3a8ea2fa0d4e97188e2ad8aae575c3c7a95cf16d4d4903e1fb9b73d7459abbb8

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 04:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca818aea3dd2279856aeff636dd1232a.exe
Size

2.5MB
MD5

ca818aea3dd2279856aeff636dd1232a
SHA1

a1a2eb56612c92eae0b46af7f01067193d40dd0b
SHA256

3a8ea2fa0d4e97188e2ad8aae575c3c7a95cf16d4d4903e1fb9b73d7459abbb8
SHA512

870349c7451f0668e8849039e0afa4e1b35d3657ccc32e8f3d24f87dfd525a4f54b46f4dbf3f285fdbaac806fd93c9533165d74595d549bffe84f68d92128be6
SSDEEP

49152:5UUWLPMGyxBsliDJrqIB2xo6W9ELsTdxDIH0xsMjaSdU8UkqONFJbZDST2dQEZ82:5UJLP4IliV666W9ELsTdFIHojRb51nJD

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3060	a.exe
2512	irsetup.exe
2720	aaaaaa.exe
3064	b.exe
1660	a.exe

Loads dropped DLL 14 IoCs

pid	Process
1812	ca818aea3dd2279856aeff636dd1232a.exe
3060	a.exe
2512	irsetup.exe
2512	irsetup.exe
2512	irsetup.exe
2512	irsetup.exe
2512	irsetup.exe
2720	aaaaaa.exe
2492	cmd.exe
2492	cmd.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-14-0x0000000001D00000-0x0000000001E3D000-memory.dmp	upx
behavioral1/files/0x00080000000149ea-11.dat	upx
behavioral1/memory/2512-16-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral1/memory/2512-49-0x0000000000400000-0x000000000053D000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	a.exe
File opened (read-only)	\??\O:	a.exe
File opened (read-only)	\??\Q:	a.exe
File opened (read-only)	\??\S:	a.exe
File opened (read-only)	\??\A:	a.exe
File opened (read-only)	\??\B:	a.exe
File opened (read-only)	\??\E:	a.exe
File opened (read-only)	\??\I:	a.exe
File opened (read-only)	\??\T:	a.exe
File opened (read-only)	\??\V:	a.exe
File opened (read-only)	\??\W:	a.exe
File opened (read-only)	\??\H:	a.exe
File opened (read-only)	\??\J:	a.exe
File opened (read-only)	\??\L:	a.exe
File opened (read-only)	\??\N:	a.exe
File opened (read-only)	\??\P:	a.exe
File opened (read-only)	\??\X:	a.exe
File opened (read-only)	\??\Y:	a.exe
File opened (read-only)	\??\Z:	a.exe
File opened (read-only)	\??\G:	a.exe
File opened (read-only)	\??\M:	a.exe
File opened (read-only)	\??\R:	a.exe
File opened (read-only)	\??\U:	a.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\System32\spool\drivers\W32X86\3\__tmp_rar_sfx_access_check_259398992	b.exe
File created	C:\WINDOWS\SysWOW64\COMDLG32.OCX	irsetup.exe
File created	C:\Windows\System32\spool\drivers\W32X86\3\CMD.bat	b.exe
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\config\a.dll	b.exe
File created	C:\WINDOWS\SysWOW64\a.exe	ca818aea3dd2279856aeff636dd1232a.exe
File opened for modification	C:\WINDOWS\SysWOW64\b.exe	ca818aea3dd2279856aeff636dd1232a.exe
File opened for modification	C:\WINDOWS\SysWOW64\glxpbuttonz.ocx	irsetup.exe
File opened for modification	C:\WINDOWS\SysWOW64\COMDLG32.OCX	irsetup.exe
File opened for modification	C:\WINDOWS\SysWOW64\gambar to byte.exe	aaaaaa.exe
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\a.exe	b.exe
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\CMD.bat	b.exe
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_259397885	ca818aea3dd2279856aeff636dd1232a.exe
File opened for modification	C:\WINDOWS\SysWOW64\a.exe	ca818aea3dd2279856aeff636dd1232a.exe
File opened for modification	C:\WINDOWS\SysWOW64\d3dx9_42.dll	irsetup.exe
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_259398727	aaaaaa.exe
File opened for modification	C:\WINDOWS\SysWOW64\GifViewer.ocx	irsetup.exe
File opened for modification	C:\WINDOWS\System32\spool\drivers\w32x86\3	b.exe
File created	C:\WINDOWS\SysWOW64\aaaaaa.exe	irsetup.exe
File created	C:\WINDOWS\SysWOW64\GifViewer.ocx	irsetup.exe
File created	C:\WINDOWS\SysWOW64\glxpbuttonz.ocx	irsetup.exe
File created	C:\WINDOWS\SysWOW64\d3dx9_42.dll	irsetup.exe
File created	C:\WINDOWS\SysWOW64\gambar to byte.exe	aaaaaa.exe
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\config	b.exe
File created	C:\Windows\System32\spool\drivers\W32X86\3\a.exe	b.exe
File created	C:\WINDOWS\SysWOW64\b.exe	ca818aea3dd2279856aeff636dd1232a.exe
File opened for modification	C:\WINDOWS\SysWOW64\aaaaaa.exe	irsetup.exe
File created	C:\Windows\System32\spool\drivers\W32X86\3\config\a.dll	b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ = "glxpbuttonz.UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ProgID	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\Clsid\ = "{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ToolboxBitmap32	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ = "__UserButtonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\HELPDIR\ = "C:\\Windows\\system32"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "UserButtonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\FLAGS\ = "2"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\glxpbuttonz.ocx"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\FLAGS	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0\win32	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\1	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\ = "glxpbuttonz.UserButtonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ProgID\ = "glxpbuttonz.UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\TypeLib	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\VERSION\ = "1.0"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\Version = "1.0"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "_UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Control	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\Clsid	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\Version = "1.0"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "_UserButtonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\Version = "1.0"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\Version = "1.0"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\glxpbuttonz.ocx, 30000"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\1\ = "131473"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\ = "glxpbuttonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\HELPDIR	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\ = "0"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ = "UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\InprocServer32\ = "C:\\Windows\\SysWow64\\glxpbuttonz.ocx"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\InprocServer32	a.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe
1660	a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2512	irsetup.exe
2512	irsetup.exe
1660	a.exe
1660	a.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3060	1812	ca818aea3dd2279856aeff636dd1232a.exe	28
PID 1812 wrote to memory of 3060	1812	ca818aea3dd2279856aeff636dd1232a.exe	28
PID 1812 wrote to memory of 3060	1812	ca818aea3dd2279856aeff636dd1232a.exe	28
PID 1812 wrote to memory of 3060	1812	ca818aea3dd2279856aeff636dd1232a.exe	28
PID 1812 wrote to memory of 3060	1812	ca818aea3dd2279856aeff636dd1232a.exe	28
PID 1812 wrote to memory of 3060	1812	ca818aea3dd2279856aeff636dd1232a.exe	28
PID 1812 wrote to memory of 3060	1812	ca818aea3dd2279856aeff636dd1232a.exe	28
PID 3060 wrote to memory of 2512	3060	a.exe	29
PID 3060 wrote to memory of 2512	3060	a.exe	29
PID 3060 wrote to memory of 2512	3060	a.exe	29
PID 3060 wrote to memory of 2512	3060	a.exe	29
PID 3060 wrote to memory of 2512	3060	a.exe	29
PID 3060 wrote to memory of 2512	3060	a.exe	29
PID 3060 wrote to memory of 2512	3060	a.exe	29
PID 2512 wrote to memory of 2720	2512	irsetup.exe	30
PID 2512 wrote to memory of 2720	2512	irsetup.exe	30
PID 2512 wrote to memory of 2720	2512	irsetup.exe	30
PID 2512 wrote to memory of 2720	2512	irsetup.exe	30
PID 2512 wrote to memory of 2720	2512	irsetup.exe	30
PID 2512 wrote to memory of 2720	2512	irsetup.exe	30
PID 2512 wrote to memory of 2720	2512	irsetup.exe	30
PID 2720 wrote to memory of 3064	2720	aaaaaa.exe	31
PID 2720 wrote to memory of 3064	2720	aaaaaa.exe	31
PID 2720 wrote to memory of 3064	2720	aaaaaa.exe	31
PID 2720 wrote to memory of 3064	2720	aaaaaa.exe	31
PID 2720 wrote to memory of 3064	2720	aaaaaa.exe	31
PID 2720 wrote to memory of 3064	2720	aaaaaa.exe	31
PID 2720 wrote to memory of 3064	2720	aaaaaa.exe	31
PID 3064 wrote to memory of 2492	3064	b.exe	32
PID 3064 wrote to memory of 2492	3064	b.exe	32
PID 3064 wrote to memory of 2492	3064	b.exe	32
PID 3064 wrote to memory of 2492	3064	b.exe	32
PID 3064 wrote to memory of 2492	3064	b.exe	32
PID 3064 wrote to memory of 2492	3064	b.exe	32
PID 3064 wrote to memory of 2492	3064	b.exe	32
PID 2492 wrote to memory of 1660	2492	cmd.exe	34
PID 2492 wrote to memory of 1660	2492	cmd.exe	34
PID 2492 wrote to memory of 1660	2492	cmd.exe	34
PID 2492 wrote to memory of 1660	2492	cmd.exe	34
PID 2492 wrote to memory of 1660	2492	cmd.exe	34
PID 2492 wrote to memory of 1660	2492	cmd.exe	34
PID 2492 wrote to memory of 1660	2492	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\ca818aea3dd2279856aeff636dd1232a.exe
"C:\Users\Admin\AppData\Local\Temp\ca818aea3dd2279856aeff636dd1232a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812
- C:\WINDOWS\SysWOW64\a.exe
  "C:\WINDOWS\System32\a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    __IRAOFF:542221 "__IRAFN:C:\WINDOWS\SysWOW64\a.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\WINDOWS\SysWOW64\aaaaaa.exe
      "C:\WINDOWS\system32\aaaaaa.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\WINDOWS\SysWOW64\b.exe
        
        "C:\WINDOWS\System32\b.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\WINDOWS\SysWOW64\cmd.exe
        
        cmd /c ""C:\WINDOWS\System32\spool\drivers\w32x86\3\CMD.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\WINDOWS\System32\spool\drivers\w32x86\3\a.exe
        
        A.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1660

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\b.exe

Filesize
796KB

MD5
321497c2424ac35d4b6ca5a904010ec4

SHA1
d516fd0cdc258facfa194d585eeab49417128f0a

SHA256
c56be98033e609dab444aeba5ec5de5140974fca56328825506fa4cb8cbf26b3

SHA512
3727f8644b2dad9e1d5a217baa0723f511e3e1a8a964bfadf714fdaf1234cdcac5b95b38869f61620613ff2dff911f60d6db3149915a7ba2569563d0df868779

Download Submit
C:\WINDOWS\System32\spool\drivers\w32x86\3\config\a.dll

Filesize
611KB

MD5
ae1b8f387986c780f6c5eea3175548c7

SHA1
d386930099553af5925cff75dd461073e872f87e

SHA256
a8d7f089f3e436aa68d0a308b56d8b84adb40c829df0e1737b7c710f8768fb5f

SHA512
216e641dbe0e31066184992dcac787d4f78e008a612b503e0620e9438a2e7f27304b43175560f3d085b3e83a269c0f5a5011a075f6340a194ffbcd790374be8c

Download Submit
C:\Windows\SysWOW64\glxpbuttonz.ocx

Filesize
108KB

MD5
455812a36b41a4ce537589ebd1410111

SHA1
6a7872729d72f4fe8bc979846237d25436deec11

SHA256
86711c5044f2659c31cc8455bae9f3f361e821bb97d45cac0c2d880d23c45026

SHA512
e2810e09e24564027d1e35a5c5d08b514d914b7e7a3551bc5098bd98e270207d5ab2a162d9dc42fec89809a217d1d35fa724e5668a9fdb45b897d61909df9825

Download Submit
C:\Windows\System32\spool\drivers\W32X86\3\CMD.bat

Filesize
2KB

MD5
759354cc8c22275b01e52eba0c2bcfbe

SHA1
f1882afc599aeea1840a9dfe30780a98f87a56f5

SHA256
8264db5b30727016fddc035cbb76b2c5781a8de115e21b7f1f867eae02342af5

SHA512
5600ba4bdee9800cfceb7e14f805cb051d6fffdd4b5651fc762fd8677855e29d8b76eead0541afdfdd3b31df3d431f0f33110de5c946dfdb2346dc920a63f7d7

Download Submit
C:\Windows\System32\spool\drivers\W32X86\3\a.exe

Filesize
1.2MB

MD5
daac0c6d9bf7b1f94c068740d676c581

SHA1
fe1d184b5ac0de87e474efef729e85fbc9765050

SHA256
3eb25577eb48f63ed97182709b395f35a318d7daaa1e3c76da34fbfe12041027

SHA512
8f6547f27b569ae296b32e1ed8423a85082840efc67118a9c44fbc637bdfac6154f5caa3a1af690f9118bb55c6e1ca5034946f4ed860cb899c50c38176e327dd

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
461KB

MD5
1c58b6ee4cb9561e81095b76656a2ef9

SHA1
1a7a7b05f97aa0d5280e423f5712a71d26a7c724

SHA256
f3361c6d49a75c7a7d6a1cba252d5ca4a178ee69b7a07e1fa2ed28820f6b7cc7

SHA512
106cbdb37d592b4586c206981e44f928e875c7497471f55031ebf7de0aaa0ace09e7fa028fc31a34aa6822415b068a91b4f3f297c7216171d07f6a50b9eadbf1

Download Submit
\Windows\SysWOW64\a.exe

Filesize
1.7MB

MD5
9dc76117fe9b4e6ae96b8fef396356c6

SHA1
29632ac44921f203cf04ae02325c4d681c9008a0

SHA256
19bebd9a50bae84662903685f7c76e81898106d7d1ddfe91107cac7f17f50c92

SHA512
b2c91e0e068a39b4615c113a6e1b9b8c7872af2d6c740895e4158cdcc24101d49ae1f560a03cd90c9e4faf1d179c766fd0cca36cdd66d72e55f9bcf7c09780a0

Download Submit
\Windows\SysWOW64\aaaaaa.exe

Filesize
94KB

MD5
cea57232bd4368f8b5bff456b2c044e3

SHA1
fc50fc90fab392b301693e4e6adcad46f936aa46

SHA256
ee991ba67bca3139f2d575439ada7bd3f139c1d121f20395f7dd314757b4362b

SHA512
cf95a16a8caacab100694ff2c3bda0537c5b28707745adcd9e2e77c1a0e7b26b9bec8a6cb1dc0c8f33c0473774743cb40db04772574241f8c2fed2120bf80f9e

Download Submit
memory/1660-89-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1660-90-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1660-94-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/1660-95-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/2512-49-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2512-42-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2512-16-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3060-14-0x0000000001D00000-0x0000000001E3D000-memory.dmp

Filesize
1.2MB

Download