b2a611559db3a0c56892e10f01874c5d76bfd69fec6f3f06db0fa20d36c29745

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b70d78ba7da3cc47652eda145a8232c.exe
Size

840KB
MD5

7b70d78ba7da3cc47652eda145a8232c
SHA1

7c999fa8f9090644c904056918f50a244a729ec9
SHA256

b2a611559db3a0c56892e10f01874c5d76bfd69fec6f3f06db0fa20d36c29745
SHA512

79daa368eb97008022e25a67c02f201c3333da23653d1cff97ce500280b0aa873acefaf46f50eaf1e8443852c496266036d0734c712b98f99453e97634b1e3ee
SSDEEP

12288:SCpyvXFPTfnCvX66h/NYJ9nDW6FApNg3gZqdDUtOuBiMc/j6KRVrxn7Nl4+GtlrL:Hk9P7nCvX6MNYLIbgYJ3chra+GbrL

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d3WQGzd9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xiieyek.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	d3WQGzd9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7b70d78ba7da3cc47652eda145a8232c.exe

Executes dropped EXE 9 IoCs

pid	Process
852	d3WQGzd9.exe
4972	xiieyek.exe
3484	awhost.exe
2520	bwhost.exe
1724	bwhost.exe
4380	cwhost.exe
4304	cwhost.exe
4024	cwhost.exe
924	dwhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4380-74-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral2/memory/4304-86-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral2/memory/4380-153-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral2/memory/4024-154-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral2/memory/4380-277-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /n"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /l"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /O"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /g"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /y"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /k"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /L"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /c"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /i"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /Z"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /j"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /w"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /R"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /M"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /p"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /D"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /Q"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /x"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /m"	xiieyek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Program Files (x86)\\Internet Explorer\\lvvm.exe"	cwhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /o"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /b"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /N"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /U"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /P"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /u"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /I"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /F"	d3WQGzd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /f"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /d"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /q"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /a"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /r"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /e"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /J"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /S"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /F"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /V"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /W"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /X"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /C"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /s"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /Y"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /v"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /E"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /h"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /T"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /z"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /A"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /B"	xiieyek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiieyek = "C:\\Users\\Admin\\xiieyek.exe /K"	xiieyek.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 3484 set thread context of 5008	3484	awhost.exe	100
PID 2520 set thread context of 1724	2520	bwhost.exe	102
PID 1724 set thread context of 1124	1724	bwhost.exe	103

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\lvvm.exe	cwhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3132	tasklist.exe
2936	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	d3WQGzd9.exe
852	d3WQGzd9.exe
852	d3WQGzd9.exe
852	d3WQGzd9.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
4972	xiieyek.exe
4972	xiieyek.exe
5008	svchost.exe
5008	svchost.exe
5008	svchost.exe
5008	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	tasklist.exe
Token: SeDebugPrivilege	2936	tasklist.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1608	7b70d78ba7da3cc47652eda145a8232c.exe
2500	7b70d78ba7da3cc47652eda145a8232c.exe
852	d3WQGzd9.exe
4972	xiieyek.exe
3484	awhost.exe
2520	bwhost.exe
924	dwhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 1608 wrote to memory of 2500	1608	7b70d78ba7da3cc47652eda145a8232c.exe	87
PID 2500 wrote to memory of 852	2500	7b70d78ba7da3cc47652eda145a8232c.exe	90
PID 2500 wrote to memory of 852	2500	7b70d78ba7da3cc47652eda145a8232c.exe	90
PID 2500 wrote to memory of 852	2500	7b70d78ba7da3cc47652eda145a8232c.exe	90
PID 852 wrote to memory of 4972	852	d3WQGzd9.exe	95
PID 852 wrote to memory of 4972	852	d3WQGzd9.exe	95
PID 852 wrote to memory of 4972	852	d3WQGzd9.exe	95
PID 852 wrote to memory of 2148	852	d3WQGzd9.exe	96
PID 852 wrote to memory of 2148	852	d3WQGzd9.exe	96
PID 852 wrote to memory of 2148	852	d3WQGzd9.exe	96
PID 2148 wrote to memory of 3132	2148	cmd.exe	98
PID 2148 wrote to memory of 3132	2148	cmd.exe	98
PID 2148 wrote to memory of 3132	2148	cmd.exe	98
PID 2500 wrote to memory of 3484	2500	7b70d78ba7da3cc47652eda145a8232c.exe	99
PID 2500 wrote to memory of 3484	2500	7b70d78ba7da3cc47652eda145a8232c.exe	99
PID 2500 wrote to memory of 3484	2500	7b70d78ba7da3cc47652eda145a8232c.exe	99
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 3484 wrote to memory of 5008	3484	awhost.exe	100
PID 2500 wrote to memory of 2520	2500	7b70d78ba7da3cc47652eda145a8232c.exe	101
PID 2500 wrote to memory of 2520	2500	7b70d78ba7da3cc47652eda145a8232c.exe	101
PID 2500 wrote to memory of 2520	2500	7b70d78ba7da3cc47652eda145a8232c.exe	101
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 2520 wrote to memory of 1724	2520	bwhost.exe	102
PID 1724 wrote to memory of 1124	1724	bwhost.exe	103
PID 1724 wrote to memory of 1124	1724	bwhost.exe	103
PID 1724 wrote to memory of 1124	1724	bwhost.exe	103
PID 2500 wrote to memory of 4380	2500	7b70d78ba7da3cc47652eda145a8232c.exe	108
PID 2500 wrote to memory of 4380	2500	7b70d78ba7da3cc47652eda145a8232c.exe	108
PID 2500 wrote to memory of 4380	2500	7b70d78ba7da3cc47652eda145a8232c.exe	108
PID 4380 wrote to memory of 4304	4380	cwhost.exe	109
PID 4380 wrote to memory of 4304	4380	cwhost.exe	109
PID 4380 wrote to memory of 4304	4380	cwhost.exe	109
PID 4380 wrote to memory of 4024	4380	cwhost.exe	112
PID 4380 wrote to memory of 4024	4380	cwhost.exe	112
PID 4380 wrote to memory of 4024	4380	cwhost.exe	112
PID 2500 wrote to memory of 924	2500	7b70d78ba7da3cc47652eda145a8232c.exe	114
PID 2500 wrote to memory of 924	2500	7b70d78ba7da3cc47652eda145a8232c.exe	114
PID 2500 wrote to memory of 924	2500	7b70d78ba7da3cc47652eda145a8232c.exe	114
PID 2500 wrote to memory of 3792	2500	7b70d78ba7da3cc47652eda145a8232c.exe	115
PID 2500 wrote to memory of 3792	2500	7b70d78ba7da3cc47652eda145a8232c.exe	115
PID 2500 wrote to memory of 3792	2500	7b70d78ba7da3cc47652eda145a8232c.exe	115
PID 3792 wrote to memory of 2936	3792	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\7b70d78ba7da3cc47652eda145a8232c.exe
"C:\Users\Admin\AppData\Local\Temp\7b70d78ba7da3cc47652eda145a8232c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\7b70d78ba7da3cc47652eda145a8232c.exe
  "C:\Users\Admin\AppData\Local\Temp\7b70d78ba7da3cc47652eda145a8232c.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\d3WQGzd9.exe
    C:\Users\Admin\d3WQGzd9.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Users\Admin\xiieyek.exe
      "C:\Users\Admin\xiieyek.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del d3WQGzd9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
- - C:\Users\Admin\awhost.exe
    C:\Users\Admin\awhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5008
- - C:\Users\Admin\bwhost.exe
    C:\Users\Admin\bwhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\bwhost.exe
      "C:\Users\Admin\bwhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\explorer.exe
        
        000000D0*
        5⤵
        
        PID:1124
- - C:\Users\Admin\cwhost.exe
    C:\Users\Admin\cwhost.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\cwhost.exe
      C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Roaming\conhost.exe%C:\Users\Admin\AppData\Roaming
      4⤵
      Executes dropped EXE
      PID:4304
  - - C:\Users\Admin\cwhost.exe
      C:\Users\Admin\cwhost.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      PID:4024
- - C:\Users\Admin\dwhost.exe
    C:\Users\Admin\dwhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 7b70d78ba7da3cc47652eda145a8232c.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4938.C26

Filesize
996B

MD5
5da1b868fa1a6745464cb8596f78f46e

SHA1
df263dbc3d4cfa7c8da6eedf3ebbab37d681149e

SHA256
048ee9761603e7b9e7c13b6a140e00b28ff0d48e4add2c230c8954dcddde05e4

SHA512
13b70f00a9a8195e8fa42e654c95402dff68132181a4bf1c61487d9d7387dd27549369c6fe0d1983750b541b4c4fbfb23e9ecc902cd5f58536402108cc053214

Download Submit
C:\Users\Admin\AppData\Roaming\4938.C26

Filesize
1KB

MD5
51734cdfbb1d7535ff185ff2da5f8f67

SHA1
0df8b76d9d7a736fca814a216f53b826b6f5cc2d

SHA256
ffe651506d38e69841dbf7abf4df32e17ee453f5fa2c081673cb4fc556b7e5e7

SHA512
bdc2e0bfd65fb17863f0d72cf46e3b655092f7676d94738dadfb78120fd7e317968e3c5a779149309566c35592786beb3a124e22ddd0b25eae5d869511cc4208

Download Submit
C:\Users\Admin\AppData\Roaming\4938.C26

Filesize
600B

MD5
07f6085f26d1657c6fb9f623d236ab99

SHA1
205cf0f03df6837ee2505ef1a5128c55cf2be027

SHA256
79dcfdee891161a0704719060a3f56259793b51e03dabb6873772a755fb2bcf8

SHA512
0ee92b106b845c0ce97a13cab4320d4a43b067d116085edd937e996bb82d7a1f47eff81a98f2adc2eb7aaa7c5028e32c6ed7788662f08016efe0584e090a55d5

Download Submit
C:\Users\Admin\awhost.exe

Filesize
68KB

MD5
b0406fa1f1b4a471ce4c1521708d1ef3

SHA1
bd2bb68d92c8b6af7604d52e336152bc48ea1227

SHA256
ef2abd7d609bba1f141b3e1dc6a79d937fe68e37d51b093fc29e0d800bf6fa29

SHA512
07bec70b25b083919a91de4930842ba8b264e869d0251134cbfecbc9227be704c70600c9db878eee08f7d1fa1df6c848577b632f810b014d62ace26b961bb2cc

Download Submit
C:\Users\Admin\bwhost.exe

Filesize
136KB

MD5
acaf206a193335d7983a46a8c9e18fea

SHA1
3a33b8148c23887c2b9edc2d0dbec3d83398069b

SHA256
8aa2fb2e061fc4a30160f912db3f1ea75189d16d922f82aba6538e92c4df47ca

SHA512
846622efa83273ce9f40f38953077eca4a6f064923a8cf9b202d19cac9fac4c8e58007f2531fafafb6b408787d0ed23a3349b49794d0311736efa35bba6fba10

Download Submit
C:\Users\Admin\cwhost.exe

Filesize
170KB

MD5
40d9607cb66da11b9adfec5b93b8b311

SHA1
55bf463cd5c0c90ba92935ef81ae47ab3bc5fea6

SHA256
033e60eebb966b3bcfbe27fa3e99e8f393970f320b5cc25cb16517869eb5f3e6

SHA512
e764053de1c2444e61e638e67e91cf7d9d968df4d60b8bcc3f5ddfc317edb1f14e950d096d451fa372a699fc886125066f4e2f2de171641433ce1e066aa58078

Download Submit
C:\Users\Admin\d3WQGzd9.exe

Filesize
364KB

MD5
db406d87e556a0008c18429ecf3cc93a

SHA1
3a1b7a87080bf1d78fca904bd7515833bbd380e8

SHA256
2712b4f742a53c7d4b9a55c8f760447a26925c10a3ca6c10b84dea49482a2768

SHA512
e0da870b0c8f8955277b9227ef3de2b4d3e45d37986ac9a9b445e24506f265020f071365a2135b1e2892aaa64c3b7477d6c4a57598f3601655d74d92d6222354

Download Submit
C:\Users\Admin\dwhost.exe

Filesize
24KB

MD5
aaa893d374547f20f7fdd7c3b6c56b36

SHA1
f7aab7bd60af5e948b71abcccbcfb1d62f6580ff

SHA256
17c950477ffd3e28c4135c4cc5711589415129c7b21c4af1e89deaf68f043d03

SHA512
491b88e809425dd20dc9052fe45ab101ccb803c186a27d6502bf1cbefa8d903d51f72c02e604ec346f77b85c4324daa036341a42fcba0a96e5c69781ebfecb31

Download Submit
C:\Users\Admin\xiieyek.exe

Filesize
364KB

MD5
2be064323a91ffcf716249198f803584

SHA1
9e139d3933ae4b20e9cd3bcdab1381f80e767ea4

SHA256
9284b4299d0c2ff3d431b33e5a4bc69b8cde8c7d3c9825f5c6610bdbd8123102

SHA512
6ec9f87a385f23007a20c8215ce90f3afabfc0d0ea97034e9544d09b2a36d2d8eb15cba53f513de53bfdae7d13d6c90f16fec4edcb7ea0efe429710640334939

Download Submit
memory/1124-69-0x0000000000A00000-0x0000000000A15000-memory.dmp

Filesize
84KB

Download
memory/1724-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1724-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-275-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2500-2-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2500-89-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2500-4-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4024-154-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4024-156-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/4304-87-0x0000000000733000-0x000000000074B000-memory.dmp

Filesize
96KB

Download
memory/4304-86-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4380-74-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4380-153-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4380-162-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/4380-75-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/4380-277-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/5008-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5008-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5008-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download