3a8ea2fa0d4e97188e2ad8aae575c3c7a95cf16d4d4903e1fb9b73d7459abbb8

Analysis

max time kernel
210s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca818aea3dd2279856aeff636dd1232a.exe
Size

2.5MB
MD5

ca818aea3dd2279856aeff636dd1232a
SHA1

a1a2eb56612c92eae0b46af7f01067193d40dd0b
SHA256

3a8ea2fa0d4e97188e2ad8aae575c3c7a95cf16d4d4903e1fb9b73d7459abbb8
SHA512

870349c7451f0668e8849039e0afa4e1b35d3657ccc32e8f3d24f87dfd525a4f54b46f4dbf3f285fdbaac806fd93c9533165d74595d549bffe84f68d92128be6
SSDEEP

49152:5UUWLPMGyxBsliDJrqIB2xo6W9ELsTdxDIH0xsMjaSdU8UkqONFJbZDST2dQEZ82:5UJLP4IliV666W9ELsTdFIHojRb51nJD

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	ca818aea3dd2279856aeff636dd1232a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	aaaaaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	b.exe

Executes dropped EXE 5 IoCs

pid	Process
3236	a.exe
400	irsetup.exe
2900	aaaaaa.exe
3784	b.exe
1636	a.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	a.exe
1636	a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002320e-16.dat	upx
behavioral2/memory/400-18-0x0000000000400000-0x000000000053D000-memory.dmp	upx
behavioral2/memory/400-47-0x0000000000400000-0x000000000053D000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	a.exe
File opened (read-only)	\??\Z:	a.exe
File opened (read-only)	\??\B:	a.exe
File opened (read-only)	\??\G:	a.exe
File opened (read-only)	\??\N:	a.exe
File opened (read-only)	\??\O:	a.exe
File opened (read-only)	\??\P:	a.exe
File opened (read-only)	\??\T:	a.exe
File opened (read-only)	\??\W:	a.exe
File opened (read-only)	\??\H:	a.exe
File opened (read-only)	\??\I:	a.exe
File opened (read-only)	\??\K:	a.exe
File opened (read-only)	\??\M:	a.exe
File opened (read-only)	\??\R:	a.exe
File opened (read-only)	\??\S:	a.exe
File opened (read-only)	\??\U:	a.exe
File opened (read-only)	\??\Y:	a.exe
File opened (read-only)	\??\E:	a.exe
File opened (read-only)	\??\J:	a.exe
File opened (read-only)	\??\L:	a.exe
File opened (read-only)	\??\Q:	a.exe
File opened (read-only)	\??\V:	a.exe
File opened (read-only)	\??\X:	a.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\config\a.dll	b.exe
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240704671	ca818aea3dd2279856aeff636dd1232a.exe
File opened for modification	C:\WINDOWS\SysWOW64\aaaaaa.exe	irsetup.exe
File created	C:\WINDOWS\SysWOW64\aaaaaa.exe	irsetup.exe
File opened for modification	C:\WINDOWS\SysWOW64\GifViewer.ocx	irsetup.exe
File created	C:\WINDOWS\SysWOW64\GifViewer.ocx	irsetup.exe
File created	C:\WINDOWS\SysWOW64\gambar to byte.exe	aaaaaa.exe
File opened for modification	C:\WINDOWS\SysWOW64\a.exe	ca818aea3dd2279856aeff636dd1232a.exe
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240712906	aaaaaa.exe
File opened for modification	C:\WINDOWS\SysWOW64\gambar to byte.exe	aaaaaa.exe
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\config	b.exe
File created	C:\WINDOWS\SysWOW64\b.exe	ca818aea3dd2279856aeff636dd1232a.exe
File created	C:\WINDOWS\SysWOW64\glxpbuttonz.ocx	irsetup.exe
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\a.exe	b.exe
File opened for modification	C:\WINDOWS\SysWOW64\glxpbuttonz.ocx	irsetup.exe
File opened for modification	C:\WINDOWS\SysWOW64\COMDLG32.OCX	irsetup.exe
File created	C:\WINDOWS\SysWOW64\a.exe	ca818aea3dd2279856aeff636dd1232a.exe
File created	C:\Windows\System32\spool\drivers\W32X86\3\config\a.dll	b.exe
File opened for modification	C:\WINDOWS\SysWOW64\b.exe	ca818aea3dd2279856aeff636dd1232a.exe
File opened for modification	C:\WINDOWS\SysWOW64\d3dx9_42.dll	irsetup.exe
File created	C:\Windows\System32\spool\drivers\W32X86\3\a.exe	b.exe
File opened for modification	C:\Windows\System32\spool\drivers\W32X86\3\CMD.bat	b.exe
File created	C:\WINDOWS\SysWOW64\COMDLG32.OCX	irsetup.exe
File created	C:\WINDOWS\SysWOW64\d3dx9_42.dll	irsetup.exe
File created	C:\Windows\System32\spool\drivers\W32X86\3\__tmp_rar_sfx_access_check_240719937	b.exe
File created	C:\Windows\System32\spool\drivers\W32X86\3\CMD.bat	b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Control\	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\1\ = "131473"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "_UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "_UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\1	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\ = "glxpbuttonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\HELPDIR\ = "C:\\Windows\\SYSTEM32"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\VERSION	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\ = "glxpbuttonz.UserButtonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\Version = "1.0"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\Clsid\ = "{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\glxpbuttonz.ocx"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ProgID	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\MiscStatus\ = "0"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\glxpbuttonz.ocx, 30000"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\InprocServer32\ = "C:\\Windows\\SysWow64\\glxpbuttonz.ocx"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\0\win32	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Control	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\VERSION\ = "1.0"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\ = "{E3583FCE-0595-4681-9ACD-48F7805DEFE1}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ProgID\ = "glxpbuttonz.UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ = "glxpbuttonz.UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz\Clsid	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\InprocServer32	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ = "UserButtonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E3583FCE-0595-4681-9ACD-48F7805DEFE1}\1.0\HELPDIR	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\TypeLib\Version = "1.0"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\ = "UserButtonz"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\glxpbuttonz.UserButtonz	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ = "__UserButtonz"	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B78F3AA-5862-42FC-83A0-A6969DC0B60D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\ToolboxBitmap32	a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8ED08C53-BB00-4B9A-8037-D38D22FF4B7A}\TypeLib	a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0EBC7EC4-ED41-49C7-86B7-9F63E8B28C89}\TypeLib\Version = "1.0"	a.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1636	a.exe
Token: SeCreatePagefilePrivilege	1636	a.exe
Token: SeShutdownPrivilege	1636	a.exe
Token: SeCreatePagefilePrivilege	1636	a.exe
Token: 33	4772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4772	AUDIODG.EXE
Token: SeShutdownPrivilege	1636	a.exe
Token: SeCreatePagefilePrivilege	1636	a.exe
Token: SeShutdownPrivilege	1636	a.exe
Token: SeCreatePagefilePrivilege	1636	a.exe
Token: SeShutdownPrivilege	1636	a.exe
Token: SeCreatePagefilePrivilege	1636	a.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe
1636	a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
400	irsetup.exe
400	irsetup.exe
1636	a.exe
1636	a.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3236	452	ca818aea3dd2279856aeff636dd1232a.exe	92
PID 452 wrote to memory of 3236	452	ca818aea3dd2279856aeff636dd1232a.exe	92
PID 452 wrote to memory of 3236	452	ca818aea3dd2279856aeff636dd1232a.exe	92
PID 3236 wrote to memory of 400	3236	a.exe	93
PID 3236 wrote to memory of 400	3236	a.exe	93
PID 3236 wrote to memory of 400	3236	a.exe	93
PID 400 wrote to memory of 2900	400	irsetup.exe	95
PID 400 wrote to memory of 2900	400	irsetup.exe	95
PID 400 wrote to memory of 2900	400	irsetup.exe	95
PID 2900 wrote to memory of 3784	2900	aaaaaa.exe	96
PID 2900 wrote to memory of 3784	2900	aaaaaa.exe	96
PID 2900 wrote to memory of 3784	2900	aaaaaa.exe	96
PID 3784 wrote to memory of 3348	3784	b.exe	98
PID 3784 wrote to memory of 3348	3784	b.exe	98
PID 3784 wrote to memory of 3348	3784	b.exe	98
PID 3348 wrote to memory of 1636	3348	cmd.exe	105
PID 3348 wrote to memory of 1636	3348	cmd.exe	105
PID 3348 wrote to memory of 1636	3348	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\ca818aea3dd2279856aeff636dd1232a.exe
"C:\Users\Admin\AppData\Local\Temp\ca818aea3dd2279856aeff636dd1232a.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:452
- C:\WINDOWS\SysWOW64\a.exe
  "C:\WINDOWS\System32\a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    __IRAOFF:542221 "__IRAFN:C:\WINDOWS\SysWOW64\a.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\WINDOWS\SysWOW64\aaaaaa.exe
      "C:\WINDOWS\system32\aaaaaa.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\WINDOWS\SysWOW64\b.exe
        
        "C:\WINDOWS\System32\b.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\System32\spool\drivers\w32x86\3\CMD.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\WINDOWS\System32\spool\drivers\w32x86\3\a.exe
        
        A.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
67cf5c5972bf6e989651110613d6af00

SHA1
8dfbfc264d06b40a81d3dc7b0c20f92c9a8d28df

SHA256
ebdcba47b21ae12de7bb6c1f09f218297aeb5d3ed3da2549cd937041d2964f25

SHA512
52b4f9140f96e1619633ba6ed40cec2e8b166ec64411c1bc55dfadd161102930acbb71cd9613fe8203ca6cc51050965ab792683280669462c2c099103c533104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
461KB

MD5
1c58b6ee4cb9561e81095b76656a2ef9

SHA1
1a7a7b05f97aa0d5280e423f5712a71d26a7c724

SHA256
f3361c6d49a75c7a7d6a1cba252d5ca4a178ee69b7a07e1fa2ed28820f6b7cc7

SHA512
106cbdb37d592b4586c206981e44f928e875c7497471f55031ebf7de0aaa0ace09e7fa028fc31a34aa6822415b068a91b4f3f297c7216171d07f6a50b9eadbf1

Download Submit
C:\WINDOWS\SysWOW64\b.exe

Filesize
796KB

MD5
321497c2424ac35d4b6ca5a904010ec4

SHA1
d516fd0cdc258facfa194d585eeab49417128f0a

SHA256
c56be98033e609dab444aeba5ec5de5140974fca56328825506fa4cb8cbf26b3

SHA512
3727f8644b2dad9e1d5a217baa0723f511e3e1a8a964bfadf714fdaf1234cdcac5b95b38869f61620613ff2dff911f60d6db3149915a7ba2569563d0df868779

Download Submit
C:\WINDOWS\System32\spool\drivers\w32x86\3\CMD.bat

Filesize
2KB

MD5
759354cc8c22275b01e52eba0c2bcfbe

SHA1
f1882afc599aeea1840a9dfe30780a98f87a56f5

SHA256
8264db5b30727016fddc035cbb76b2c5781a8de115e21b7f1f867eae02342af5

SHA512
5600ba4bdee9800cfceb7e14f805cb051d6fffdd4b5651fc762fd8677855e29d8b76eead0541afdfdd3b31df3d431f0f33110de5c946dfdb2346dc920a63f7d7

Download Submit
C:\WINDOWS\System32\spool\drivers\w32x86\3\a.exe

Filesize
256KB

MD5
fe3ca797e99a1c782d7b9458391d6082

SHA1
7602bd5407bc21dd7dc3c97498e1fa652018f87a

SHA256
6da7dcab112f7baaaa0a31ebd7a7c4f914288209e0109d450dfa7cc149464e79

SHA512
9de95f2e9f9ebd60bc492bf74f07b471204b8a91d492a928be236ac07f9dae0a1ca555ecac0931b2606180369755be32e9c4f93e26c7a44574c2d6d9fee98ccd

Download Submit
C:\WINDOWS\System32\spool\drivers\w32x86\3\config\a.dll

Filesize
611KB

MD5
ae1b8f387986c780f6c5eea3175548c7

SHA1
d386930099553af5925cff75dd461073e872f87e

SHA256
a8d7f089f3e436aa68d0a308b56d8b84adb40c829df0e1737b7c710f8768fb5f

SHA512
216e641dbe0e31066184992dcac787d4f78e008a612b503e0620e9438a2e7f27304b43175560f3d085b3e83a269c0f5a5011a075f6340a194ffbcd790374be8c

Download Submit
C:\Windows\SysWOW64\a.exe

Filesize
1.7MB

MD5
9dc76117fe9b4e6ae96b8fef396356c6

SHA1
29632ac44921f203cf04ae02325c4d681c9008a0

SHA256
19bebd9a50bae84662903685f7c76e81898106d7d1ddfe91107cac7f17f50c92

SHA512
b2c91e0e068a39b4615c113a6e1b9b8c7872af2d6c740895e4158cdcc24101d49ae1f560a03cd90c9e4faf1d179c766fd0cca36cdd66d72e55f9bcf7c09780a0

Download Submit
C:\Windows\SysWOW64\a.exe

Filesize
192KB

MD5
4e203684bb201e0bc12ac705a1e7c774

SHA1
868d7ecb2998dc6ae51ba9641d235d96a2033066

SHA256
577051118e4343ea10120bd58ada8abb055280d4844096cb732048929b88bb96

SHA512
91ad200e9790275b97f88c95ff3857e8a73263652abe98af3b240db5374d5009be40b5bcb84dfaafb511b7240038cd6cd9e5e02090f04215c415181c7a72629f

Download Submit
C:\Windows\SysWOW64\aaaaaa.exe

Filesize
94KB

MD5
cea57232bd4368f8b5bff456b2c044e3

SHA1
fc50fc90fab392b301693e4e6adcad46f936aa46

SHA256
ee991ba67bca3139f2d575439ada7bd3f139c1d121f20395f7dd314757b4362b

SHA512
cf95a16a8caacab100694ff2c3bda0537c5b28707745adcd9e2e77c1a0e7b26b9bec8a6cb1dc0c8f33c0473774743cb40db04772574241f8c2fed2120bf80f9e

Download Submit
C:\Windows\SysWOW64\glxpbuttonz.ocx

Filesize
108KB

MD5
455812a36b41a4ce537589ebd1410111

SHA1
6a7872729d72f4fe8bc979846237d25436deec11

SHA256
86711c5044f2659c31cc8455bae9f3f361e821bb97d45cac0c2d880d23c45026

SHA512
e2810e09e24564027d1e35a5c5d08b514d914b7e7a3551bc5098bd98e270207d5ab2a162d9dc42fec89809a217d1d35fa724e5668a9fdb45b897d61909df9825

Download Submit
C:\Windows\System32\spool\drivers\W32X86\3\a.exe

Filesize
512KB

MD5
a42582534a841b733b32e237b106c8b3

SHA1
d3460ff4ab9aaf69f4bf01edd01afe659771b634

SHA256
df3eeeb4e09fbaef90c683579cd2ed4edb400fcd4e51b5f3cc9507f42d4c68ec

SHA512
7b3186abf38d8730d6d6f3e52bd7f58f8fcadba2a9451a57bddb42e424f9dde096e7d903b964bd6f3bb76bfeaaf9dd22619473559ba91deaf92e85fa37f3fb55

Download Submit
memory/400-47-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/400-18-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1636-71-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/1636-72-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads