Analysis Overview
SHA256
ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6
Threat Level: Likely malicious
The file addfc1ec8a277f7692892fff20e5490e was found to be: Likely malicious.
Malicious Activity Summary
Adds policy Run key to start application
ASPack v2.12-2.42
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Deletes itself
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 06:12
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 06:12
Reported
2024-02-29 06:15
Platform
win7-20240221-en
Max time kernel
150s
Max time network
117s
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080615.dll tanlt88" | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\inf\svchostc.exe | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\inf\svchostc.exe | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\SysWOW64\inf\sppdcrs080615.scr | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\SysWOW64\inf\scsys16_080615.dll | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\tdcbdcasys32_080615.dll | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\twftadfia16_080615.dll | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File opened for modification | C:\Windows\twisys.ini | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
| File opened for modification | C:\Windows\twisys.ini | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| File created | C:\Windows\tdcbdcasys32_080615.dll | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| File opened for modification | C:\Windows\twisys.ini | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\system\sgcxcxxaspf080615.exe | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415349062" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9EBA5C01-D6C9-11EE-A30C-E60682B688C9} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | "C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe" |
| C:\Windows\SysWOW64\inf\svchostc.exe | "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080615.dll tanlt88 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat" |
| C:\Windows\system\sgcxcxxaspf080615.exe | "C:\Windows\system\sgcxcxxaspf080615.exe" i |
| C:\Program Files\Internet Explorer\IEXPLORE.EXE | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2 |
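The Policies\Explorer\Run value recorded under "Adds policy Run key" and the process list above are the two findings a responder would re-check on a live host. The Python below is an added example written for this page; it is not sandbox output and not code from the sample. It rebuilds the registry write and the process launches as constructed event records (the field names, rule names and heuristics are this example's own assumptions) and runs the checks over them. One caveat it encodes: the registry value names C:\Windows\system32\inf\svchostc.exe, but the dropped file and the running process appear under C:\Windows\SysWOW64\inf\ because the 32-bit dropper is subject to WOW64 file-system redirection, so a sweep that only looks at the literal system32 path misses the binary. The batch file launched by cmd.exe /c is in the drive root and sits next to a "Deletes itself" hit; the report does not show the batch contents, so the rule only flags the pattern.

```python
"""Added example for this page (not sandbox output, not code from the sample):
re-derive the Policies\\Explorer\\Run persistence finding and the suspicious
process launches from constructed event records, with rules that could run
unchanged over Sysmon/EDR exports. Field and rule names are assumptions."""
import re
from typing import Dict, List, Tuple

POLICY_RUN = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Policies\Explorer\run")

# Constructed records mirroring the report's behavioral1 entries.
REG_EVENTS = [
    {"op": "Set value (str)", "path": POLICY_RUN + r"\nyuserinit",
     "data": r"C:\Windows\system32\inf\svchostc.exe C:\Windows\twftadfia16_080615.dll tanlt88",
     "process": r"C:\Windows\system\sgcxcxxaspf080615.exe"},
    {"op": "Set value (str)",
     "path": r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen",
     "data": "no", "process": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"},
]
PROC_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"'},
    {"image": r"C:\Windows\SysWOW64\inf\svchostc.exe",
     "cmdline": r'"C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080615.dll tanlt88'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"'},
    {"image": r"C:\Windows\system\sgcxcxxaspf080615.exe",
     "cmdline": r'"C:\Windows\system\sgcxcxxaspf080615.exe" i'},
    {"image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE"'},
]

# A value written directly under an autostart key: Run, RunOnce, or the
# Policies\Explorer\Run variant used here, which Explorer honours like Run.
AUTORUN_VALUE = re.compile(
    r"\\CurrentVersion\\(?:Policies\\Explorer\\Run|RunOnce|Run)\\[^\\]+$", re.I)
WINDIR = "c:\\windows\\"
SYSTEM_DIRS = (WINDIR + "system32\\", WINDIR + "syswow64\\")
INF_DIRS = tuple(d + "inf\\" for d in SYSTEM_DIRS)


def split_windows_cmdline(cmdline: str) -> Tuple[str, List[str]]:
    """Split a Windows command line into (image, args): the image is the
    quoted prefix or the text up to the first space, the rest is split on
    whitespace with double-quoted arguments kept whole."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        image, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        image, _, rest = cmdline.partition(" ")
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]
    return image, args


def on_disk_candidates(image: str) -> List[str]:
    """A 32-bit process on 64-bit Windows has C:\\Windows\\System32 redirected
    to C:\\Windows\\SysWOW64, so a registry value naming system32 may point
    at a file that only exists under SysWOW64. Return both spellings."""
    low, marker = image.lower(), "\\windows\\system32\\"
    cands = [image]
    if marker in low:
        i = low.index(marker)
        cands.append(image[:i] + "\\Windows\\SysWOW64\\" + image[i + len(marker):])
    return cands


def run_key_findings(events: List[Dict]) -> List[Dict]:
    """Extract every value set under an autostart key, parsed into the
    program it launches, its arguments, and the paths to check on disk."""
    out = []
    for ev in events:
        if not ev["op"].startswith("Set value") or not AUTORUN_VALUE.search(ev["path"]):
            continue
        image, args = split_windows_cmdline(ev["data"])
        out.append({"value": ev["path"].rsplit("\\", 1)[1], "image": image,
                    "args": args, "on_disk": on_disk_candidates(image),
                    "writer": ev["process"]})
    return out


def process_chain_findings(events: List[Dict]) -> List[Tuple[str, str]]:
    """Heuristics over process-creation records; each hit is (rule, subject)."""
    out = []
    for ev in events:
        claimed, args = split_windows_cmdline(ev["cmdline"])
        low = ev["image"].lower()
        name = low.rsplit("\\", 1)[1]
        parent = low[: -len(name)]
        if parent in INF_DIRS:  # the INF directory holds .inf text, not executables
            out.append(("exe_in_inf_dir", ev["image"]))
        if name.startswith("svchost") and not (name == "svchost.exe" and parent in SYSTEM_DIRS):
            out.append(("svchost_lookalike", ev["image"]))
        if parent == WINDIR + "system\\":  # C:\Windows\system, not System32
            out.append(("exe_in_windows_system_dir", ev["image"]))
        if (name == "cmd.exe" and len(args) >= 2 and args[0].lower() == "/c"
                and re.fullmatch(r"[a-z]:\\[^\\]+\.bat", args[1].lower())):
            out.append(("cmd_runs_root_batch", args[1]))
        if claimed.lower() != low:  # here: WOW64 redirection of system32 -> SysWOW64
            out.append(("cmdline_path_differs_from_image", f"{claimed} -> {ev['image']}"))
    return out


if __name__ == "__main__":
    for f in run_key_findings(REG_EVENTS):
        print("autorun:", f)
    for rule, subject in process_chain_findings(PROC_EVENTS):
        print(f"{rule:32} {subject}")
```

The cmdline_path_differs_from_image rule also fires for the cmd.exe launch, which is expected whenever a 32-bit process starts a system binary; treat it as the context that explains the system32/SysWOW64 mismatch rather than as a verdict on its own.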
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Windows\twisys.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Windows\SysWOW64\inf\svchostc.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\twftadfia16_080615.dll
| MD5 | 4b0a833136e7db417c3553674fae561e |
| SHA1 | 8cec9a200575227bbc45566b7f16d688e2dcedda |
| SHA256 | 7502fe8ead3a2d449643981fc9aa06370675ea4c3348161f1926c6bdf0a563cc |
| SHA512 | b945ce854f58857d6d7f2624a6f98aa5fa3e6188e9f3baafa91ee920fb0818e486a9e521179f15500370a8b18ea07ab7ad33683165af154d3a962090cf16dcb6 |
memory/2196-46-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Windows\twisys.ini
| MD5 | 0fb7f4692482afc5f6f3ccbf08f62948 |
| SHA1 | a534f4dee03ce489c32bb2515d2324a03c0ef24a |
| SHA256 | 6190340f935e87c36666da60370fdddac8ecefc482494ccd5aa56803a51a20d0 |
| SHA512 | f6f090fc7a1848bd4ca4553ef3751b478b4f95d171bd48d55e6668c1381f37e4fe4cee88e26141a9687a3a086aa21d558a658330a1438ac4aef14bc3393c18b0 |
\??\c:\mylstecj.bat
| MD5 | da1246d60fb14fd94892aed08d4efdea |
| SHA1 | 9cbb3efeb757112bea4538923727eb6aac9d852e |
| SHA256 | 676b0f775d503b049bddbdc12898718483b6a4dfc692fc4c3d9fc07fdd0be234 |
| SHA512 | 0d6ecbc5ed71133ba1ea3b83fdcd29162d6972edc3524bcc47c233c394f24c6b1c09a7b3cbb00cda10ce9497610ecfcb5b8714f0eb8a7750e953b084e623cdc9 |
C:\Windows\system\sgcxcxxaspf080615.exe
| MD5 | addfc1ec8a277f7692892fff20e5490e |
| SHA1 | 583c8d6eced0c465c2dd2a9afb47739a4d163c03 |
| SHA256 | ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6 |
| SHA512 | 1c93eeb62b428bf5c4aac5a91de7819565775a107d82e07be84dbefda8a4643b9aedbebb76f13e133d1fb23d29326ca86671f6dcbbd8dd04add5eb895f7f762a |
C:\Windows\twisys.ini
| MD5 | cc72aef041857e3e9ff2f15086e2ae99 |
| SHA1 | 3afb52c396174e2604c78c8c807a246c8619f1e4 |
| SHA256 | 418c868147c2f2aa1c9b988ef8f489ab312229be4bc346ce88e0823fbfb9f101 |
| SHA512 | 4dbe7201d2021dd0e08d8f3d6bb56a94cd1e213606eb8f629ba7ea73c74928c2f1bcf77107bf732ded22067663cce3d0d2089ebd5e6048472643aa22d8b05b37 |
C:\Windows\twisys.ini
| MD5 | e9f1507c7900c1ae4af3a2186f145c9f |
| SHA1 | 00ffa170d8972a2fa2d756308b73b9ccbac5adb2 |
| SHA256 | de39ea4dd4d0502427dfb422cf63ffb06eaa984cb87605210c5b9ea221169246 |
| SHA512 | ac7755bfb33375b1f85bb1687f26d61ab0b2b8ed0981c3ddfddef59a421cd5904e054e5fd5d321bc7b370661bc56a07efd9391b42925dd172c857c37bbacf186 |
memory/2480-66-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Windows\tdcbdcasys32_080615.dll
| MD5 | 9ffcad679063d56de00784483f203367 |
| SHA1 | ae617a526451e6e286ba393d49bde048f43ec4c6 |
| SHA256 | ecc842b207eb390c9b17215975f409719ca323064783c8646f1e15a01ea7e939 |
| SHA512 | 7ba6f805fbbbbd78fe2ddf3c47ea0b284a9d5046690c1ebdb498b594c5345b77b0fce84c1e3848ed707299f7a7a788fb21bd6702ea3461e9db9f54d7bb767b7f |
C:\Windows\twisys.ini
| MD5 | cf5a25fcbd841f46d05bf61739112940 |
| SHA1 | 4a6cee80fc764aa0ddb582dc769769600c1103a2 |
| SHA256 | 38831f11afb10e5f9f4deca22b71857eaa957560754513efc56037cc2e4f5557 |
| SHA512 | 3ec2655904c162c2004f62aa5124140460aac999d21b4fae448b8a3fe59cc3d562e70603484508659408137a99302e993e6dae5e3319459d2a738cf24ebad72d |
C:\Users\Admin\AppData\Local\Temp\Cab8FD2.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Windows\twisys.ini
| MD5 | 47f61b2803f63d625c8c3f10fdcc0219 |
| SHA1 | e24a8207d60017abe7c6196606205b90639b43e5 |
| SHA256 | 14a2d6ed4012615f0b846caff6ce04c276b69c1967cbb95dbd5753edfe9db9c1 |
| SHA512 | 9897ec3b260ea54b83c70ac61ba503e8124a480c94dc643f78e48e75b94d13f8f8082f3d66445a08614891d510aaa77b6d5696baa196c12dbf0bebbae55e1d9b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar9123.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 628a7786e90d47c819dd8dd4c6c7e6da |
| SHA1 | 64c28f5a487d5181276ca71d6a8ad5f716d56a31 |
| SHA256 | 6b7c819361f156a6dda60eff4daf45206c57063691f747cb67dfe2c0ccfecf18 |
| SHA512 | f8d11063ce2f06746cbe122ff573a65b9f474040d17f430903ec837b3e74de81ebb4176ba313bd6e1555703ce89ed5d57c8194278c94718566568328381ce9a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0b357d2cbc285e8750b9152bbb8ac2f4 |
| SHA1 | 9c95f8c6611fe01c59990db4c8934d58d36b9fbf |
| SHA256 | d74b61a59408b8f351802e68dc4fc7f1f91b416585d3bfa4d970c797f20f9d5c |
| SHA512 | dfe1c0a191145d9f661556217a76aa8299e7b132152cd574f38690d275571a46ef3c391981fe9f2095780bf6b4a1ce4fe4a3ab04802744255003d1bf7af97005 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f0373472fbb0207348c6c1700f6f9ddc |
| SHA1 | 50f19658cc948ac62e567dbc5af93e7c6bcab8c1 |
| SHA256 | 285a22bc589ca6e4a31fd5880b334ed63c47bac076a315331efdf18858b8c311 |
| SHA512 | bc160e7d723ddc964a23de7df47dd0660d31be9afe358c31a31d6c529bec059d2d9cd9e40e3bf4201830b1c7ed1b2e40c58413eda338a9ece9aa15f322dd3423 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 87bf4257033b240387d9ca64f39d1821 |
| SHA1 | ec984058a21ac3e8a81047b50e497a7f18629b93 |
| SHA256 | ab1ece41fad68314278b800ec182692e0f98253a2dd5b8897119f9a94a1f6f08 |
| SHA512 | b993bc7d79aa2e7ce23ef0ea1d576ef3402122e1a2c660cb972db9b1a95f0851f65de1988ba069643e4b2aa42fd2c88a209bb56c4d2f63ec8d4f72f5fc407a24 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c07ffcbee2b6443019bade4c5b8ace4 |
| SHA1 | b4aa619b378069590a050c9163e88ab69ebcdc92 |
| SHA256 | 86befed9b2aaaa1a1ba6c1d7a80fab5f1a50a041cff3b162521945c4c234f20a |
| SHA512 | e26a3b6e4e77c90c24e9f5f18a3897f7f0a46bed829f8ccc8e71b81194baa12649f279f6d32ba3d11deb9814616972562158266f9277414d8885cda3082f29d0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f98d6310028e85a53fff30419ce0c504 |
| SHA1 | e9a1973dd5d0cd3841f037e43f643f1b9721ce7e |
| SHA256 | b2b9f53178401ad184e82c7f6ea33f06bddac207c2f95619a523666b7d9b41e8 |
| SHA512 | eec066148b358b96f227c29d06b3d216fe12489618f8a3a677b749c18d17cb7b763570ac914236cb41b97fae4456a06a94f8e723b82ae06c9efab260c15b4879 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ace43d1377de0989b8ad5ed0edeb028b |
| SHA1 | da1f160648aac8644027a00bbc87f799ea1e4b35 |
| SHA256 | 00ce87424d6c1266f7313a3db18b3bd5208b49408e30f18b4671436ad8f4031f |
| SHA512 | 29bb7dc0b5e448447a3a8b32aa1440646731dbbd3a3c312624aae63380006f0789e1f9fccc564d4b9613680441e1433ac37ef33d531c55f6f2c2ae36109da3b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5fc74b9edcea02d70cbb6dbc883a8dc |
| SHA1 | 4fc3dbeeff26df72df52e76ade95733cb4100d04 |
| SHA256 | f835d0ee18c6fe6f9eb1746a5902b5015371c6a1c406280011e1e01effb2038d |
| SHA512 | c4262acfea015f8be4eed11260086f56648b089f4a09be4199ff07c9eea2230cb5da4afd83a546031d6792d4144eaac344db19b7f9dfb5018f5f5f19553be930 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0fba7b52b713c091738a537d6a5d0574 |
| SHA1 | 24c77d7d0012af8ff17a4603b5f115f75cea38c1 |
| SHA256 | 09a98feba2d14848e42f13d56fb0b632faeb75e5dc58934a87e2244c119e2b34 |
| SHA512 | 2bd04556224f69f1a82097a7a92dcae57317227b985cd275e71c0cf05cbfe1cf80e101993216bf889166dce372b12ada18ec4dd59678e4b0fd7507efa57bc6cf |
memory/2480-402-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2480-433-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b6ba016065133a82f23d4bea7e2ac205 |
| SHA1 | ae965da97a34ced9ce52a102e97f1013a93aaa50 |
| SHA256 | f9e53967ea20b3e7648c83543a539d0f43b99c1ded1cc393256c4bc731fede0c |
| SHA512 | 8be615f3a0ac4cc31a10fef6d11234b86b40532896cd011e80670c2ea3370a3e838e56f02e7583fa0da1a13af9bc6fa1b7268ba00aac00207aa48215141d6af9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6042098e429130281af2907ef5cf2070 |
| SHA1 | 0383ed916c09034640c5a9e42db0f4bd5ed91997 |
| SHA256 | 2b9bc6fd4454981afb5802a42c58277cc95f0a51a055db231c7784efa053a213 |
| SHA512 | d114a226d265c1933f5b6dcbd17599aea0116f405c14362818e126bf15ff975dddad90cb81603045500804dbadf3f324487d416c3bff6c82d6f6a13a4c04ff59 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb2510166bbc7634b858376dd8e337a8 |
| SHA1 | 68fdc7ebbad2632dc4398d1e7720f322045d07df |
| SHA256 | ca5b0121039a907a8fb5ba8e7f4b3cbb60ab959409ef5d2894a2201dd4c696b2 |
| SHA512 | 04099c641be094092c66e99f641b8fcb67509956866230c3951b94fbc191855ca333f8738f5833ee37d5768e6cac9b408621a41b4e5e997341368eb2d690c925 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 24cb1252158f87216e7e6d5c0b413ffc |
| SHA1 | fc706b790f81ff018a220ce027f28fd6c0da0d7e |
| SHA256 | a30b4bad7a1a6d49bf67ce751862ab12a6fca5f2a0f76de597ee24ca67865c7c |
| SHA512 | 05f8b4fba81e95eb948367d17e901b6f201e3dd0ed4b11e2770607de62e4e9572ddea542187cd2633efd25dcc628541d25c81ff205fa3cd2bca0613908fedfa9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f6c30ff2aae62e2b5eb167a577b4fdd |
| SHA1 | 8f8016b4d0c1dc63882b94e36b2eb6805e35c820 |
| SHA256 | 1eb023b855dfa0c919536fdd74623e915b3f24250f1e656910e425288ea9f2f9 |
| SHA512 | 5db06dc4c4200414c82cc92f39c4aedb6b08c8bc85df711f757828fd3a255f8fdeb360767dbfa195449d362c11787778eea717d9ea451697fec24f370ae43b88 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f69a82719025a0371bfe78430fcab4f |
| SHA1 | 1306f005d7ee434918d0f1da82c72b38ebd7fea8 |
| SHA256 | c7eca67cf87a740a7728ea2d27da7f1ae3cacc599901134c3fe469790cc6a41f |
| SHA512 | 3dd030076c32a1bf936ba933a54270de1510ff6e309a86a8b3f7c37bb7fb7cea43ed816a85dae5eb49b480aa96d5042306ec4e55f2b1d4759e6801000d53964b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a3e3d0d9ce8121ee29d4e003e695abd2 |
| SHA1 | aef07038b1bc10ed9eaf1cceec5bbf98b670da30 |
| SHA256 | c55208c47def808d2f24d2c6cc8bf17da01a714fe87ac10e8e5e5427bf3a8a33 |
| SHA512 | 5b5a36b7714a677df1356ab589b4776a6a3398c03de7c75472b2b9b32fb50df3efe057104aedfa09fd44422a6480cf53f9a6fcae22d496d991b83d2404697eae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a68b92a0f6725bf98a82f7a00579cebf |
| SHA1 | 04bdf341c7202334d47171a8e333bf2d11afa45c |
| SHA256 | 9a043837857b1085c3a13fae0acbb04cff93c5eb0178d5f0a427c5c85f2d4997 |
| SHA512 | 6a846a164dca546f5324293bfc644e9155e9154c28e404e4d93d8854986323382692a4bb90ecf0196629251017fe48737a5a2f854df95acf3c434015a6f6bf12 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 614982c3367914b6fbea439c789eaabe |
| SHA1 | f03b5f25c7641cf9dbbe28ad7c5d7ac3fcdc123e |
| SHA256 | 9a617d4cb3510bf879b73894c5cbb8ca7c01451ada405b7ac20058503f533b57 |
| SHA512 | 87e5ffa7151204dd9c9b52b3ce04318573e28383bca0f8742e7915c46defd48246ae244dbce858c14af5b9c61893af805c64f30876befa3568168becac20aa9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e07981af016fe43f3eaac007e73a97e |
| SHA1 | 837ad615b4e34d26f6a6f7e8382209d96737b626 |
| SHA256 | 2be582b78d7c28661bc23ae44a267a617329fdff8af127471850831334f4179d |
| SHA512 | 7d2dd3b8823d204d6d423cbbde4f1df837d6bb5947f7675a751a3c8e4af45a29b14b5df8c517ba52c617da4c796650913f47f8daabc35aabfb3e5c58ad9544ad |
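Reading the Files list: C:\Windows\twisys.ini appears several times because the sandbox hashes each version it captures, and the first capture (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...) is the zero-byte file; C:\Windows\system\sgcxcxxaspf080615.exe carries the submitted sample's own MD5/SHA256, so it is a straight copy of the dropper; the CryptnetUrlCache entries are CryptoAPI's certificate and CRL cache written while IEXPLORE.EXE ran and, like the api.bing.com and ieonline.microsoft.com rows in the Network table, are Internet Explorer background activity rather than anything the report attributes to the dropped binaries; and the memory/... lines are process memory dumps with no file hash. The Python below is an added example, not part of the report: a parser for this section's layout, applied to a constructed excerpt of it, that tags each record and returns the SHA256 values worth putting on a blocklist. The tag names are this example's own.

```python
"""Added example for this page (not part of the sandbox report): parse the
report's Files section, tag each record, and select blocklist-worthy hashes."""
import hashlib
from typing import Dict, List

SAMPLE_MD5 = "addfc1ec8a277f7692892fff20e5490e"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # hash of a zero-byte file

# Constructed excerpt in the report's own layout (values copied from the page).
FILES_EXCERPT = r"""C:\Windows\twisys.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
\Windows\SysWOW64\inf\svchostc.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
memory/2196-46-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Windows\system\sgcxcxxaspf080615.exe
| MD5 | addfc1ec8a277f7692892fff20e5490e |
| SHA1 | 583c8d6eced0c465c2dd2a9afb47739a4d163c03 |
| SHA256 | ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 628a7786e90d47c819dd8dd4c6c7e6da |
| SHA1 | 64c28f5a487d5181276ca71d6a8ad5f716d56a31 |
| SHA256 | 6b7c819361f156a6dda60eff4daf45206c57063691f747cb67dfe2c0ccfecf18 |
"""


def parse_files_section(text: str) -> List[Dict]:
    """A non-table line starts a record (file path or memory dump name);
    the '| ALGO | hex |' rows that follow attach hashes to it."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current["hashes"][cells[0].lower()] = cells[1].lower()
            continue
        kind = "memory" if line.startswith("memory/") else "file"
        current = {"path": line, "kind": kind, "hashes": {}}
        records.append(current)
    return records


def classify(records: List[Dict], sample_md5: str = SAMPLE_MD5) -> Dict[str, List[str]]:
    """Tag each record: memory dump, empty file, copy of the submitted sample,
    CryptoAPI cache noise, or an otherwise interesting dropped artifact."""
    tags = {}
    for r in records:
        t, h = [], r["hashes"]
        if r["kind"] == "memory":
            t.append("memory_dump")
        elif h.get("sha256") == EMPTY_SHA256:
            t.append("empty_file")
        if h.get("md5") == sample_md5:
            t.append("copy_of_sample")
        if "\\cryptneturlcache\\" in r["path"].lower():
            t.append("cryptoapi_cache_noise")
        if not t:
            t.append("dropped_artifact")
        tags[r["path"]] = t
    return tags


def ioc_hashes(records: List[Dict]) -> List[str]:
    """SHA256 values of dropped artifacts and sample copies; empty files,
    memory dumps and CryptoAPI cache entries are excluded."""
    tags, keep = classify(records), {"dropped_artifact", "copy_of_sample"}
    return sorted({r["hashes"]["sha256"] for r in records
                   if keep & set(tags[r["path"]]) and "sha256" in r["hashes"]})


if __name__ == "__main__":
    recs = parse_files_section(FILES_EXCERPT)
    for path, t in classify(recs).items():
        print(f"{', '.join(t):24} {path}")
    print("blocklist:", ioc_hashes(recs))
```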
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 06:12
Reported
2024-02-29 06:15
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
149s
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\nyuserinit = "C:\\Windows\\system32\\inf\\svchostc.exe C:\\Windows\\twftadfia16_080615.dll tanlt88" | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
| N/A | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\inf\svchostc.exe | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\inf\svchostc.exe | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\SysWOW64\inf\sppdcrs080615.scr | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\SysWOW64\inf\scsys16_080615.dll | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\twisys.ini | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\system\sgcxcxxaspf080615.exe | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\tdcbdcasys32_080615.dll | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File created | C:\Windows\twftadfia16_080615.dll | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| File opened for modification | C:\Windows\twisys.ini | C:\Windows\SysWOW64\inf\svchostc.exe | N/A |
| File opened for modification | C:\Windows\twisys.ini | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| File created | C:\Windows\tdcbdcasys32_080615.dll | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A4348B60-D6C9-11EE-9216-EA08C850D01B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2022689320" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415952177" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31091414" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31091414" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31091414" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2025345639" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2022689320" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system\sgcxcxxaspf080615.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe
"C:\Users\Admin\AppData\Local\Temp\addfc1ec8a277f7692892fff20e5490e.exe"
C:\Windows\SysWOW64\inf\svchostc.exe
"C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080615.dll tanlt88
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "c:\mylstecj.bat"
C:\Windows\system\sgcxcxxaspf080615.exe
"C:\Windows\system\sgcxcxxaspf080615.exe" i
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | | udp |
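Every row in the Network table is either a reverse-DNS (`in-addr.arpa`) lookup or Bing/Microsoft traffic from the Internet Explorer instances the sample spawned; the same goes for the IEXPLORE.EXE registry writes under `Internet Explorer\VersionManager`, `DomainSuggestion` and `Recovery` listed above, which are the browser's own housekeeping. No command-and-control destination is visible in this detonation, which is a statement about this short run, not proof that the sample has none. The added example below (not part of the report) parses the table as printed, separates that noise from anything that would deserve a second look, and turns the PTR queries back into the IPv4 addresses the host contacted, so they can be correlated with the TCP destinations. The benign-suffix list is an assumption; the table text is a constructed copy of the rows above, including the last row that lacks a Domain cell.

```python
"""Classify a sandbox report's Network rows into noise vs. candidate C2 (added example)."""

# Constructed copy of the page's Network table (last row has no Domain cell).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | udp |
"""

# Assumed allow-list of domains a freshly launched Internet Explorer talks to.
BENIGN_SUFFIXES = ("bing.com", "microsoft.com")
COLUMNS = ("country", "dest", "domain", "proto")


def parse_rows(table):
    """Parse pipe-delimited rows; pad a missing Domain cell instead of dropping the row."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells or cells[0] == "Country":
            continue
        if len(cells) == 3 and cells[2] in ("udp", "tcp"):
            cells = cells[:2] + [""] + cells[2:]
        if len(cells) == 4:
            rows.append(dict(zip(COLUMNS, cells)))
    return rows


def ptr_to_ip(domain):
    """'23.159.190.20.in-addr.arpa' -> '20.190.159.23'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(rows):
    """Bucket rows; 'suspicious' is whatever the allow-list cannot explain."""
    out = {"ptr_lookups": [], "benign": [], "resolver_only": [],
           "suspicious": [], "ptr_matching_tcp": set()}
    tcp_ips = set()
    for r in rows:
        d = r["domain"].lower()
        if r["proto"] == "tcp":
            tcp_ips.add(r["dest"].rsplit(":", 1)[0])
        ip = ptr_to_ip(d)
        if ip:
            out["ptr_lookups"].append(ip)
        elif d and (d in BENIGN_SUFFIXES or
                    d.endswith(tuple("." + s for s in BENIGN_SUFFIXES))):
            out["benign"].append((d, r["dest"], r["proto"]))
        elif not d and r["dest"].endswith(":53"):
            out["resolver_only"].append(r["dest"])   # DNS with no name recorded
        else:
            out["suspicious"].append((d, r["dest"], r["proto"]))
    # PTR queries reveal peers even when the TCP flow itself was not logged.
    out["ptr_matching_tcp"] = set(out["ptr_lookups"]) & tcp_ips
    return out


if __name__ == "__main__":
    result = classify(parse_rows(NETWORK_TABLE))
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
```

The ten PTR lookups decode to addresses in Microsoft ranges that IE and Windows contact on startup; one of them (204.79.197.200) is also the TCP destination for g.bing.com and ieonline.microsoft.com. The `suspicious` bucket is empty for this report.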
Files
C:\Windows\twisys.ini
| MD5 | 033bcec777267cf4358ac0da4cac6dc9 |
| SHA1 | b8127384122b57e301988bf059fac49d86f83c14 |
| SHA256 | 78313879e727cfc88bbc95ae05af2893e7699a29c14fb3ca421c72c3b0b357a7 |
| SHA512 | 12fb21c483a752606fd51ce44fbdf1ca2cbfe9694ffc466ab89fcc7f71fcfe6832ab958148d12f7fe66cd043893b32d72544628ba577704a7fbd916fe0f3c768 |
C:\Windows\SysWOW64\inf\svchostc.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
memory/1748-52-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Windows\twftadfia16_080615.dll
| MD5 | 4b0a833136e7db417c3553674fae561e |
| SHA1 | 8cec9a200575227bbc45566b7f16d688e2dcedda |
| SHA256 | 7502fe8ead3a2d449643981fc9aa06370675ea4c3348161f1926c6bdf0a563cc |
| SHA512 | b945ce854f58857d6d7f2624a6f98aa5fa3e6188e9f3baafa91ee920fb0818e486a9e521179f15500370a8b18ea07ab7ad33683165af154d3a962090cf16dcb6 |
C:\Windows\twisys.ini
| MD5 | 0fb7f4692482afc5f6f3ccbf08f62948 |
| SHA1 | a534f4dee03ce489c32bb2515d2324a03c0ef24a |
| SHA256 | 6190340f935e87c36666da60370fdddac8ecefc482494ccd5aa56803a51a20d0 |
| SHA512 | f6f090fc7a1848bd4ca4553ef3751b478b4f95d171bd48d55e6668c1381f37e4fe4cee88e26141a9687a3a086aa21d558a658330a1438ac4aef14bc3393c18b0 |
C:\Windows\system\sgcxcxxaspf080615.exe
| MD5 | addfc1ec8a277f7692892fff20e5490e |
| SHA1 | 583c8d6eced0c465c2dd2a9afb47739a4d163c03 |
| SHA256 | ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6 |
| SHA512 | 1c93eeb62b428bf5c4aac5a91de7819565775a107d82e07be84dbefda8a4643b9aedbebb76f13e133d1fb23d29326ca86671f6dcbbd8dd04add5eb895f7f762a |
\??\c:\mylstecj.bat
| MD5 | da1246d60fb14fd94892aed08d4efdea |
| SHA1 | 9cbb3efeb757112bea4538923727eb6aac9d852e |
| SHA256 | 676b0f775d503b049bddbdc12898718483b6a4dfc692fc4c3d9fc07fdd0be234 |
| SHA512 | 0d6ecbc5ed71133ba1ea3b83fdcd29162d6972edc3524bcc47c233c394f24c6b1c09a7b3cbb00cda10ce9497610ecfcb5b8714f0eb8a7750e953b084e623cdc9 |
C:\Windows\twisys.ini
| MD5 | cc72aef041857e3e9ff2f15086e2ae99 |
| SHA1 | 3afb52c396174e2604c78c8c807a246c8619f1e4 |
| SHA256 | 418c868147c2f2aa1c9b988ef8f489ab312229be4bc346ce88e0823fbfb9f101 |
| SHA512 | 4dbe7201d2021dd0e08d8f3d6bb56a94cd1e213606eb8f629ba7ea73c74928c2f1bcf77107bf732ded22067663cce3d0d2089ebd5e6048472643aa22d8b05b37 |
memory/2948-65-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Windows\twisys.ini
| MD5 | 87c70147b275110dff5c42d2db300398 |
| SHA1 | 25a35b0297783b2f3b46998072d1e3deeb9f8aa0 |
| SHA256 | f98de0d242dfb3a3c393be55c74c7f1c0e4f7f5fd9da16e5ad56079b596f99dc |
| SHA512 | 1d77f90a865bec01b56e9afeccfc006b4896d1963a6468a6b6285f180870da0acb9594eb6822f4fb533bd107a2d59eb03325adee047a86778e3ccf0d2e459ddc |
C:\Windows\twisys.ini
| MD5 | e9f1507c7900c1ae4af3a2186f145c9f |
| SHA1 | 00ffa170d8972a2fa2d756308b73b9ccbac5adb2 |
| SHA256 | de39ea4dd4d0502427dfb422cf63ffb06eaa984cb87605210c5b9ea221169246 |
| SHA512 | ac7755bfb33375b1f85bb1687f26d61ab0b2b8ed0981c3ddfddef59a421cd5904e054e5fd5d321bc7b370661bc56a07efd9391b42925dd172c857c37bbacf186 |
memory/3924-73-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2948-74-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Windows\tdcbdcasys32_080615.dll
| MD5 | 9ffcad679063d56de00784483f203367 |
| SHA1 | ae617a526451e6e286ba393d49bde048f43ec4c6 |
| SHA256 | ecc842b207eb390c9b17215975f409719ca323064783c8646f1e15a01ea7e939 |
| SHA512 | 7ba6f805fbbbbd78fe2ddf3c47ea0b284a9d5046690c1ebdb498b594c5345b77b0fce84c1e3848ed707299f7a7a788fb21bd6702ea3461e9db9f54d7bb767b7f |
C:\Windows\twisys.ini
| MD5 | cf5a25fcbd841f46d05bf61739112940 |
| SHA1 | 4a6cee80fc764aa0ddb582dc769769600c1103a2 |
| SHA256 | 38831f11afb10e5f9f4deca22b71857eaa957560754513efc56037cc2e4f5557 |
| SHA512 | 3ec2655904c162c2004f62aa5124140460aac999d21b4fae448b8a3fe59cc3d562e70603484508659408137a99302e993e6dae5e3319459d2a738cf24ebad72d |
memory/3924-82-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Windows\twisys.ini
| MD5 | c6a0598d2f107431eff2e13f692a9dff |
| SHA1 | 2a238988a95f6d2af9e578694e7f6e9ff483f2e8 |
| SHA256 | b86a02746049603c2e2f4931fc184dc906ba30039e4dfcd62f88854156a87bd4 |
| SHA512 | 4a4f02c1047f83b1f54b128bde5ef00b3e53f6c277a094f75a3dcb94ca8f6b452efd0213179e937d3855de1bcbe108433407a54322fa279f1c67d415b02f0c60 |
memory/3924-88-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2948-89-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
memory/2948-109-0x0000000000400000-0x000000000040E000-memory.dmp
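Two things in the Files section are easy to miss when reading the hash tables one by one: `C:\Windows\twisys.ini` appears seven times with seven different hash sets, meaning the sample keeps rewriting that file during the run (a state or log file rather than a static drop, so its hashes are poor indicators), and the hashes of `C:\Windows\system\sgcxcxxaspf080615.exe` are identical to those of the submitted sample, whose MD5 is the file name seen in the Processes section. The added example below (not code from the report) parses the section in the format the page uses, validates hash lengths, detects self-copies given the sample's MD5, and separates stable indicators from repeatedly rewritten paths. The text is a constructed excerpt of the entries above (three of the `twisys.ini` versions, with SHA1/SHA512 rows omitted for some files), not the complete section.

```python
"""Parse the Files section of a sandbox report into usable indicators (added example)."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed excerpt of the page's Files section.
FILES_SECTION = r"""
C:\Windows\twisys.ini
| MD5 | 033bcec777267cf4358ac0da4cac6dc9 |
| SHA1 | b8127384122b57e301988bf059fac49d86f83c14 |
| SHA256 | 78313879e727cfc88bbc95ae05af2893e7699a29c14fb3ca421c72c3b0b357a7 |
C:\Windows\SysWOW64\inf\svchostc.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
memory/1748-52-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Windows\twftadfia16_080615.dll
| MD5 | 4b0a833136e7db417c3553674fae561e |
| SHA256 | 7502fe8ead3a2d449643981fc9aa06370675ea4c3348161f1926c6bdf0a563cc |
C:\Windows\twisys.ini
| MD5 | 0fb7f4692482afc5f6f3ccbf08f62948 |
| SHA256 | 6190340f935e87c36666da60370fdddac8ecefc482494ccd5aa56803a51a20d0 |
C:\Windows\system\sgcxcxxaspf080615.exe
| MD5 | addfc1ec8a277f7692892fff20e5490e |
| SHA256 | ad2983c9d385ee2e332d76e417818e7c86a74c753255541631290e917e1e4db6 |
\??\c:\mylstecj.bat
| MD5 | da1246d60fb14fd94892aed08d4efdea |
| SHA256 | 676b0f775d503b049bddbdc12898718483b6a4dfc692fc4c3d9fc07fdd0be234 |
C:\Windows\twisys.ini
| MD5 | cc72aef041857e3e9ff2f15086e2ae99 |
| SHA256 | 418c868147c2f2aa1c9b988ef8f489ab312229be4bc346ce88e0823fbfb9f101 |
"""

SAMPLE_MD5 = "addfc1ec8a277f7692892fff20e5490e"   # from the submitted file name


def normalize_path(path):
    """Strip the NT object-manager prefix the report uses for some paths."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_files(text):
    """Return records {path, kind, hashes}; memory dumps carry no hashes here."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current["hashes"][cells[0].upper()] = cells[1].lower()
        elif line.startswith("memory/"):
            current = None
            records.append({"path": line, "kind": "memory", "hashes": {}})
        else:
            current = {"path": normalize_path(line), "kind": "file", "hashes": {}}
            records.append(current)
    return records


def invalid_hashes(record):
    """Names of hash fields whose value has the wrong length or is not hex."""
    return [algo for algo, value in record["hashes"].items()
            if HASH_LEN.get(algo) != len(value) or not HEX_RE.match(value)]


def summarize(records, sample_md5):
    """Self-copies of the sample, rewritten paths, malformed rows and stable SHA256 IOCs."""
    by_path = defaultdict(set)
    summary = {"self_copies": [], "rewritten": {}, "invalid": {}, "sha256_iocs": set()}
    for rec in records:
        if rec["kind"] != "file":
            continue
        bad = invalid_hashes(rec)
        if bad:
            summary["invalid"][rec["path"]] = bad
        if rec["hashes"].get("MD5") == sample_md5.lower():
            summary["self_copies"].append(rec["path"])
        sha = rec["hashes"].get("SHA256")
        if sha:
            by_path[rec["path"]].add(sha)
    for path, shas in by_path.items():
        if len(shas) > 1:
            summary["rewritten"][path] = len(shas)   # volatile: not a good IOC
        else:
            summary["sha256_iocs"].update(shas)
    return summary


if __name__ == "__main__":
    print(summarize(parse_files(FILES_SECTION), SAMPLE_MD5))
```

With the full section the `rewritten` count for `twisys.ini` is seven; the stable SHA256 indicators are the dropped EXE, the DLL, the batch file and the self-copy (whose hash is simply the sample's own).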