2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
Size

292KB
MD5

b3574ad7351c0db4e2be4bfaea711991
SHA1

88f6c171d47c5727002e4dc13a0576b24f2294a7
SHA256

2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b
SHA512

a23eb2c3443f75ea9152d173a13e68bc13f9a4eeea1d0bc124ae7fa661651085ce5fb0826e81ed23122019280acdb89d1b2741b762ccc5a594665379e4453800
SSDEEP

3072:vh1BTKDPZ8y9nd9SIb40UXEfhEYbzPCTVZR3AWijGLMoaqD3:5Tw9UU5EYCTvaBjuT

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\JPV2W5K\\TLR5E2K.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\JPV2W5K\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000233e8-142.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe

Executes dropped EXE 5 IoCs

pid	Process
1052	service.exe
1908	smss.exe
5076	system.exe
3292	winlogon.exe
4424	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
5076	system.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000233e8-142.dat	upx
behavioral2/memory/5076-308-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral2/memory/5076-319-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0E2KWI = "C:\\Windows\\MOY6J8O.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sPV6J8O0 = "C:\\Windows\\system32\\VPO2V7QRWI0D1C.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Z:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EDG6M5W.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T\VPO2V7Q.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\EDG6M5W.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\SysWOW64\VPO2V7QRWI0D1C.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T	system.exe
File opened for modification	C:\Windows\SysWOW64\VPO2V7QRWI0D1C.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\VPO2V7QRWI0D1C.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\EDG6M5W.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T\VPO2V7Q.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T\VPO2V7Q.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T\VPO2V7Q.cmd	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\EDG6M5W.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T\VPO2V7Q.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\VPO2V7QRWI0D1C.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T	service.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\NFG6J7T\VPO2V7Q.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\EDG6M5W.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\EDG6M5W.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\VPO2V7QRWI0D1C.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\VPO2V7QRWI0D1C.exe	lsass.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RWI0D1C.exe	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\RWI0D1C.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\JPV2W5K\JMI6M4G.com	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\JMI6M4G.com	system.exe
File opened for modification	C:\Windows\JPV2W5K\smss.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\smss.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\JPV2W5K\smss.exe	system.exe
File opened for modification	C:\Windows\JPV2W5K\JMI6M4G.com	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K\smss.exe	lsass.exe
File opened for modification	C:\Windows\RWI0D1C.exe	lsass.exe
File opened for modification	C:\Windows\MOY6J8O.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K	system.exe
File opened for modification	C:\Windows\JPV2W5K\service.exe	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K\regedit.cmd	smss.exe
File opened for modification	C:\Windows\JPV2W5K\TLR5E2K.exe	winlogon.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\JPV2W5K	service.exe
File opened for modification	C:\Windows\JPV2W5K\TLR5E2K.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\service.exe	system.exe
File opened for modification	C:\Windows\JPV2W5K\smss.exe	service.exe
File opened for modification	C:\Windows\JPV2W5K\JMI6M4G.com	service.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\JPV2W5K\service.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\winlogon.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\service.exe	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K\JMI6M4G.com	smss.exe
File opened for modification	C:\Windows\JPV2W5K\system.exe	service.exe
File opened for modification	C:\Windows\JPV2W5K	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\lsass.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\TLR5E2K.exe	lsass.exe
File opened for modification	C:\Windows\JPV2W5K\TLR5E2K.exe	system.exe
File opened for modification	C:\Windows\JPV2W5K	lsass.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\JPV2W5K\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\RWI0D1C.exe	smss.exe
File opened for modification	C:\Windows\JPV2W5K\MYpIC.zip	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K\system.exe	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K\system.exe	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K\TLR5E2K.exe	service.exe
File opened for modification	C:\Windows\JPV2W5K\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
File opened for modification	C:\Windows\JPV2W5K\JMI6M4G.com	lsass.exe
File opened for modification	C:\Windows\JPV2W5K	winlogon.exe
File opened for modification	C:\Windows\JPV2W5K\winlogon.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	5076	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
1052	service.exe
1908	smss.exe
3292	winlogon.exe
5076	system.exe
4424	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1052	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	88
PID 4564 wrote to memory of 1052	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	88
PID 4564 wrote to memory of 1052	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	88
PID 4564 wrote to memory of 1908	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	89
PID 4564 wrote to memory of 1908	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	89
PID 4564 wrote to memory of 1908	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	89
PID 4564 wrote to memory of 5076	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	90
PID 4564 wrote to memory of 5076	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	90
PID 4564 wrote to memory of 5076	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	90
PID 4564 wrote to memory of 3292	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	91
PID 4564 wrote to memory of 3292	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	91
PID 4564 wrote to memory of 3292	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	91
PID 4564 wrote to memory of 4424	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	92
PID 4564 wrote to memory of 4424	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	92
PID 4564 wrote to memory of 4424	4564	2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe	92

C:\Users\Admin\AppData\Local\Temp\2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
"C:\Users\Admin\AppData\Local\Temp\2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\JPV2W5K\service.exe
  "C:\Windows\JPV2W5K\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1052
- C:\Windows\JPV2W5K\smss.exe
  "C:\Windows\JPV2W5K\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1908
- C:\Windows\JPV2W5K\system.exe
  "C:\Windows\JPV2W5K\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Windows\JPV2W5K\winlogon.exe
  "C:\Windows\JPV2W5K\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3292
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\JPV2W5K\JMI6M4G.com

Filesize
292KB

MD5
c46a7a2f413e33b0e0f4ae84ffc6be70

SHA1
a73e74ae3b4a58a40dc62e5a6ddc6d519369dfdc

SHA256
349267fb1d5886d70ea4ca3bceb2e2922c56fd88ddb3de302e4c48e56f251b5c

SHA512
61d10caf428254fc4721676234f8eee0ef3a066a365107dd4ab2916ee1935e03456e61293a8b3b8b5b80bc051015ccf6cfa5168e486fd53f3be177be2362de68

Download Submit
C:\Windows\JPV2W5K\TLR5E2K.exe

Filesize
292KB

MD5
c107c811d5d928fd7595d813b990b3a5

SHA1
ec8d2cb04c15f0800fad2be907c6ab64c60bd4e0

SHA256
8433df15dcead8409b16e9aee3a4314a9b61e0f73fb1c9dcc309767e570d562c

SHA512
7fc102f29beab77121c6b199fd242b014ad160ccab2c16bf1494ee26701ede8847f3c81ff5dd3881e314b1ec86223b30edcafd25a6aaea9a575b25f3d4edaecd

Download Submit
C:\Windows\JPV2W5K\TLR5E2K.exe

Filesize
292KB

MD5
36b1a0f7f997286a83979783efa5d6f9

SHA1
19592bb0faa3ada8c00a24152f78f65e29e7be6b

SHA256
a25a8abedd79bd519d3fa773085021c757470a1b6970e28384fa9686c26e08c3

SHA512
f8f64be79ad68b77a159c394af6f37765262c1cb3a58bf4c3eb85a35cb93a3f7216ec0690258ca91902a539ca34eb70a1bc9b0bc3db654df7a65ef110475538d

Download Submit
C:\Windows\JPV2W5K\regedit.cmd

Filesize
292KB

MD5
8c42d003132e8397ded9fc1748a43624

SHA1
4a0ad042e3e6c5c3ab6ceab51db0047f57b84f51

SHA256
4c3c6158549f8f0d07a19ecea7e806e474bb5f456570da1d337cebe8962477de

SHA512
1a098dc1bccdb8372fd039ba2eb6d14e514ed65a0ce51ee09e3b1d85ad39da91300a585853ea3e689e18112bbcec38656087da7d359d434d97d77ba543b0e001

Download Submit
C:\Windows\JPV2W5K\regedit.cmd

Filesize
292KB

MD5
ef59b9070a8c9a099901d33d05b388f1

SHA1
fdde1ece6f6793ae0e1c54c8c6e50d23ae00803a

SHA256
98abd73ce7c83116675802f35477d45839d1c0f3444e38c4d0a2a56c115f0ecf

SHA512
a53ea1ab5ed755e8d44ce0b010a1daa465887e9fc58ce17b4d0266a033ceae55111bf06f99235d2a01632d033b39cccebdecb59474c11e5f30174c3a872d9ed5

Download Submit
C:\Windows\JPV2W5K\regedit.cmd

Filesize
292KB

MD5
2a79cafb0a38b7f5a4d8f68bfba4a15f

SHA1
7683437c55d6c4450eba3b39d2d6e7e6f3696197

SHA256
c6ccd0def8f571982eb66fedbfbe31657f2f7a572ffd5c68c222a6a359f86eb8

SHA512
eb8643d2fcb6ccf1f10c9697264093e0510e5a8bdec79cab2a38088a3e64fd40c06300c96d40232b20c1e0e1052f20cfdc9cef8ee0b50cae73a8d7830c21566c

Download Submit
C:\Windows\JPV2W5K\service.exe

Filesize
292KB

MD5
2c8ad05eac588a3aa21847e2085d3b1e

SHA1
a8737be5d69c5290d0bbb58fde3e4636763662b7

SHA256
b6f17778d450276bc63fe78ca87ce4e1b078c2b60f6d888a27339fdf33bb208e

SHA512
fc55c46585d6a95cbc5c24a78eead90a510b2f93155d931ec91b59be77364e05fe22007e913ac15321722fd727fc3e613ffa77e9fa6bbd752102344d91185e87

Download Submit
C:\Windows\JPV2W5K\smss.exe

Filesize
292KB

MD5
6ec98340d66a10948733c126886281e5

SHA1
f1114d7306ca9abe5319918fecc4c55015bbb53b

SHA256
00509a322a7e6faa9239d720da2da9dd8a72148d4591ce6f2c9efa3d10b57fbb

SHA512
26177d0212d19d94b3db8ca42233ebf827bf311b9222decc1f29ae57f78fba9c0a1ecdebfea0d8ba572fb723f4765ee9c0d5acd28d99b7d155bb4f4368043706

Download Submit
C:\Windows\JPV2W5K\system.exe

Filesize
292KB

MD5
42894be34ff69f25819253ee6ab067bf

SHA1
9cf3ea7b72c389fcbc7eb11e014f05499c717abb

SHA256
fb48ec1656954269396c211d8f22a0ea8e817eabc8afca71f7d3692b87d5f71f

SHA512
88b457b0994df8261fa94821c87d504f9119c45e75f88dfc6f7bfb2feb758442d9e657307d698c4b87226f022657f00f6cc2bac0ad4f58edc6f1c027c5b0a713

Download Submit
C:\Windows\JPV2W5K\winlogon.exe

Filesize
292KB

MD5
b8113245090cb05c816c7f5d33afc2d9

SHA1
b6f9c4a99dc84e42031a2cc79b5cedeaf449b0b9

SHA256
9e8e7eb22494155f0083845ecc95f6ba73fe69ab5e6eda78ef8b0e4fd86bb79e

SHA512
e7f07c6328dfcef4c6370077546695ea6b3c470263b8f2684aa4dfe1cd37fc00a5bd8afa0cb11953dccd09dfc98feb173d8016c1fe00614c9d90e6ae8f3e788b

Download Submit
C:\Windows\MOY6J8O.exe

Filesize
292KB

MD5
47e3d86f40d2e7741365c92778ed9bf2

SHA1
96ff20a6212334352579c15694ec4a920327ff9f

SHA256
337c6e003b30340ad304358533cb4c182c07225372f9a28154d5d8cb5b000a8b

SHA512
f4031600c9f59f81036d5ab200d934c9843e6838a0ba103791deafdd2d5c451f6698380c2e55c78271b5fcabcc7432b9bfe79e1577dc8d2afa44973ffb932382

Download Submit
C:\Windows\RWI0D1C.exe

Filesize
292KB

MD5
cd48f904d8db40e3b47486b813af8ef6

SHA1
ace6c05c72f0fe3d008068451c0037a5f8b7f54d

SHA256
67f078cad836f609089135d185a98369d3c55cc489069b8628172b741b84bf17

SHA512
f81720125d68b7b451e00c601458ccfd3cd7ec1fe9c064cfb2be48645f97ff15d54ea34a50991ba7cb8598100b1a86b309ce32d9aa5a0ea68f2fea5d7b18b647

Download Submit
C:\Windows\SysWOW64\NFG6J7T\VPO2V7Q.cmd

Filesize
292KB

MD5
178663be8cc4ddad60fa2010d762f6b7

SHA1
2501e35e24ebd3e7658b9306206e8495b5472390

SHA256
80046e07e9cfdf986ee2fc0ffe446e508d23152b6ac55015f0eb5ff4036c494c

SHA512
dc9b4179b4643099bf70adacaa2867517a8733816021e6ef5dcde0eb88e7dfbc6d0d03c2e69d27f6de43aae934c29bc6ae1fd39dedbea53361bef47af5bc568e

Download Submit
C:\Windows\SysWOW64\VPO2V7QRWI0D1C.exe

Filesize
292KB

MD5
2321a92d4a91cc889e3a5fe684a6f4b1

SHA1
9a56bb3346fc1ccdfe66fa9f93232e455e3294e7

SHA256
39245065c5321b8953c49237e77d602d597aefe2c06b5c238a908637ac95f79b

SHA512
2fe6e8916a51dd8081a55de0a4388a7be50f0406998e3ed5a06c848816a58b1c07b0d3c457fd4532480e2902253fd55c3004a49f91a56125204b3ba2a0a8df77

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
53fc5e49df2ffae628f5663659e11563

SHA1
4d48d2a0ad0f95b1c3f15ffb7433a8a6fccbe7fa

SHA256
438eb0b44646e406514e7df51db05c3c1b96b9aaf773f8294c2c3467c05aae5a

SHA512
f809acb020839493bfa81e4d4b8706a7a3c295b87eb09df71870ee3eaccb5a473cdf32c336f7c0b2d840799c99fe6e91bec73868c76f7530f5881d48f1b9b036

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
ef77249bd67adbdd9e84de8d438a5800

SHA1
ffd9b07252c2032eff65c8cc8d7443d4f37ec69b

SHA256
29e5b21dcfe189e81158a8e65893f8b198699883285fecaf28b4eeff292a0102

SHA512
00ff41db0cb3e636c5d58047a8e00058e5ab393670871cf09fc247ca8cd4a3f378ba410c432d1f26e853b602c6fba9ad41ea65e5ce6b40ffdb5a658738171b24

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
c5c7392dc94c13ef23f98cb3729bf711

SHA1
404d820f4b62462eb932275e3b58a1be42896e7c

SHA256
b73e8cf25db9683d28cca18b3db91fefa1f8c1f6c06bcb0ff1855c9ca3e498f3

SHA512
7153bfab3578b60732b0f86fef10bbb722e978124b1d71c58373e8dfbf3a989983314ab63b40ef99722c42d12da2a28955c770d0f1223993145fd9246ff0cc43

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
e311ef4df4009a9926e9d774568ad810

SHA1
8b546b1b626a28a4b117359065e43d5217cb9cfe

SHA256
dba59c4d0417da694c70255a4741b94c92bd6206b932870b4d1b8eefe7fbd9b8

SHA512
597399a7c5cb4b34de5ce070ccd2c2684bb601dded6456eb0bbd7a0cd13d0d4cefbbdc3a9a445840f033a49ec2554c46764535e115897623476ab6be64a89452

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
45c87e723ef890963a244048007fafab

SHA1
724b8494460f10a8be3773aca69a904b1f9f6054

SHA256
1112c19bd06e331ad2a4ce38c0742528f9b92b6f1c7a757d38f32a83e26cf58e

SHA512
2fc969800f75b0ccd27a2c7817423ed81bd56e5eff03329ee485a5ca413c8d934614c32cf9b67b2b6d1e6312f0ae2030577987b7112945c7194efa3969376727

Download Submit
C:\Windows\lsass.exe

Filesize
292KB

MD5
5c946509a8b4d85f5cb0889f3d447fa8

SHA1
3a9647f078ab8eb7a06789c219a3f6ae074e0628

SHA256
784523d9e84f2a9184f1714e47fcc83b2604ccd6cdbfce96d5ddae2ed223b46a

SHA512
9080818209289d1b78ef477f59dc42316386d1369501fde17143ebf84f5ac79836a08531f9e7e9cbbda1e30984cc5ee0c5e318b1ba43d3afd16430816f4f0279

Download Submit
C:\Windows\lsass.exe

Filesize
292KB

MD5
ea97538e4fc1d36402ce49ca18d23003

SHA1
a20878d13efd4ac200b2e1350b73422973d40701

SHA256
83807124ffa2a7f9f705aafe9b15344ac0cd2191159b0928f230cdd32649b615

SHA512
3084aec8175a7e8f5289993f9e0fe992c059f6a4acc32cc7d3c896b924dbabd3a9c6f208fa2cce52200b74d3516f216058b7f6a03079db504c9a530a0bb64d0b

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
1f7ae8bd1269304b9677a1e8b458c273

SHA1
914c035fcd8fc2d26276175240326923e439a2d8

SHA256
a0971629b884006036919ac4d076303a24ae0fff9e0d5d22f3e309f344bc5cc9

SHA512
c298313cf76eb5db48de59025e60f02eccbb48d7cf1d71c71facbb97fb0112ccab129adfb80db6e23d3c7e50a530d554c25ff4c01555dc217b9e01bc078d6c99

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
9a9f3b124d45dc37a7f7ea0d56a2ce77

SHA1
0040ee250be20db1c54f20538422950f967a999c

SHA256
18109fcda7b887d3462aea4c31baf1772ae0926ff1b13835f9ad7c24c3225b32

SHA512
b20973d37eb109537c5889f8deb5b0da3ff3d89d11e2ce8bad0ed7b8627a539e22f9579c8913e51f24891892be9aff62b4ba99b9f51de717136c565aa21e4eaa

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
69adeac97dcfa2b99cd8cc3522021dfa

SHA1
4de0f0861805342f2c68d7b262c07f85446acc42

SHA256
181bf2a0eefd2f8af7d0b22dbb759d18648744b010bbcd470136d485b61bd152

SHA512
159c35ddce1ee182b0122d5822a04164c3f8116a862bd7874266c7d4d70fa889d7b2b6680a9b1dc3507e1ebe7778806b89f51ecb184e39c641f8cb84dd3c711f

Download Submit
memory/5076-308-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/5076-319-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads