dd553e2f43b96763bb55b99960df399fb7f44cb02fd7d1eb82b89bc91632423e

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca7e819ec3588ec3855873a92eb10528.exe
Size

468KB
MD5

ca7e819ec3588ec3855873a92eb10528
SHA1

d03a6377af778a751a520d616ceccc6caa78e777
SHA256

dd553e2f43b96763bb55b99960df399fb7f44cb02fd7d1eb82b89bc91632423e
SHA512

39686e09975f004f9a43376bee6f6337c6deb6701b479ac506b17d235114494535fb7748a530a46c4d2f4a68f2afb7fd2de7bb1d445365da51e68c510ba41ff5
SSDEEP

12288:A06ld0/XOW0AVb3uPjl5XthpFN2BNp/OqAo1/S:A0U0P40Dyf9PT2BN0qAS/S

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xuXKCQEP.exe

Executes dropped EXE 7 IoCs

pid	Process
2856	xuXKCQEP.exe
2528	toast.exe
2380	toast.exe
2372	voast.exe
2444	voast.exe
1500	woast.exe
336	csrss.exe

Loads dropped DLL 8 IoCs

pid	Process
2888	ca7e819ec3588ec3855873a92eb10528.exe
2888	ca7e819ec3588ec3855873a92eb10528.exe
2888	ca7e819ec3588ec3855873a92eb10528.exe
2888	ca7e819ec3588ec3855873a92eb10528.exe
2888	ca7e819ec3588ec3855873a92eb10528.exe
2888	ca7e819ec3588ec3855873a92eb10528.exe
2888	ca7e819ec3588ec3855873a92eb10528.exe
2888	ca7e819ec3588ec3855873a92eb10528.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /M"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /d"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /e"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /b"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /H"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /l"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /c"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /X"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /f"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /o"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /z"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /g"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /K"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /v"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /m"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /C"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /k"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /S"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /W"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /O"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /B"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /h"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /I"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /q"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Q"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /y"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /p"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /G"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Z"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /U"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /i"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /s"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /F"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /J"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /Y"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /P"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /a"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /r"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /R"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /N"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /t"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /j"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /V"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /L"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /D"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /w"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /T"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /E"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /A"	xuXKCQEP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /x"	xuXKCQEP.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2528 set thread context of 2380	2528	toast.exe	31
PID 2372 set thread context of 2444	2372	voast.exe	33
PID 2444 set thread context of 1112	2444	voast.exe	34

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\registry\machine\Software\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\u = "30348"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\cid = "7795644877337554836"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
1112	explorer.exe
1112	explorer.exe
1112	explorer.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2380	toast.exe
2380	toast.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2380	toast.exe
2380	toast.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2380	toast.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe
2380	toast.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2380	toast.exe
2380	toast.exe
2856	xuXKCQEP.exe
2380	toast.exe
2856	xuXKCQEP.exe
2856	xuXKCQEP.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2888	ca7e819ec3588ec3855873a92eb10528.exe
2856	xuXKCQEP.exe
1500	woast.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2684 wrote to memory of 2888	2684	ca7e819ec3588ec3855873a92eb10528.exe	28
PID 2888 wrote to memory of 2856	2888	ca7e819ec3588ec3855873a92eb10528.exe	29
PID 2888 wrote to memory of 2856	2888	ca7e819ec3588ec3855873a92eb10528.exe	29
PID 2888 wrote to memory of 2856	2888	ca7e819ec3588ec3855873a92eb10528.exe	29
PID 2888 wrote to memory of 2856	2888	ca7e819ec3588ec3855873a92eb10528.exe	29
PID 2888 wrote to memory of 2528	2888	ca7e819ec3588ec3855873a92eb10528.exe	30
PID 2888 wrote to memory of 2528	2888	ca7e819ec3588ec3855873a92eb10528.exe	30
PID 2888 wrote to memory of 2528	2888	ca7e819ec3588ec3855873a92eb10528.exe	30
PID 2888 wrote to memory of 2528	2888	ca7e819ec3588ec3855873a92eb10528.exe	30
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2528 wrote to memory of 2380	2528	toast.exe	31
PID 2888 wrote to memory of 2372	2888	ca7e819ec3588ec3855873a92eb10528.exe	32
PID 2888 wrote to memory of 2372	2888	ca7e819ec3588ec3855873a92eb10528.exe	32
PID 2888 wrote to memory of 2372	2888	ca7e819ec3588ec3855873a92eb10528.exe	32
PID 2888 wrote to memory of 2372	2888	ca7e819ec3588ec3855873a92eb10528.exe	32
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2372 wrote to memory of 2444	2372	voast.exe	33
PID 2444 wrote to memory of 1112	2444	voast.exe	34
PID 2444 wrote to memory of 1112	2444	voast.exe	34
PID 2444 wrote to memory of 1112	2444	voast.exe	34
PID 2444 wrote to memory of 1112	2444	voast.exe	34
PID 2444 wrote to memory of 1112	2444	voast.exe	34
PID 2888 wrote to memory of 1500	2888	ca7e819ec3588ec3855873a92eb10528.exe	35
PID 2888 wrote to memory of 1500	2888	ca7e819ec3588ec3855873a92eb10528.exe	35
PID 2888 wrote to memory of 1500	2888	ca7e819ec3588ec3855873a92eb10528.exe	35
PID 2888 wrote to memory of 1500	2888	ca7e819ec3588ec3855873a92eb10528.exe	35
PID 1112 wrote to memory of 336	1112	explorer.exe	2
PID 336 wrote to memory of 1972	336	csrss.exe	36
PID 336 wrote to memory of 1972	336	csrss.exe	36
PID 336 wrote to memory of 1932	336	csrss.exe	37
PID 336 wrote to memory of 1932	336	csrss.exe	37

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\ca7e819ec3588ec3855873a92eb10528.exe
"C:\Users\Admin\AppData\Local\Temp\ca7e819ec3588ec3855873a92eb10528.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\ca7e819ec3588ec3855873a92eb10528.exe
  ca7e819ec3588ec3855873a92eb10528.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\xuXKCQEP.exe
    C:\Users\Admin\xuXKCQEP.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Users\Admin\toast.exe
    C:\Users\Admin\toast.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\toast.exe
      toast.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2380
- - C:\Users\Admin\voast.exe
    C:\Users\Admin\voast.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\voast.exe
      voast.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\explorer.exe
        
        0000003C*
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
- - C:\Users\Admin\woast.exe
    C:\Users\Admin\woast.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1500

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1972

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\consrv.DLL

Filesize
52KB

MD5
1812577ddfa736694a8dbad896d329d7

SHA1
a6831421aa2c04b93078df35d4bd2eed62985060

SHA256
c9173337e91ef6a59658dd60f713517eddd8cb43196dcc970266cbc12c33d5df

SHA512
d470c44c8e969b182dae8b2451075b525a9f1fc349737db19966581cb76289b1cac00cf6b7920c53959aaaedabd47385acc6b74dce2cc8f6a54a5ed882901d34

Download Submit
\Users\Admin\toast.exe

Filesize
152KB

MD5
b6d3a09df822fcf55b889b57c5ad799e

SHA1
dc44a91e89534819dcb18d18a42e2c0d3d3b649f

SHA256
83f8d74aa948dc8569f2f44174eb4da6e3bf0d6ef9293c8a92d882c2fda0e07c

SHA512
a7330d31a38361f41ae8385ff0541455fd098e874a29b0e8de3c92800fbe4ad2aa8a7a0374482d0e8a8db3363ca2e86c60216b9406eb306fe061bfde8086ebf1

Download Submit
\Users\Admin\voast.exe

Filesize
242KB

MD5
dc6332b873df679e69e099579c8bc22d

SHA1
0341ad78eff722fae4142aa1da9e4be0116569f9

SHA256
8c95e0048da1c72815701a5bb8000023b96433ad05e63e568ee28246c153ab04

SHA512
a6d9966765ede960b5f3929a61337d5582e40fae12cf5176dad9ec1ab608f4d73481ab1cc0ba168e162039fd3aabd75ceb16966b38999d9f71af2a5354fb7376

Download Submit
\Users\Admin\woast.exe

Filesize
24KB

MD5
f29656c436f7a25b63fe325b01a86a95

SHA1
148fe98b4901aaf454118c89ec71f4d36bed05bc

SHA256
1cc6a49d67f8f63801d0ffa3722f96405995e9f30958e5a368589591583932de

SHA512
d4eae9c9e02a1887ca30cd1750e73ade9d071594017e6d0d1cead2eff9c418b327752525fac130356d2454325e58ae54e24dd246784f15481ba2c01db7d097e7

Download Submit
\Users\Admin\xuXKCQEP.exe

Filesize
156KB

MD5
35362b609d4c80aa54977dd3c34f71a1

SHA1
0f561d1d9aa9543d1e9f759b90f6ff6f8b18dd89

SHA256
5c3e9c19f2015acdfda9921a68d6822348d4f82b6b1d12d248264d1361d72ca9

SHA512
e96bc0bb4cea72ad7fa55af13a48e4d16c43b66238e663247db93a977d7f926241cae8a3672334cbe10ada0934401472e483d4067ace1358409068984949e9cb

Download Submit
memory/336-126-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/1112-94-0x00000000002F0000-0x0000000000309000-memory.dmp

Filesize
100KB

Download
memory/1112-96-0x0000000000060000-0x0000000000075000-memory.dmp

Filesize
84KB

Download
memory/2372-92-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2380-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-42-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-45-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-54-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2380-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2444-91-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-93-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-73-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-81-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-83-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2444-85-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2528-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2684-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2888-15-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2888-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2888-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-10-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2888-2-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2888-4-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download