179b0d92f606837c090a53cf997b88d7da8f7c349d12470ef247932217d63527

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5fb97c0fa459da1a9ab16c4a144addc.exe
Size

92KB
MD5

c5fb97c0fa459da1a9ab16c4a144addc
SHA1

d2013fea538b06778f6c9435f6bb1c4e8dbdbe40
SHA256

179b0d92f606837c090a53cf997b88d7da8f7c349d12470ef247932217d63527
SHA512

8bfdc830e638f10ef5dc6f0fc4b65a0f0cf1d64c1ce97812af72a93ea61e6a1e484e00a00f160075180c393b4c810e21ad1e8f992362e32e15e325f6007c45c5
SSDEEP

1536:WKzGjpZVjvJFQZ+FPYpDGsB8z1XE4Gx63LWMgqwgmziy6s6KP5jy4yvsskKLp925:WqGjX9Jq/DsZGx63LWMBls6S5jxCJ9a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1512	B6891.exe
3044	B6891.exe
2380	5271F.exe

Loads dropped DLL 8 IoCs

pid	Process
2008	c5fb97c0fa459da1a9ab16c4a144addc.exe
2008	c5fb97c0fa459da1a9ab16c4a144addc.exe
3044	B6891.exe
3044	B6891.exe
2380	5271F.exe
2380	5271F.exe
2380	5271F.exe
2380	5271F.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\K7DYJD0D.txt	5271F.exe
File opened for modification	C:\Windows\SysWOW64\B6891.exe	c5fb97c0fa459da1a9ab16c4a144addc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\NG4DSQI7.txt	5271F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\D5NCE641.txt	5271F.exe
File opened for modification	C:\Windows\SysWOW64\5271F.exe	B6891.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\K7DYJD0D.txt	5271F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\9AEQXBK6.txt	5271F.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\9AEQXBK6.txt	5271F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\NG4DSQI7.txt	5271F.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DHG0XPAG.htm	5271F.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	B6891.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	5271F.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\D5NCE641.txt	5271F.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	5271F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadDecisionTime = 908a7fe84975da01	5271F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadDecision = "0"	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\16-f8-d9-9c-85-99	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	5271F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	5271F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	5271F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadDecisionReason = "1"	5271F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	5271F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	5271F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	5271F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}	5271F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadNetworkName = "Network 3"	5271F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99\WpadDecision = "0"	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	5271F.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99	5271F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99\WpadDecisionReason = "1"	5271F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99\WpadDecisionTime = 908a7fe84975da01	5271F.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	5271F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	5271F.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	5271F.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	5271F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	5271F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	5271F.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2008	c5fb97c0fa459da1a9ab16c4a144addc.exe
1512	B6891.exe
3044	B6891.exe
2380	5271F.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1512	2008	c5fb97c0fa459da1a9ab16c4a144addc.exe	28
PID 2008 wrote to memory of 1512	2008	c5fb97c0fa459da1a9ab16c4a144addc.exe	28
PID 2008 wrote to memory of 1512	2008	c5fb97c0fa459da1a9ab16c4a144addc.exe	28
PID 2008 wrote to memory of 1512	2008	c5fb97c0fa459da1a9ab16c4a144addc.exe	28
PID 1512 wrote to memory of 2196	1512	B6891.exe	29
PID 1512 wrote to memory of 2196	1512	B6891.exe	29
PID 1512 wrote to memory of 2196	1512	B6891.exe	29
PID 1512 wrote to memory of 2196	1512	B6891.exe	29
PID 1512 wrote to memory of 2696	1512	B6891.exe	32
PID 1512 wrote to memory of 2696	1512	B6891.exe	32
PID 1512 wrote to memory of 2696	1512	B6891.exe	32
PID 1512 wrote to memory of 2696	1512	B6891.exe	32
PID 2196 wrote to memory of 2684	2196	cmd.exe	31
PID 2196 wrote to memory of 2684	2196	cmd.exe	31
PID 2196 wrote to memory of 2684	2196	cmd.exe	31
PID 2196 wrote to memory of 2684	2196	cmd.exe	31
PID 2684 wrote to memory of 2588	2684	net.exe	34
PID 2684 wrote to memory of 2588	2684	net.exe	34
PID 2684 wrote to memory of 2588	2684	net.exe	34
PID 2684 wrote to memory of 2588	2684	net.exe	34
PID 2696 wrote to memory of 2568	2696	cmd.exe	35
PID 2696 wrote to memory of 2568	2696	cmd.exe	35
PID 2696 wrote to memory of 2568	2696	cmd.exe	35
PID 2696 wrote to memory of 2568	2696	cmd.exe	35
PID 2568 wrote to memory of 2980	2568	net.exe	37
PID 2568 wrote to memory of 2980	2568	net.exe	37
PID 2568 wrote to memory of 2980	2568	net.exe	37
PID 2568 wrote to memory of 2980	2568	net.exe	37
PID 3044 wrote to memory of 2824	3044	B6891.exe	38
PID 3044 wrote to memory of 2824	3044	B6891.exe	38
PID 3044 wrote to memory of 2824	3044	B6891.exe	38
PID 3044 wrote to memory of 2824	3044	B6891.exe	38
PID 2824 wrote to memory of 2800	2824	cmd.exe	40
PID 2824 wrote to memory of 2800	2824	cmd.exe	40
PID 2824 wrote to memory of 2800	2824	cmd.exe	40
PID 2824 wrote to memory of 2800	2824	cmd.exe	40
PID 2800 wrote to memory of 2488	2800	net.exe	41
PID 2800 wrote to memory of 2488	2800	net.exe	41
PID 2800 wrote to memory of 2488	2800	net.exe	41
PID 2800 wrote to memory of 2488	2800	net.exe	41
PID 3044 wrote to memory of 2380	3044	B6891.exe	42
PID 3044 wrote to memory of 2380	3044	B6891.exe	42
PID 3044 wrote to memory of 2380	3044	B6891.exe	42
PID 3044 wrote to memory of 2380	3044	B6891.exe	42

C:\Users\Admin\AppData\Local\Temp\c5fb97c0fa459da1a9ab16c4a144addc.exe
"C:\Users\Admin\AppData\Local\Temp\c5fb97c0fa459da1a9ab16c4a144addc.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\B6891.exe
  C:\Windows\system32\B6891.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "net start B6891"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\net.exe
      net start B6891
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start B6891
        5⤵
        
        PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "net start B6891"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\net.exe
      net start B6891
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start B6891
        5⤵
        
        PID:2980

C:\Windows\SysWOW64\B6891.exe
C:\Windows\SysWOW64\B6891.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start B6891"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\net.exe
    net start B6891
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start B6891
      4⤵
      PID:2488
- C:\Windows\SysWOW64\5271F.exe
  C:\Windows\system32\5271F.exe eee
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\5271F.exe

Filesize
96KB

MD5
50adb0eddab3b24e269499d4b173a706

SHA1
447f21baa948fed847058f85da42d4fb0529a216

SHA256
8010df7310b4bfe8425e12ee78c6595ed8d3de091f84759400700e230fd2a435

SHA512
2022ed8720a643fa444580f4b2ad0c585cf2120acf396a621fa134a0731eb8cb4ff4f4b3aa13c06363aaca251ebc6a85b2834ad9ba456ef171330fa48152ded9

Download Submit
\Windows\SysWOW64\B6891.exe

Filesize
92KB

MD5
c5fb97c0fa459da1a9ab16c4a144addc

SHA1
d2013fea538b06778f6c9435f6bb1c4e8dbdbe40

SHA256
179b0d92f606837c090a53cf997b88d7da8f7c349d12470ef247932217d63527

SHA512
8bfdc830e638f10ef5dc6f0fc4b65a0f0cf1d64c1ce97812af72a93ea61e6a1e484e00a00f160075180c393b4c810e21ad1e8f992362e32e15e325f6007c45c5

Download Submit
memory/1512-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-14-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2008-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2008-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2008-6-0x0000000000240000-0x0000000000284000-memory.dmp

Filesize
272KB

Download
memory/2008-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-22-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3044-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download