Analysis
- max time kernel: 599s
- max time network: 600s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 01-02-2024 15:34
Behavioral tasks
- behavioral1: sample s.exe, resource win7-20231129-en
- behavioral2: sample s.exe, resource win10v2004-20231222-en
- behavioral3: sample out.exe, resource win7-20231215-en
- behavioral4: sample out.exe, resource win10v2004-20231215-en
General
- Target: s.exe
- Size: 254KB
- MD5: 4485d8844b083564cf510271d90d7399
- SHA1: 769d564f9b895c8d07fee07733782c548e30267a
- SHA256: fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f
- SHA512: 0f0e1eb3249e1a73ab51b08462dfd8871c9fe5db7b87090635a8b6930c830440a2a225c4e1ed5e8f596cea1672f65fcb1a383a47ea9e4133bde8cc9ed793efeb
- SSDEEP: 6144:h+lSr5QA7XPoS5Ut7Qjs+oQmAWN3/+Ne1YmWpm0+ie+z:Zr5Q0oS5Fjs+MAU/Lypmr+z
Malware Config
Signatures
- Detects PlugX payload (28 IoCs): YARA rule family_plugx matched in process memory dumps
- Deletes itself (1 IoC)
    pid   process
    2188  ktmhelp.exe
- Executes dropped EXE (3 IoCs)
    pid   process
    2188  ktmhelp.exe
    2676  ktmhelp.exe
    2604  ktmhelp.exe
- Loads dropped DLL (4 IoCs)
    pid   process
    2820  s.exe
    2188  ktmhelp.exe
    2676  ktmhelp.exe
    2604  ktmhelp.exe
- YARA rule upx matched (2 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/2820-0-0x0000000000400000-0x000000000047F000-memory.dmp    upx
    behavioral1/memory/2820-18-0x0000000000400000-0x000000000047F000-memory.dmp   upx
- Unexpected DNS network traffic destination (64 IoCs): Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Blocklisted process makes network request (64 IoCs)
- Drops file in System32 directory (2 IoCs)
    description                   ioc                                                                                                              process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  ktmhelp.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  dllhost.exe
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry class (2 IoCs)
    description       ioc                                                                                                             process
    Key created       \REGISTRY\MACHINE\Software\CLASSES\FAST                                                                          ktmhelp.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004500320031003600390036004200450042003300440044003300350043000000  ktmhelp.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
    pid   process
    2696  dllhost.exe
    2124  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
    pid   process
    2696  dllhost.exe
    2124  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
    description              pid   process
    Token: SeDebugPrivilege  2188  ktmhelp.exe
    Token: SeTcbPrivilege    2188  ktmhelp.exe
    Token: SeDebugPrivilege  2676  ktmhelp.exe
    Token: SeTcbPrivilege    2676  ktmhelp.exe
    Token: SeDebugPrivilege  2604  ktmhelp.exe
    Token: SeTcbPrivilege    2604  ktmhelp.exe
    Token: SeDebugPrivilege  2696  dllhost.exe
    Token: SeTcbPrivilege    2696  dllhost.exe
    Token: SeDebugPrivilege  2124  msiexec.exe
    Token: SeTcbPrivilege    2124  msiexec.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
    pid   process
    2820  s.exe
    2820  s.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\s.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\s.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
  Command line: "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 2188
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
  Command line: "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\dllhost.exe
    Command line: C:\Windows\system32\dllhost.exe 201 0
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe 209 2696
      - Blocklisted process makes network request
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL
    Filesize: 74KB
    MD5: ee1887696c8445caaaad13bdb39d5dba
    SHA1: bc09e8530d2497befaeacbf4d50022181ffc59cc
    SHA256: 2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
    SHA512: 94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db
- C:\Users\Admin\AppData\Local\Temp\OUT\update.log
    Filesize: 116KB
    MD5: 8c49d603e67e5933ff07216c80b0ed4b
    SHA1: a31aaff7adccb8563a2f798816f9b211b774bf08
    SHA256: 6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c
    SHA512: 48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4
- \Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
    Filesize: 96KB
    MD5: 0ba73a0db3913ba14be521f82c1b2c6c
    SHA1: 15920f9b5c190b70f927d18fa9d03793cb1f6332
    SHA256: 212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
    SHA512: 51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a