csrss.exe File created \systemroot\assembly\GAC_32\Desktop.ini csrss.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum awhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 awhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum bwhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 bwhost.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2296 set thread context of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2676 set thread context of 2396 2676 awhost.exe 36 PID 2964 set thread context of 1524 2964 bwhost.exe 38 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2768 tasklist.exe 2432 tasklist.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \registry\machine\Software\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2} explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2}\u = "860049491" explorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1a74ef5b-e0c8-3427-8f23-6f47e43457d2}\cid = "936373506384518835" explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2712 HM23Yh.exe 2712 HM23Yh.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2396 awhost.exe 2396 awhost.exe 2396 awhost.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 1524 bwhost.exe 2020 giuku.exe 2020 giuku.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 2020 giuku.exe 1976 X 2020 giuku.exe 2396 awhost.exe 2396 awhost.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2396 awhost.exe 2396 awhost.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2396 awhost.exe 2396 awhost.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2396 awhost.exe 2396 awhost.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe 2396 awhost.exe 2396 awhost.exe 2020 giuku.exe 2020 giuku.exe 2020 giuku.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2768 tasklist.exe Token: SeDebugPrivilege 1684 explorer.exe Token: SeDebugPrivilege 2432 tasklist.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1872 4a12d4082f4c660e926e19e4c966ca30.exe 2712 HM23Yh.exe 2020 giuku.exe 1528 ewhost.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 336 csrss.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 2296 wrote to memory of 1872 2296 4a12d4082f4c660e926e19e4c966ca30.exe 28 PID 1872 wrote to memory of 2712 1872 4a12d4082f4c660e926e19e4c966ca30.exe 29 PID 1872 wrote to memory of 2712 1872 4a12d4082f4c660e926e19e4c966ca30.exe 29 PID 1872 wrote to memory of 2712 1872 4a12d4082f4c660e926e19e4c966ca30.exe 29 PID 1872 wrote to memory of 2712 1872 4a12d4082f4c660e926e19e4c966ca30.exe 29 PID 2712 wrote to memory of 2020 2712 HM23Yh.exe 34 PID 2712 wrote to memory of 2020 2712 HM23Yh.exe 34 PID 2712 wrote to memory of 2020 2712 HM23Yh.exe 34 PID 2712 wrote to memory of 2020 2712 HM23Yh.exe 34 PID 2712 wrote to memory of 2912 2712 HM23Yh.exe 33 PID 2712 wrote to memory of 2912 2712 HM23Yh.exe 33 PID 2712 wrote to memory of 2912 2712 HM23Yh.exe 33 PID 2712 wrote to memory of 2912 2712 HM23Yh.exe 33 PID 2912 wrote to memory of 2768 2912 cmd.exe 30 PID 2912 wrote to memory of 2768 2912 cmd.exe 30 PID 2912 wrote to memory of 2768 2912 cmd.exe 30 PID 2912 wrote to memory of 2768 2912 cmd.exe 30 PID 1872 wrote to memory of 2676 1872 4a12d4082f4c660e926e19e4c966ca30.exe 35 PID 1872 wrote to memory of 2676 1872 4a12d4082f4c660e926e19e4c966ca30.exe 35 PID 1872 wrote to memory of 2676 1872 4a12d4082f4c660e926e19e4c966ca30.exe 35 PID 1872 wrote to memory of 2676 1872 4a12d4082f4c660e926e19e4c966ca30.exe 35 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 
36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 2676 wrote to memory of 2396 2676 awhost.exe 36 PID 1872 wrote to memory of 2964 1872 4a12d4082f4c660e926e19e4c966ca30.exe 37 PID 1872 wrote to memory of 2964 1872 4a12d4082f4c660e926e19e4c966ca30.exe 37 PID 1872 wrote to memory of 2964 1872 4a12d4082f4c660e926e19e4c966ca30.exe 37 PID 1872 wrote to memory of 2964 1872 4a12d4082f4c660e926e19e4c966ca30.exe 37 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 2964 wrote to memory of 1524 2964 bwhost.exe 38 PID 1872 wrote to memory of 2028 1872 4a12d4082f4c660e926e19e4c966ca30.exe 40 PID 1872 wrote to memory of 2028 1872 4a12d4082f4c660e926e19e4c966ca30.exe 40 PID 1872 wrote to memory of 2028 1872 4a12d4082f4c660e926e19e4c966ca30.exe 40 PID 1872 wrote to memory of 2028 1872 4a12d4082f4c660e926e19e4c966ca30.exe 40 PID 2028 wrote to memory of 1684 2028 cwhost.exe 39 PID 2028 wrote to memory of 1684 2028 cwhost.exe 39 PID 2028 wrote to memory of 1684 2028 cwhost.exe 39 PID 2028 wrote to memory of 1684 2028 cwhost.exe 39 PID 2028 wrote to memory of 1684 2028 cwhost.exe 39 PID 2028 wrote to memory of 1684 2028 cwhost.exe 39 PID 1684 wrote to memory of 336 1684 explorer.exe 26 PID 1872 wrote to memory of 1312 1872 4a12d4082f4c660e926e19e4c966ca30.exe 42 PID 1872 wrote to memory of 1312 1872 
4a12d4082f4c660e926e19e4c966ca30.exe 42
Processes
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | level 1
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:1240 -
C:\Users\Admin\AppData\Local\Temp\4a12d4082f4c660e926e19e4c966ca30.exe | "C:\Users\Admin\AppData\Local\Temp\4a12d4082f4c660e926e19e4c966ca30.exe" | level 2
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\4a12d4082f4c660e926e19e4c966ca30.exe | 4a12d4082f4c660e926e19e4c966ca30.exe | level 3
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\HM23Yh.exe | C:\Users\Admin\HM23Yh.exe | level 4
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del HM23Yh.exe | level 5
- Suspicious use of WriteProcessMemory
PID:2912
-
-
C:\Users\Admin\giuku.exe | "C:\Users\Admin\giuku.exe" | level 5
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020
-
-
-
C:\Users\Admin\awhost.exe | C:\Users\Admin\awhost.exe | level 4
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\awhost.exe | awhost.exe | level 5
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:2396
-
-
-
C:\Users\Admin\bwhost.exe | C:\Users\Admin\bwhost.exe | level 4
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Users\Admin\bwhost.exe | bwhost.exe | level 5
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID:1524
-
-
-
C:\Users\Admin\cwhost.exe | C:\Users\Admin\cwhost.exe | level 4
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028
-
-
C:\Users\Admin\dwhost.exe | C:\Users\Admin\dwhost.exe | level 4
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" | level 5
PID:1900
-
-
-
C:\Users\Admin\ewhost.exe | C:\Users\Admin\ewhost.exe | level 4
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1528
-
-
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del 4a12d4082f4c660e926e19e4c966ca30.exe | level 4
- Deletes itself
PID:2688
-
-
-
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | level 1
PID:868
-
C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | level 2
PID:1552
-
-
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | level 1
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
PID:336
-
C:\Windows\SysWOW64\tasklist.exe | tasklist | level 1
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
C:\Windows\explorer.exe | "C:\Windows\explorer.exe" | level 1
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
-
C:\Users\Admin\AppData\Local\9b7b7593\X | 193.105.154.210:80 | level 1
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1976
-
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | level 1
PID:1212
-
C:\Windows\SysWOW64\tasklist.exe | tasklist | level 1
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2432
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 3