Analysis

max time kernel: 75s
max time network: 69s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 28/04/2024, 03:15

Static task: static1
Behavioral task: behavioral1
Sample: 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
Resource: win7-20240215-en
Errors

Every yara and signature resource in the sections below is tagged behavioral2, i.e. the win10v2004-20240419-en run described in the header; the behavioral1 task on win7-20240215-en is listed with errors and no win7 data appears in what follows.
General

Target: 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
Size: 9.1MB
MD5: 19beac0f25da3868810921f25e10bd47
SHA1: 57a8a3df66829a38c171acce3f3d3fa6b601cf12
SHA256: 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f
SHA512: 824d5eaff1fa09d1038fd33645a9ecd4541e84ba59aebbbd5d7d25e0c503bbd489ac5ed899e9b0f02e1914072ccc322e0097e63ebe895baba86512f7b32d5e83
SSDEEP: 196608:hyEbJ8kKU1qXmuNXCf9CeBlXXuWEA1HaugJKvgabfT8z//QTDQsN99x:hbK8qWf9CeXXeWVYKoabfT6QT0sT9x
Malware Config

Signatures
Gh0st RAT payload (10 IoCs)
YARA rule family_gh0strat fired on memory dumps of four EPEvenue_SB.exe processes (116, 1576, 1832, 3636), and every hit covers the same 0x18F000-byte region 0x10000000-0x1018F000. 0x10000000 is the link-time image base MSVC gives 32-bit DLLs, so the most plausible reading is a Gh0st DLL mapped unrelocated inside each child; that is an analyst inference from the addresses, the report only records the rule hits. The same region is also flagged by the upx rule further down.
resource                                                                      yara_rule
behavioral2/memory/116-135-0x0000000010000000-0x000000001018F000-memory.dmp   family_gh0strat
behavioral2/memory/116-134-0x0000000010000000-0x000000001018F000-memory.dmp   family_gh0strat
behavioral2/memory/116-138-0x0000000010000000-0x000000001018F000-memory.dmp   family_gh0strat
behavioral2/memory/116-139-0x0000000010000000-0x000000001018F000-memory.dmp   family_gh0strat
behavioral2/memory/1576-166-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral2/memory/1576-167-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral2/memory/1832-190-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral2/memory/1832-188-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral2/memory/3636-205-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral2/memory/3636-206-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
resource                                    yara_rule
behavioral2/files/0x000a000000023ba4-9.dat  acprotect
The same dropped file also matches the upx rule further down; packer identification from signature rules is indicative, not conclusive, so do not read the two hits as two packing layers.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: winos.exe
Key queried: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation
That path is HKCU\Control Panel\International\Geo\Nation for the sandbox user, i.e. the user's GeoID. A single read at start-up is the usual shape of region-dependent behaviour, and a sandbox configured as en-us may well take a different branch from a machine in the intended region, so the absence of further activity here should not be over-read.
Executes dropped EXE (54 IoCs)
Process          PIDs
winos.exe        3108
kpzs.exe         2456, 3148, 4976, 4984
EPEvenue_SB.exe  3956, 116, 2496, 1576, 1628, 1832, 2636, 3636, 4780, 3692, 3828, 4276, 4864, 2596, 1676, 3948, 4532, 3248, 1780, 4184, 628, 3696, 2692, 3644, 4280, 3128, 2632, 2996, 1612, 4576, 3408, 4864, 2276, 2560, 2572, 2460, 1504, 632, 3468, 1352, 1308, 2692, 2552, 1048, 3564, 2420, 3616, 4896, 1808 (49 PIDs; 4864 and 2692 each appear twice, i.e. the PID was reused within the run)
Loads dropped DLL (64 IoCs)
One entry per DLL load event, grouped here by loading process. The count is exactly 64 here and again under WriteProcessMemory, and the later EPEvenue_SB.exe parents in the process tree (4532 onward) carry no Loads-dropped-DLL tag, so treat 64 as a display cap rather than the true total.
pid   Process                                                                  events
3372  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe   7
3108  winos.exe                                                                4
2456  kpzs.exe                                                                 3
3148  kpzs.exe                                                                 2
4976  kpzs.exe                                                                 2
4984  kpzs.exe                                                                 2
3956  EPEvenue_SB.exe                                                          5
2496  EPEvenue_SB.exe                                                          6
1628  EPEvenue_SB.exe                                                          7
2636  EPEvenue_SB.exe                                                          4
4780  EPEvenue_SB.exe                                                          5
3828  EPEvenue_SB.exe                                                          4
4864  EPEvenue_SB.exe                                                          6
1676  EPEvenue_SB.exe                                                          7
UPX packed file (13 IoCs)
Rule upx matched one dropped file and twelve memory dumps.
resource                                                                      yara_rule
behavioral2/files/0x000a000000023ba4-9.dat                                    upx
behavioral2/memory/3372-12-0x0000000074FF0000-0x00000000750AC000-memory.dmp   upx
behavioral2/memory/116-135-0x0000000010000000-0x000000001018F000-memory.dmp   upx
behavioral2/memory/116-134-0x0000000010000000-0x000000001018F000-memory.dmp   upx
behavioral2/memory/116-132-0x0000000010000000-0x000000001018F000-memory.dmp   upx
behavioral2/memory/116-138-0x0000000010000000-0x000000001018F000-memory.dmp   upx
behavioral2/memory/116-139-0x0000000010000000-0x000000001018F000-memory.dmp   upx
behavioral2/memory/1576-166-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral2/memory/1576-167-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral2/memory/1832-190-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral2/memory/1832-188-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral2/memory/3636-205-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral2/memory/3636-206-0x0000000010000000-0x000000001018F000-memory.dmp  upx
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (23 IoCs)
Every entry is an EPEvenue_SB.exe parent calling SetThreadContext on a child that is also EPEvenue_SB.exe (see the process tree). Read together with the five WriteProcessMemory calls the same parents make into the same children and the family_gh0strat hits in those children's memory, this is the create-suspended, write, set-context, resume sequence of process hollowing into a copy of itself. That is an analyst reading of the signatures; the report itself only records the calls. The process column is EPEvenue_SB.exe for all 23 rows.
parent pid -> target pid   procid_target
3956 -> 116    98
1628 -> 1832   102
2636 -> 3636   104
4780 -> 3692   106
3828 -> 4276   112
4864 -> 2596   114
1676 -> 3948   117
4532 -> 3248   120
1780 -> 4184   122
628  -> 3696   124
2692 -> 3644   126
4280 -> 3128   128
2632 -> 2996   130
1612 -> 4576   132
3408 -> 4864   134
2276 -> 2560   136
2572 -> 2460   138
1504 -> 632    140
3468 -> 1352   142
1308 -> 2692   146
2552 -> 1048   148
3564 -> 2420   150
3616 -> 4896   152
Drops file in Program Files directory (12 IoCs)
All twelve files are created by the sample (PID 3372) under C:\Program Files (x86)\12\:
12345678.exe
DuiLib.dll
kpzs.exe
msvcp100.dll
rtl70.bpl
vcl70.bpl
winos.exe
CefControl.dll
EPEvenue_SB.exe
libcef.dll
msvcr100.dll
XPFarmer.bpl
Several of these names are ordinary third-party runtime components: msvcp100.dll and msvcr100.dll are the Visual C++ 2010 CRT, rtl70.bpl and vcl70.bpl are Delphi 7 runtime packages, libcef.dll is the Chromium Embedded Framework, DuiLib.dll is a Windows UI library. Whether the dropped copies are clean is not established by this report, so hunt on the directory name and on the hashes under Downloads rather than on these file names alone.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid   Process                                                                  events
3372  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe   8
3108  winos.exe                                                                52
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Token: SeDebugPrivilege, enabled in 24 EPEvenue_SB.exe processes: 116, 1576, 1832, 3636, 3692, 4276, 2596, 3948, 3248, 4184, 3696, 3644, 3128, 2996, 4576, 4864, 2560, 2460, 632, 1352, 2692, 1048, 2420, 4896.
Every one of these is the child half of an EPEvenue_SB.exe parent/child pair in the process tree, never the parent, which fits the child being the process that ends up running the injected code. 1576 is the only child whose parent (2496) shows no SetThreadContext entry, yet 1576 carries a family_gh0strat hit; the report does not explain the gap.
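The three tables above (SetThreadContext, AdjustPrivilegeToken, Gh0st RAT payload) answer the analyst's real question only once they are joined by PID: which process got hollowed, by whom, and which of those carried the payload. The following is an added example that parses the tables as they appear in this report and performs that join; it is not code from the sandbox or from the sample. The rule name family_gh0strat, the table wording and every PID are the report's; the parsing, the same-image check and the PID-reuse check are the editor's own.

```python
"""Correlate three signature tables of a sandbox report into one injection chain.
Added example, not code from the report or the sample: the raw strings are copied
from the 'Suspicious use of SetThreadContext', 'Suspicious use of AdjustPrivilegeToken'
and 'Gh0st RAT payload' tables; parsing and correlation are the editor's own."""
import re
from collections import defaultdict

SET_THREAD_CONTEXT = """
PID 3956 set thread context of 116 3956 EPEvenue_SB.exe 98 PID 1628 set thread context of 1832 1628 EPEvenue_SB.exe 102
PID 2636 set thread context of 3636 2636 EPEvenue_SB.exe 104 PID 4780 set thread context of 3692 4780 EPEvenue_SB.exe 106
PID 3828 set thread context of 4276 3828 EPEvenue_SB.exe 112 PID 4864 set thread context of 2596 4864 EPEvenue_SB.exe 114
PID 1676 set thread context of 3948 1676 EPEvenue_SB.exe 117 PID 4532 set thread context of 3248 4532 EPEvenue_SB.exe 120
PID 1780 set thread context of 4184 1780 EPEvenue_SB.exe 122 PID 628 set thread context of 3696 628 EPEvenue_SB.exe 124
PID 2692 set thread context of 3644 2692 EPEvenue_SB.exe 126 PID 4280 set thread context of 3128 4280 EPEvenue_SB.exe 128
PID 2632 set thread context of 2996 2632 EPEvenue_SB.exe 130 PID 1612 set thread context of 4576 1612 EPEvenue_SB.exe 132
PID 3408 set thread context of 4864 3408 EPEvenue_SB.exe 134 PID 2276 set thread context of 2560 2276 EPEvenue_SB.exe 136
PID 2572 set thread context of 2460 2572 EPEvenue_SB.exe 138 PID 1504 set thread context of 632 1504 EPEvenue_SB.exe 140
PID 3468 set thread context of 1352 3468 EPEvenue_SB.exe 142 PID 1308 set thread context of 2692 1308 EPEvenue_SB.exe 146
PID 2552 set thread context of 1048 2552 EPEvenue_SB.exe 148 PID 3564 set thread context of 2420 3564 EPEvenue_SB.exe 150
PID 3616 set thread context of 4896 3616 EPEvenue_SB.exe 152
"""
ADJUST_PRIVILEGE = """
Token: SeDebugPrivilege 116 EPEvenue_SB.exe Token: SeDebugPrivilege 1576 EPEvenue_SB.exe
Token: SeDebugPrivilege 1832 EPEvenue_SB.exe Token: SeDebugPrivilege 3636 EPEvenue_SB.exe
Token: SeDebugPrivilege 3692 EPEvenue_SB.exe Token: SeDebugPrivilege 4276 EPEvenue_SB.exe
Token: SeDebugPrivilege 2596 EPEvenue_SB.exe Token: SeDebugPrivilege 3948 EPEvenue_SB.exe
Token: SeDebugPrivilege 3248 EPEvenue_SB.exe Token: SeDebugPrivilege 4184 EPEvenue_SB.exe
Token: SeDebugPrivilege 3696 EPEvenue_SB.exe Token: SeDebugPrivilege 3644 EPEvenue_SB.exe
Token: SeDebugPrivilege 3128 EPEvenue_SB.exe Token: SeDebugPrivilege 2996 EPEvenue_SB.exe
Token: SeDebugPrivilege 4576 EPEvenue_SB.exe Token: SeDebugPrivilege 4864 EPEvenue_SB.exe
Token: SeDebugPrivilege 2560 EPEvenue_SB.exe Token: SeDebugPrivilege 2460 EPEvenue_SB.exe
Token: SeDebugPrivilege 632 EPEvenue_SB.exe Token: SeDebugPrivilege 1352 EPEvenue_SB.exe
Token: SeDebugPrivilege 2692 EPEvenue_SB.exe Token: SeDebugPrivilege 1048 EPEvenue_SB.exe
Token: SeDebugPrivilege 2420 EPEvenue_SB.exe Token: SeDebugPrivilege 4896 EPEvenue_SB.exe
"""
GH0ST_MEMORY = """
behavioral2/memory/116-135-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/116-134-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/116-138-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/116-139-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/1576-166-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/1576-167-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/1832-190-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/1832-188-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/3636-205-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
behavioral2/memory/3636-206-0x0000000010000000-0x000000001018F000-memory.dmp family_gh0strat
"""
# Row shapes as printed by the sandbox: "PID <p> set thread context of <c> <p> <image> <procid_target>",
# "Token: <priv> <pid> <image>", "memory/<pid>-<dump>-<start>-<end>-memory.dmp <rule>".
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\d+)")
TOKEN_RE = re.compile(r"Token: (\w+) (\d+) (\S+)")
MEM_RE = re.compile(r"memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp (\w+)")


def parse_thread_context(text):
    """[(parent_pid, child_pid, parent_image, procid_target), ...] in report order."""
    return [(int(p), int(c), img, int(i)) for p, c, img, i in STC_RE.findall(text)]


def parse_privileges(text):
    """{pid: (image, {privilege names})}."""
    out = {}
    for name, pid, image in TOKEN_RE.findall(text):
        out.setdefault(int(pid), (image, set()))[1].add(name)
    return out


def parse_memory_hits(text):
    """{pid: {(start, end, rule), ...}} for yara hits on memory dumps."""
    hits = defaultdict(set)
    for pid, start, end, rule in MEM_RE.findall(text):
        hits[int(pid)].add((int(start, 16), int(end, 16), rule))
    return dict(hits)


def injection_chain(stc, privs, hits, payload_rule="family_gh0strat"):
    """One row per SetThreadContext target, plus payload-bearing PIDs that were never
    a target: that is where a capped or missing signature shows up."""
    rows, targets = [], set()
    for parent, child, parent_image, idx in stc:
        targets.add(child)
        child_image, child_privs = privs.get(child, (None, set()))
        rows.append({"parent": parent, "child": child, "procid_target": idx,
                     "same_image": child_image == parent_image,
                     "privileges": sorted(child_privs),
                     "payload_in_memory": any(r == payload_rule for _, _, r in hits.get(child, ()))})
    unexplained = sorted(pid for pid, rs in hits.items()
                         if pid not in targets and any(r == payload_rule for _, _, r in rs))
    return rows, unexplained


def reused_pids(stc):
    """Targets that also appear as an injecting parent: the PID number was used twice
    within the run, so any join keyed on PID alone also needs an ordering key."""
    parents = {p for p, _, _, _ in stc}
    return sorted(c for _, c, _, _ in stc if c in parents)


def analyze():
    stc = parse_thread_context(SET_THREAD_CONTEXT)
    privs = parse_privileges(ADJUST_PRIVILEGE)
    hits = parse_memory_hits(GH0ST_MEMORY)
    rows, unexplained = injection_chain(stc, privs, hits)
    regions = {(s, e) for rs in hits.values() for s, e, r in rs if r == "family_gh0strat"}
    return {"rows": rows, "unexplained": unexplained, "reused": reused_pids(stc), "regions": regions}
```

Calling analyze() gives 23 parent/child rows, all same-image and all with SeDebugPrivilege in the child; the payload rule fires in three of the targets (116, 1832, 3636) and in one process that never appears as a SetThreadContext target (1576), which is the kind of discrepancy to chase in the raw trace rather than average away. The PID-reuse check matters because 4864 and 2692 are each both a parent and a later target; procid_target is the ordering key that disambiguates them.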
Suspicious use of SetWindowsHookEx (5 IoCs)
pid   Process
3108  winos.exe
2456  kpzs.exe
3148  kpzs.exe
4976  kpzs.exe
4984  kpzs.exe
Suspicious use of WriteProcessMemory (64 IoCs; the list stops at the 64-entry cap mid-way through the last pair)
Grouped by writer -> target, with the number of write events and the target's procid_target:
3108 winos.exe        -> 2456 kpzs.exe         3 writes   91
3108 winos.exe        -> 4976 kpzs.exe         3 writes   95
3108 winos.exe        -> 3956 EPEvenue_SB.exe  3 writes   97
3956 EPEvenue_SB.exe  -> 116  EPEvenue_SB.exe  5 writes   98
3108 winos.exe        -> 2496 EPEvenue_SB.exe  3 writes   99
3108 winos.exe        -> 1628 EPEvenue_SB.exe  3 writes   101
1628 EPEvenue_SB.exe  -> 1832 EPEvenue_SB.exe  5 writes   102
3108 winos.exe        -> 2636 EPEvenue_SB.exe  3 writes   103
2636 EPEvenue_SB.exe  -> 3636 EPEvenue_SB.exe  5 writes   104
3108 winos.exe        -> 4780 EPEvenue_SB.exe  3 writes   105
4780 EPEvenue_SB.exe  -> 3692 EPEvenue_SB.exe  5 writes   106
3108 winos.exe        -> 3828 EPEvenue_SB.exe  3 writes   111
3828 EPEvenue_SB.exe  -> 4276 EPEvenue_SB.exe  5 writes   112
3108 winos.exe        -> 4864 EPEvenue_SB.exe  3 writes   113
4864 EPEvenue_SB.exe  -> 2596 EPEvenue_SB.exe  5 writes   114
3108 winos.exe        -> 1676 EPEvenue_SB.exe  3 writes   116
1676 EPEvenue_SB.exe  -> 3948 EPEvenue_SB.exe  4 writes shown (cut off)  117
The spawns by winos.exe, none of which carry a SetThreadContext entry, show three writes each; the EPEvenue_SB.exe -> EPEvenue_SB.exe pairs, which do, show five. The extra writes are consistent with a payload being written into the suspended child before its thread context is set (analyst inference, not something the report states).
Processes

Indentation follows the parent/child nesting the sandbox reported; PIDs are in parentheses and the signature tags attached to each node follow in brackets. kpzs.exe and EPEvenue_SB.exe always run from C:\Program Files (x86)\12\; command lines are shown only where they carry arguments. The tree records no parent for winos.exe even though the sample dropped it, and the report does not show how it was started.

C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe (3372)
  [Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses]

C:\Program Files (x86)\12\winos.exe (3108)
  [Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory]
  |- kpzs.exe (2456)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx]
  |- kpzs.exe (4976)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx]
  |- EPEvenue_SB.exe (3956)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  |    \- EPEvenue_SB.exe (116)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (2496)  [Executes dropped EXE; Loads dropped DLL]
  |    \- EPEvenue_SB.exe (1576)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (1628)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  |    \- EPEvenue_SB.exe (1832)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (2636)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  |    \- EPEvenue_SB.exe (3636)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (4780)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  |    \- EPEvenue_SB.exe (3692)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (3828)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  |    \- EPEvenue_SB.exe (4276)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (4864)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  |    \- EPEvenue_SB.exe (2596)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (1676)  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
  |    \- EPEvenue_SB.exe (3948)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (4532)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (3248)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (1780)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (4184)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (628)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (3696)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (2692)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (3644)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (4280)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (3128)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (2632)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (2996)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (1612)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (4576)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (3408)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (4864)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (2276)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (2560)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (2572)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (2460)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (1504)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (632)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (3468)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (1352)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (1308)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (2692)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (2552)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (1048)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (3564)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (2420)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  |- EPEvenue_SB.exe (3616)  [Executes dropped EXE; Suspicious use of SetThreadContext]
  |    \- EPEvenue_SB.exe (4896)  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
  \- EPEvenue_SB.exe (1808)  [Executes dropped EXE]

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding (392)
  [no signature tags]
  The CLSID is the shell's ShellBrowserWindow class; this out-of-process activation is routinely seen when a shell item or shortcut is opened and is not an indicator on its own.

"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\E159133B47AF49b39C538B.lnk" (3148)
  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx]

"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\0C045E8D0D3842bfA5D217.lnk" (4984)
  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx]
  kpzs.exe is started twice at top level with a .lnk in the user's Temp directory as its only argument; the shortcut names are reproduced as reported.
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped and extracted files available from the analysis. The extracted page carries hashes only; no file names survive for these entries.

Filesize: 302KB
MD5: e027843c3e66ddd0b8cebbaf027497b1
SHA1: 51671beb478ffcbb99fee5d34cb030efb44fe1b7
SHA256: 09fea0e5f7b57b9ce700d52bc1ed58d3336eb7a9e04ceefd1b5246e4a3bc4c24
SHA512: fff8b36c2b5a1d4dadc0995d91b70317ce83de9c7f36613d64d9dbee1fe1293b8e8469b2f4239584e005675049f6eb67b4a04edc03247731b9b0f3fe45097e85

Filesize: 590KB
MD5: 037d4ae83b30c3ba8f7f23e54a168bb2
SHA1: 05a291f0397928c30d5b8fd4980c9ffb0472a4e7
SHA256: 2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4
SHA512: fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

Filesize: 2.2MB
MD5: cbfc4a8bc75a556dd97981531fadd751
SHA1: 25e8eccb28e804db23d1d5123f3766d29b99294f
SHA256: 4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676
SHA512: 3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

Filesize: 1.1MB
MD5: 4ddce14e5c6c09bbe5154167a74d271e
SHA1: 3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad
SHA256: 37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a
SHA512: f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

Filesize: 755KB
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Filesize: 1.5MB
MD5: b6b5969b658b647fa0c6ec11de139c96
SHA1: 87b0e1176b5d5cae31bee708c8daa383da4adf02
SHA256: a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e
SHA512: 28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

Filesize: 72KB
MD5: 3ffb2d1b619bd7841df50aaf619922fd
SHA1: 6973d1b9f33ceb741569db9d0d1fa06712a2565e
SHA256: 8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe
SHA512: 7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

Filesize: 3.1MB
MD5: e7a550ef58c53720969017f4b739c967
SHA1: 82cbe82ca632c2fcb3cd2f280593462ddb9fc708
SHA256: 5fb627f9bd0621f097fc51be7d22373ead7afafbeacbed584fea07d0cf38a000
SHA512: d583ad302fc6f9db08ec08dfeca8c4d48619903e41e8024178a2195dfc508d9a057cdd25dcc6cf2d0fd688916ec7fc1c276ae1978e0b81293907801633508704

Filesize: 411KB
MD5: e3c817f7fe44cc870ecdbcbc3ea36132
SHA1: 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256: d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512: 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Filesize: 1.4MB
MD5: 99b6a3a2b79d83857bd5129124592f8c
SHA1: e627d960ab29f7003ac0ea15e098bf5ada37ed3d
SHA256: d4876325de6084019f844d69b34079716746a5e52585b74bbb366d0152f0313d
SHA512: 7e02a0eacf25cbfa3b685821b8cf697a6b2b125b6067337a7def18b58e7da6c216d396aefee1928c667900915ee0ee3a616e80985b77632c47f964899d835e1c

Filesize: 1.3MB
MD5: 16a1c27ed415d1816f8888ea2cefb3f6
SHA1: 80db800b805d548f6df4eb2cb37ba2064dc37c05
SHA256: a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390
SHA512: 68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

Filesize: 5.2MB
MD5: dfff7fdeb342305504b35b2261eab611
SHA1: 000f37471c5cf6d245848368d3eec4c1a21b624e
SHA256: 2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246
SHA512: 588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

Filesize: 2KB
MD5: 33ec04738007e665059cf40bc0f0c22b
SHA1: 4196759a922e333d9b17bda5369f14c33cd5e3bc
SHA256: 50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be
SHA512: 2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Filesize: 100KB
MD5: c6a6e03f77c313b267498515488c5740
SHA1: 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256: b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512: 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Filesize: 12KB
MD5: e38d8ff9f749ee1b141a122fec7280e0
SHA1: fbc8e410ef716fdb36977e5c16d3373a6100189a
SHA256: 00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4
SHA512: 2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

Filesize: 288KB
MD5: 1e88afb7fe5b58d09d8a1b631e442538
SHA1: 9ddb655cb32d002f68bdee962ce917002faa3614
SHA256: 21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708
SHA512: a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

Filesize: 4KB
MD5: 88d3e48d1c1a051c702d47046ade7b4c
SHA1: 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
SHA256: 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
SHA512: 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Filesize: 344KB
MD5: bf53c6eaf4dfb9ecc11afba92e0a3c9a
SHA1: cacbaa3c4dc7a0d0cc365f746e468a3013473063
SHA256: 727877e75ee79f940288f0c086e78ff3beae1c6c04894eb7350bdd02d7983139
SHA512: affb46fefbcea4278e82e34206aaa7afbf1b394d9e7c2708ce8cd67a68c122a9978496c24dd1d1b5db175096ddb6aecf151df7c04be41a6847708ba70fbc611e
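Added example for turning the hashes and paths in this report into a host check; it is not part of the report and not a tool the sandbox provides. The SHA-256 values are transcribed from the Target and Downloads tables and the file names from the Drops-file table; demo() builds a scratch tree from constructed placeholder bytes (no real sample is written) so the sweep runs offline. One caveat matters in practice: the Downloads table carries no file names, so some of these hashes may belong to the bundled runtime libraries (msvcr100.dll and friends) rather than to the malware, and a hash hit outside a "...\Program Files (x86)\12" directory is a lead to verify, not a conviction.

```python
"""Sweep a directory tree for the artefacts listed in the sandbox report.
Added example, not part of the report: hashes and names are transcribed from its
Target, Downloads and 'Drops file in Program Files directory' tables; demo() uses
constructed placeholder files so it runs offline. On a suspect host call
sweep(r"C:\\") or sweep(r"C:\\Program Files (x86)")."""
import hashlib
import os
import tempfile

KNOWN_SHA256 = {
    "6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f",  # submitted sample
    "09fea0e5f7b57b9ce700d52bc1ed58d3336eb7a9e04ceefd1b5246e4a3bc4c24",
    "2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4",
    "4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676",
    "37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a",
    "60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa",
    "a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e",
    "8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe",
    "5fb627f9bd0621f097fc51be7d22373ead7afafbeacbed584fea07d0cf38a000",
    "d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf",
    "d4876325de6084019f844d69b34079716746a5e52585b74bbb366d0152f0313d",
    "a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390",
    "2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246",
    "50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be",
    "b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e",
    "00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4",
    "21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708",
    "51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257",
    "727877e75ee79f940288f0c086e78ff3beae1c6c04894eb7350bdd02d7983139",
}
# The drop directory and file names from the report. Names alone are weak evidence
# (msvcp100.dll is everywhere), so name matching is confined to that directory.
DROP_DIR = os.path.join("Program Files (x86)", "12")
DROPPED_NAMES = ("12345678.exe", "DuiLib.dll", "kpzs.exe", "msvcp100.dll", "rtl70.bpl", "vcl70.bpl",
                 "winos.exe", "CefControl.dll", "EPEvenue_SB.exe", "libcef.dll", "msvcr100.dll", "XPFarmer.bpl")


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_SHA256):
    """hash_hits: any file under root whose SHA-256 is in `known`.
    path_hits: a dropped file name sitting inside a '...\\Program Files (x86)\\12' directory."""
    hash_hits, path_hits = [], []
    wanted = {n.lower() for n in DROPPED_NAMES}
    for dirpath, _dirs, files in os.walk(root):
        in_drop_dir = os.path.normcase(dirpath).endswith(os.path.normcase(DROP_DIR))
        for name in files:
            path = os.path.join(dirpath, name)
            if in_drop_dir and name.lower() in wanted:
                path_hits.append(path)
            try:
                if sha256_of(path) in known:
                    hash_hits.append(path)
            except OSError:  # locked or unreadable file: skip it rather than abort the sweep
                continue
    return {"hash_hits": sorted(hash_hits), "path_hits": sorted(path_hits)}


def demo():
    """Offline exercise: a fake drop directory, a decoy with a dropped-file name outside it,
    and one file whose (constructed) hash is added to the known set to drive the hash path."""
    with tempfile.TemporaryDirectory() as root:
        drop = os.path.join(root, DROP_DIR)
        os.makedirs(drop)
        for n in ("winos.exe", "kpzs.exe", "readme.txt"):
            with open(os.path.join(drop, n), "wb") as f:
                f.write(b"constructed placeholder bytes for " + n.encode())  # not the real file
        decoy_dir = os.path.join(root, "Windows", "System32")
        os.makedirs(decoy_dir)
        with open(os.path.join(decoy_dir, "msvcp100.dll"), "wb") as f:
            f.write(b"a common runtime name outside the drop directory")
        marker = os.path.join(root, "Users", "Admin", "Downloads", "payload.bin")
        os.makedirs(os.path.dirname(marker))
        with open(marker, "wb") as f:
            f.write(b"constructed stand-in for a known-bad download")
        result = sweep(root, known=KNOWN_SHA256 | {sha256_of(marker)})

        def rel(paths):
            return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)
        return {"hash_hits": rel(result["hash_hits"]), "path_hits": rel(result["path_hits"])}
```

demo() reports the two dropped names inside the fake "Program Files (x86)\12" directory and ignores the same-named decoy under System32, while the only hash hit is the marker file; that separation, name-in-context versus hash-anywhere, is the point, since it is what keeps a runtime DLL that happens to share a hash with one of the unnamed downloads from being mistaken for the implant.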