Analysis
-
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 19:31
Static task: static1
General
-
Target: 48cfb10b88080f7bc8f30d6390781f0b.exe
Size: 629KB
MD5: 48cfb10b88080f7bc8f30d6390781f0b
SHA1: 7cc45fe067b15648dcf58508d540e97b49a408d1
SHA256: a5189a7fc6e08c9a0a833d27e158a67b582ebb842d254c03d5c84186c9f78ea7
SHA512: 8b3b79dbb2524b09f0943ee7b08077f15421bc0e65e532baad88df0ff7657164705fdfc575615cbb05a166be4903ff11eab56f6e237809e2145d9b0104e0a1d3
SSDEEP: 12288:TkozRSDSNunH1kFj/gI12rJ7rxnzGQD0KMX016zfR:wozRS+QVkItXNl12es
Malware Config
Signatures
-
Expiro payload 5 IoCs
Processes:
resource yara_rule
behavioral1/memory/4612-0-0x0000000000400000-0x00000000004ED000-memory.dmp family_expiro1
behavioral1/memory/4612-1-0x0000000000400000-0x00000000004ED000-memory.dmp family_expiro1
behavioral1/memory/4612-3-0x0000000000400000-0x00000000004ED000-memory.dmp family_expiro1
behavioral1/memory/4612-120-0x0000000000400000-0x00000000004ED000-memory.dmp family_expiro1
behavioral1/memory/2532-151-0x0000000140000000-0x00000001400D5000-memory.dmp family_expiro1
-
Disables taskbar notifications via registry modification
Processes: alg.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-557049126-2506969350-2798870634-1000 alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-557049126-2506969350-2798870634-1000\EnableNotifications = "0" alg.exe
-
Executes dropped EXE 7 IoCs
The seven "dropped" executables are existing Windows and browser service binaries; most of them appear in the "opened for modification" lists below and were started after the sample had written to them.
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, msdtc.exe, msiexec.exe
pid process
2532 alg.exe
2324 DiagnosticsHub.StandardCollector.Service.exe
4828 fxssvc.exe
2080 elevation_service.exe
400 elevation_service.exe
2164 msdtc.exe
2444 msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 48cfb10b88080f7bc8f30d6390781f0b.exe, alg.exe
description ioc process
Each process opens the root of the same 21 drive letters read-only (42 events in total; D: and F: do not appear).
File opened (read-only) \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened (read-only) \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: alg.exe
-
Drops file in System32 directory 64 IoCs
Processes: 48cfb10b88080f7bc8f30d6390781f0b.exe, alg.exe
description ioc process
File opened for modification \??\c:\windows\system32\lsass.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\msiexec.exe alg.exe
File opened for modification \??\c:\windows\system32\msiexec.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\WindowsPowerShell\v1.0\ednblpmo.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\vssvc.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\alg.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\vssvc.exe alg.exe
File created \??\c:\windows\SysWOW64\eldqkdja.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\lsass.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\msdtc.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\svchost.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\spectrum.exe alg.exe
File opened for modification \??\c:\windows\system32\locator.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\searchindexer.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\spectrum.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\wbengine.exe alg.exe
File opened for modification \??\c:\windows\system32\tieringengineservice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\Agentservice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\msdtc.exe alg.exe
File opened for modification \??\c:\windows\system32\sgrmbroker.exe alg.exe
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\glmfhlqh.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\qpoijadi.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\svchost.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\jaebkcfc.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\SysWOW64\kjhqngbn.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe alg.exe
File created \??\c:\windows\system32\lgnojlfi.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\egilaajj.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\fxssvc.exe alg.exe
File opened for modification \??\c:\windows\system32\tieringengineservice.exe alg.exe
File opened for modification \??\c:\windows\system32\Agentservice.exe alg.exe
File created \??\c:\windows\system32\hedhnkbc.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\locator.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\openssh\ssh-agent.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\alg.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\jakknhjl.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\diagsvcs\plcabcql.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\svchost.exe alg.exe
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe alg.exe
File created \??\c:\windows\system32\gccpppaa.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\eingdeff.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\vds.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe alg.exe
File opened for modification \??\c:\windows\system32\vds.exe alg.exe
File opened for modification \??\c:\windows\SysWOW64\sensordataservice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\kdaebfod.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\dllhost.exe alg.exe
File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\system32\searchindexer.exe alg.exe
File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\windows\system32\pmkkbplf.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
-
Drops file in Program Files directory 64 IoCs
Processes: alg.exe, 48cfb10b88080f7bc8f30d6390781f0b.exe
description ioc process
File opened for modification C:\Program Files\7-Zip\7z.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\nccafaqk.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\jkgaipki.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe alg.exe
File created \??\c:\program files\windows media player\aeoffchi.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\7-Zip\lncjookl.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\dotnet\pgildlkb.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe alg.exe
File created C:\Program Files\Common Files\microsoft shared\ink\occlljkq.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jfjkgccl.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\program files\common files\microsoft shared\source engine\hcjghddk.tmp alg.exe
File created C:\Program Files\7-Zip\jgpijieg.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\ddnfppgh.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe alg.exe
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe alg.exe
File created C:\Program Files\Common Files\microsoft shared\MSInfo\hhfjjgab.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\dotnet\dotnet.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe alg.exe
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe alg.exe
File created C:\Program Files\7-Zip\jgpijieg.tmp alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe alg.exe
File created C:\Program Files\7-Zip\nccafaqk.tmp alg.exe
File created C:\Program Files\Common Files\microsoft shared\ink\mnmjadqg.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\program files (x86)\mozilla maintenance service\cacljkfp.tmp alg.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\gkooamha.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe alg.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created C:\Program Files (x86)\Microsoft\Edge\Application\npmapkkd.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\7-Zip\7z.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\program files\google\chrome\Application\106.0.5249.119\famdlgmb.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\ijijcdfh.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
-
Drops file in Windows directory 5 IoCs
Processes: alg.exe, msdtc.exe, 48cfb10b88080f7bc8f30d6390781f0b.exe
description ioc process
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe alg.exe
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe alg.exe
File opened for modification C:\Windows\DtcInstall.log msdtc.exe
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe 48cfb10b88080f7bc8f30d6390781f0b.exe
-
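Taken together, the System32, Program Files and Windows directory sections above show a file-infector pattern rather than a dropper: both the original sample and the already-infected alg.exe open existing executables for modification and create an eight-lowercase-letter .tmp file in the same directory. As an added example (not part of the sandbox report), the Python below parses those IoC lines as the report prints them, strips the \??\ object-manager prefix so both path spellings compare equal, and reports which executables were written, which were written again by the second-generation alg.exe, and which directories received a transient .tmp next to a written executable. The input is a subset of lines copied from the report; the process name constant and the eight-letter .tmp rule are taken from what the report shows.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "48cfb10b88080f7bc8f30d6390781f0b.exe"
NT_PREFIX = "\\??\\"  # object-manager prefix the sandbox records for some opens

# Input: a subset of the file-system IoC lines copied verbatim from the report
# above (the full report lists 64 + 64 + 5 such lines).
REPORT_LINES = [
    r"File opened for modification \??\c:\windows\system32\lsass.exe 48cfb10b88080f7bc8f30d6390781f0b.exe",
    r"File opened for modification \??\c:\windows\system32\msiexec.exe alg.exe",
    r"File opened for modification \??\c:\windows\system32\msiexec.exe 48cfb10b88080f7bc8f30d6390781f0b.exe",
    r"File created \??\c:\windows\system32\WindowsPowerShell\v1.0\ednblpmo.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe",
    r"File opened for modification \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe 48cfb10b88080f7bc8f30d6390781f0b.exe",
    r"File opened for modification C:\Program Files\7-Zip\7zG.exe alg.exe",
    r"File opened for modification C:\Program Files\7-Zip\7zG.exe 48cfb10b88080f7bc8f30d6390781f0b.exe",
    r"File created C:\Program Files\7-Zip\jgpijieg.tmp 48cfb10b88080f7bc8f30d6390781f0b.exe",
    r"File created C:\Program Files\7-Zip\jgpijieg.tmp alg.exe",
    r"File opened for modification C:\Windows\DtcInstall.log msdtc.exe",
]

# "File <op> <path with spaces> <process>": the process is the last whitespace-free token.
EVENT_RE = re.compile(r"^File (?P<op>opened for modification|created) (?P<path>.+) (?P<process>\S+)$")
# The transient side file the infector writes: eight lowercase letters plus .tmp.
TMP_NAME_RE = re.compile(r"^[a-z]{8}\.tmp$")


def normalize(path):
    """Drop the \\??\\ prefix and case-fold so both spellings of a path compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def parse_events(lines):
    """Return (operation, normalized path, process) for every file IoC line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append((m["op"], normalize(m["path"]), m["process"]))
    return events


def summarize(lines):
    targets = defaultdict(set)   # executable path -> processes that opened it for writing
    temps = defaultdict(set)     # directory -> eight-letter .tmp names created there
    for op, path, proc in parse_events(lines):
        p = PureWindowsPath(path)
        if op == "opened for modification" and p.suffix == ".exe":
            targets[str(p)].add(proc)
        elif op == "created" and TMP_NAME_RE.match(p.name):
            temps[str(p.parent)].add(p.name)
    exe_dirs = {str(PureWindowsPath(t).parent) for t in targets}
    return {
        # every executable opened for writing: the list to re-hash or restore on a host
        "executables": sorted(targets),
        # executables written by the original sample and again by the infected alg.exe
        "re_touched_by_alg": sorted(t for t, procs in targets.items()
                                    if SAMPLE in procs and "alg.exe" in procs),
        # directories where a .tmp appeared next to a written executable
        "tmp_dirs_with_exe_target": sorted(d for d in temps if d in exe_dirs),
    }


if __name__ == "__main__":
    for key, items in summarize(REPORT_LINES).items():
        print(key)
        for item in items:
            print("  ", item)
```

Feeding the full report into summarize() gives the set of binaries whose signature and hash need checking on any host that ran this sample; note that the .tmp names differ per directory and per run, so the directory pairing, not the names, is the reusable indicator.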
Modifies data under HKEY_USERS 5 IoCs
Processes: fxssvc.exe
description ioc process
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes: alg.exe
pid process
2532 alg.exe (40 events, all from this one process)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
672
672
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 48cfb10b88080f7bc8f30d6390781f0b.exe, fxssvc.exe, alg.exe, msiexec.exe
description pid process
Token: SeTakeOwnershipPrivilege 4612 48cfb10b88080f7bc8f30d6390781f0b.exe
Token: SeAuditPrivilege 4828 fxssvc.exe
Token: SeTakeOwnershipPrivilege 2532 alg.exe
Token: SeSecurityPrivilege 2444 msiexec.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: alg.exe
description ioc process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
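The two registry writes attributed to alg.exe in this report, EnableNotifications = 0 under the user's SID in Security Center\Svc (the "Disables taskbar notifications" signature above) and Policies\Explorer\HideSCAHealth = 1 (this signature), together keep the Security and Maintenance tray from alerting the user. As an added example (not part of the sandbox report), the Python below parses "Set value" lines in the report's own format into key, value name, type, data and writing process, then matches them against two rules. The rules are written to generalize beyond this run: the Security Center rule matches any S-1-5-21 user SID rather than the sandbox's specific one. The input is the two alg.exe lines from the report plus one of the benign fxssvc.exe MuiCache writes as a negative case; the rule names are my own.

```python
import re
from dataclasses import dataclass

# Input copied from the sandbox report above: the two alg.exe registry writes
# plus one of the benign fxssvc.exe MuiCache writes as a negative case.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-557049126-2506969350-2798870634-1000\EnableNotifications = "0" alg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe',
]

# One 'Set value (<type>) <key>\<name> = "<data>" <process>' line as the report prints it.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<process>\S+)$'
)

# Rule 1: the per-user Security Center notification switch. The SID is matched by
# pattern so the rule fires for any user, not only the sandbox's S-1-5-21-...-1000.
SECURITY_CENTER_KEY = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Svc\\S-1-5-21-\d+-\d+-\d+-\d+$', re.I
)
# Rule 2: the Explorer policy that hides the Security and Maintenance (SCA) tray icon.
EXPLORER_POLICY_KEY = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer$', re.I)


@dataclass(frozen=True)
class RegWrite:
    key: str
    value_name: str
    value_type: str
    data: str
    process: str


@dataclass(frozen=True)
class Hit:
    rule: str
    process: str
    key: str


def parse_set_value(line):
    """Split one report line into its registry write, or return None for other lines."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")   # last path element is the value name
    return RegWrite(key, name, m["type"], m["data"], m["process"])


def match_rules(w):
    """Return the rule name a single write matches, or None."""
    if (SECURITY_CENTER_KEY.match(w.key)
            and w.value_name.lower() == "enablenotifications" and w.data == "0"):
        return "security-center-notifications-disabled"
    if (EXPLORER_POLICY_KEY.search(w.key)
            and w.value_name.lower() == "hidescahealth" and w.data == "1"):
        return "explorer-hide-sca-health"
    return None


def detect(lines):
    """Run every line through the parser and the rules; keep only the matches."""
    hits = []
    for line in lines:
        w = parse_set_value(line)
        if w is None:
            continue
        rule = match_rules(w)
        if rule:
            hits.append(Hit(rule, w.process, w.key))
    return hits


if __name__ == "__main__":
    for h in detect(REPORT_LINES):
        print(f"{h.rule}: {h.process} wrote {h.key}")
```

Both rules check the data value as well as the key, so a benign write that re-enables notifications (EnableNotifications = 1) or clears the policy does not fire; on a live host the same two predicates map directly onto registry-set telemetry such as Sysmon's registry value events.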
Processes
(all entries are at tree depth 1; none is recorded as a child of another)
-
C:\Users\Admin\AppData\Local\Temp\48cfb10b88080f7bc8f30d6390781f0b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\48cfb10b88080f7bc8f30d6390781f0b.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2532
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:2324
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:536
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2080
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:400
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2164
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.9MB
MD5: 5677a5cab11dd0ec60124a62b0b7cf6f
SHA1: 47852c0398c0fd3c3cf1395b1664e85547af8966
SHA256: 9736f1c269a1de191c3a26dd11f4817ccb34bd8f8720bc392b349a40f832d2ac
SHA512: d982145de4b2a31fa73539af1ab20c1b2d8ab5b568caf68600a68d3e7aa831a1cb6b008ffceec971263fa7271ee796cdc5db073f02cb176e021a1427605ad31d
-
Filesize: 613KB
MD5: d296149f6607a6d4c59f5996ba5f6bc1
SHA1: 1b23348c2fd438ffb505095ab86fb5b0599e02bc
SHA256: 366bec7290dfd151622651823ca5172a9316cd3004107ae5987d121f93152dd2
SHA512: b7dbe88168cf7a6fd44f03682ac2f8b4382bfe0903060e792e324bff69af8754406d2c1599c1468b2d1c3863374f87c5d57d61a076bca696f8d8ae209e8a2588
-
Filesize: 1.3MB
MD5: 1da9140fe46dbf02aeeadbef122ac293
SHA1: 946aea98c22242da115e797136d339119e01e5cf
SHA256: 060b4ebd79937d0390f782806ccc8270366e9f5beb85ff07d7977cc484d4e8eb
SHA512: a9a3951b196010b4a73390b7bae247e892e0ff6a6f528ad7f58259feb5198fdbf3592a924d37c7f20feaabf58c343e3599ec131648b478b87e738c00399f3e0a
-
Filesize: 410KB
MD5: 6127dff5242fd478d743418c7a1d2fe3
SHA1: dab39ca14e6720568040439144e6920c0f82586e
SHA256: 327e3edec344e57f0097f76f259bb219dce116605baf0226724c67ed43154b6a
SHA512: 080a49fcfa5ff0065a066334b66345cce1e60001764e8af8a6bbce454869a5c6c0a50840006173ce4ef67e7a7283307fb6e83f2726df9c8ba7aeba127d0c73ab
-
Filesize: 672KB
MD5: 345d36c7c99e8fb08bec29a7a0be528e
SHA1: 21d55e037f39a95fc5627f01b61b6cf21550f907
SHA256: 7c2c0f6f96e277a5a66ffa0e80daafbc165b88818149e3dce98ebe340f18ee95
SHA512: 1db84a1976cf4e00cdcecd994390279d76406fb759cc989ce26851dd0686906e3a8d266f6e4266dc7a30cb80a120afc03c9940f30a2210e459659f0a46824750
-
Filesize: 4.5MB
MD5: 45e87e143eea0b06c72a715629f63219
SHA1: 3e6ca3422e4e1ae2b155e35f139f7e7d82fd0013
SHA256: 0f8bb44c3e5ec4547c6942e2f4d663bb86b95f5762fb73362b2f968d455f39d1
SHA512: d1e1f44beaf5284022d7eca7a9956c6fd1a46863290b19db4548c35c7c2ade1c7f3ff21841c2f515eb92d2d7713c717c2d44ada3e0a3eb18662ca8405c0995f2
-
Filesize: 742KB
MD5: 0b61ed805e778138e4a1b775d77da2fb
SHA1: e86cc0ffde93299792fb9ee5ef32f7afdbe04ebd
SHA256: 66ee4ab7fa88576d64c5d6448dded0d4f96e58d05b34fd2dfb9b07010ca91c35
SHA512: b169c5d5b738aecc459f56aea0a2e7096ef8ea9557f5b78500468a7fbfc1c65a94ca28b39ed7431057eb01eb3dfa70de3f45e438f383e7d410f411389944472f
-
Filesize: 23.8MB
MD5: 483110b314b12b1e05f7611a712407e1
SHA1: 6e086f9bd875e0985f852eb2f1a4c108048ea2b3
SHA256: d6020a9a6f2e6809e03d37d101a03703c205e42b99d82f838c6227769180ca40
SHA512: 4ad78b29c957dbaee04362f71854a0af07898f3dc19a0792c5c377f48f92141e17836e90edbdcc3601c6360911a4f50c22b610dff5fddf4e41d2e7252c616b8a
-
Filesize: 2.5MB
MD5: 0c0e50e2be48b8323447dcad1504f82a
SHA1: 0352a624b41669c79c4fb054f8d4c9e1ca3f599d
SHA256: 193f540bf5fe489abe2891ece5b6b8a58874ffad0b93b74dc93fa276befd88a6
SHA512: a11a8def9be48f245694c3829cf8cbf59e3d1928110ac3740cadee5172b33c36e300291c75b8bb4eb9b28b803c378fe6e5ed08c4407d3a181d42da30c0e61905
-
Filesize: 2.0MB
MD5: 03a4e5b085b98905dd705e22fe4af694
SHA1: 2349a9bb74617eb0a2a904e6e992ea8326441ab0
SHA256: 547efa996f879f6437dbf015174da160195d42fc4184907d274002b01a003b85
SHA512: 6552626f2469b82a29903598876cbf698084395f52f947fdc30585bbf04a8e775bd42d2ecd9d575863ced708cdc9de177bb53d32ffe37810956686a1e1bf0fea
-
Filesize: 629KB
MD5: 1ee4cfd6cbfeb91870fe13cc625f05aa
SHA1: 903701ec16ef43bac028fa6042aa2792441cde24
SHA256: e377c08fb278a7fd6ccf6ab717c2965ba20d2f17ad0be65484205aaea99b76af
SHA512: 9aeb933906110d0d9d2c01adb945edd6c2db608e027ff2159a708b06bb548ad987d5781c9618890109632e76edabae0bffc0927110fd993fc87c181bbee8855a
-
Filesize: 822KB
MD5: 0c4193f6c6b6fb93efb756190809ea91
SHA1: 586a0eaaa6b9ac8fdbf4522e214dfebcbf20016a
SHA256: be928a9a4ff9f1399cf9218b62070b0f0fdfc98af6f4e55b1186ff0bee370c09
SHA512: 304ee5e69de5644881988a5720faa796ddbb2b37d7bc5479a1f02c9db98bf330cc868dbbe068fa8ce084de1fa39d959337d034c0e9a560911f44b8a2d8783417
-
Filesize: 491KB
MD5: 2c778e8dd83a250b37cac3cf6acbd578
SHA1: 1467c5e32e1676017dfd83abe98f9496e7c24093
SHA256: 694dea37385b75963b87a9f676789c2ed465b33c5aa5eefbfc543039ad94bd91
SHA512: b3e1cef82dccbba2ca2ad1ae0437844ba54ede71ced52aafd52ef90a3625234dbe059b1e2a9fc052cf819c9474d695b214f3b6171c1bff52fb38cdacc42b9342
-
Filesize: 1.0MB
MD5: 030164fae7fe1e6a2e2ebb645360a35d
SHA1: 31d64d514b377b34c7be08b8bf8a007ef6f17874
SHA256: 852616c2092f6b1b7f6cdb11ab55d875b5c17d4d9b5f6e48def8ce4561d8fcb0
SHA512: fb8a34b4d40758c4717d0f22ce55d04ce839a89c8ae67861bd7f52a31f396be87617537797269d6ecadc5bc3ee00c93793624c2fd5d0fd7bf18304109fc06750
-
Filesize: 493KB
MD5: a9ba811684bd2f956a55b47b3ab268b7
SHA1: 0fdbf1b38908d152c83837f29dae93f84864555b
SHA256: 44ff45cb7682f37b312d2cb337ddf51c2786c939f20df9f8946565f2348ac3fc
SHA512: acdb7a36a9127f3acdeeaf9c4a43d30ce6a1d4d0f47bb2c1cef8780718402ea082ca2b211b5a19bae197e278d8e94800f1a324ecadbfec11cbba6c73de7c4410
-
Filesize: 544KB
MD5: 9a1ad88b6deb75b55bf60c6c5926c652
SHA1: e5f7aa50220c923362f3a8e7595ecba23c82ee98
SHA256: 09b4ae39f0d7b4acdd9460faa32c8774e7461aac9ec084d6fd3a5066b6be27e2
SHA512: eeefe0a3ef11905dccaccd9ab23c8051eff791d1bf73ad77f335b10519bcc1ce22f026b6d5fbdea8fd3891207a2eefb3447193b9b8447aed736fd224a97a85da
-
Filesize: 467KB
MD5: d2f88567c8ee1984b5880e2ebcb0ae4b
SHA1: e514fa75f729019f0d368f4b9af056ca0a1d6e07
SHA256: 1841f6ad80b8324529944341cf8e5b767d8ed36cc7c112297c8ddb9f67d6bf0d
SHA512: 56ebea4a4ee3f9fa45fc3946e9d4187e3292b6ee66b437566b2c7ac4b5d93fa8ce816bd8cc6068c59049a37a8331035e380d0f21cf046632c77db718c9b44904
-
Filesize: 5.4MB
MD5: 15c9ce4ceca3281e4b2a3a54c1c4b95c
SHA1: ac664fcceca11fd7d7d106701e8f2dc90117f105
SHA256: 6a34976a801f26fc5def7b8fbead4b2a2cadacfcb5dcc1c541f764d2e1513baa
SHA512: 7fa7e977377bca6fbca0f2a0c4ea5a3e842e776c084a1ffb0da9a702cbc989a1328829582164be01b66837d9b95568d18bb4f2357dca18566f685887df251ba9
-
Filesize: 637KB
MD5: ab657ee4352840849b7dd1d4d06eb8e3
SHA1: 929823d2e25a80b694d494ff74bd03f94ebb2d32
SHA256: fea1afe9d96b11e423d2cb35aa28a0c1b0cfcc9236d8d2ff3fe0f2d10ca34c98
SHA512: d870ddc3fcc47fbe14681b19eac9034a6709750dfb2c3b4565ae9f033b8460e18a1ea9d973c9b8d02965d185f8a9cdea437d0284bb7cbf3f66bd808d2f926c4b
-
Filesize: 1.1MB
MD5: 50aaf2a15f9eaf6fea3f224e026b84f8
SHA1: 4ec8be6ddeb10b2798a639be88aa04665816a5a2
SHA256: 4ddf5bf789dd5256f58dccb68c1d0e9b809bc51fdb377af49393827c0b84d672
SHA512: 392eac224e5b6b451d1db7754360721a32f8075fc89aec0cad5a4e3b8a4c96de6d0d2a2db9c448b13c955fd2180f57d68774468ea49944ba50a6873da41ee7bf