hijackloader | 593c83930d6f0ca5e300b1728ed0a793d71ade9bbf3ab5ca6a4c38769c093a36

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AppDFSetup.exe
Size

150.3MB
MD5

0305c6040f60b15e78555fecdde6ddc0
SHA1

07c58215f029201b49f6b34dc911a33904a5e9c1
SHA256

74df5721e20c4ce87a8f7a3f512baa8c201bb095615a81c9581ee15cc50b1afb
SHA512

78c18013c90a766226311163c38697f78335d15798289349612ec2fc503c538cc8fa96da65321ffc1ba0fcb94690d0fd0663fc20357a41aef20bc090ac1acaa3
SSDEEP

1572864:DlAhthKM29V6LLWANUB9IinJn1cpGN4vM+JlhrZnQ9I4FdUrczKrk4Ze2OC2+:wtSD64Jnqrt5v2

Score

10^/10

hijackloader stealc loader stealer

Malware Config

Extracted

Family

stealc

http://89.105.198.116

Attributes

url_path
/192e1934359966f8.php

Signatures

Detects HijackLoader (aka IDAT Loader) 2 IoCs

Processes:

resource	yara_rule
behavioral12/memory/1144-89-0x0000000000400000-0x0000000000692000-memory.dmp	family_hijackloader
behavioral12/memory/1144-91-0x0000000000400000-0x0000000000692000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppDFSetup.exeAppDFSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	AppDFSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	AppDFSetup.exe

Executes dropped EXE 1 IoCs

Processes:

c87269f923a0b2731e0669ba9db53e0b.exe

pid process

1144 c87269f923a0b2731e0669ba9db53e0b.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

c87269f923a0b2731e0669ba9db53e0b.exe

description pid process target process

PID 1144 set thread context of 3576 1144 c87269f923a0b2731e0669ba9db53e0b.exe cmd.exe

pid	process
1144	c87269f923a0b2731e0669ba9db53e0b.exe

description	pid	process	target process
PID 1144 set thread context of 3576	1144	c87269f923a0b2731e0669ba9db53e0b.exe	cmd.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

AppDFSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	AppDFSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	AppDFSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	AppDFSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	AppDFSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	AppDFSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	AppDFSetup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c87269f923a0b2731e0669ba9db53e0b.exeAppDFSetup.execmd.exe

pid process

1144 c87269f923a0b2731e0669ba9db53e0b.exe
1144 c87269f923a0b2731e0669ba9db53e0b.exe
3340 AppDFSetup.exe
3340 AppDFSetup.exe
3576 cmd.exe
3576 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c87269f923a0b2731e0669ba9db53e0b.execmd.exe

pid process

1144 c87269f923a0b2731e0669ba9db53e0b.exe
3576 cmd.exe

pid	process
1144	c87269f923a0b2731e0669ba9db53e0b.exe
1144	c87269f923a0b2731e0669ba9db53e0b.exe
3340	AppDFSetup.exe
3340	AppDFSetup.exe
3576	cmd.exe
3576	cmd.exe

pid	process
1144	c87269f923a0b2731e0669ba9db53e0b.exe
3576	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppDFSetup.exe

description	pid	process
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe
Token: SeShutdownPrivilege	3336	AppDFSetup.exe
Token: SeCreatePagefilePrivilege	3336	AppDFSetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c87269f923a0b2731e0669ba9db53e0b.exe

pid process

1144 c87269f923a0b2731e0669ba9db53e0b.exe
1144 c87269f923a0b2731e0669ba9db53e0b.exe

pid	process
1144	c87269f923a0b2731e0669ba9db53e0b.exe
1144	c87269f923a0b2731e0669ba9db53e0b.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

AppDFSetup.exeAppDFSetup.exec87269f923a0b2731e0669ba9db53e0b.execmd.exe

description	pid	process	target process
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 228	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 4496	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 4496	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 3320	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 3320	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3320 wrote to memory of 1144	3320	AppDFSetup.exe	c87269f923a0b2731e0669ba9db53e0b.exe
PID 3320 wrote to memory of 1144	3320	AppDFSetup.exe	c87269f923a0b2731e0669ba9db53e0b.exe
PID 3320 wrote to memory of 1144	3320	AppDFSetup.exe	c87269f923a0b2731e0669ba9db53e0b.exe
PID 1144 wrote to memory of 3576	1144	c87269f923a0b2731e0669ba9db53e0b.exe	cmd.exe
PID 1144 wrote to memory of 3576	1144	c87269f923a0b2731e0669ba9db53e0b.exe	cmd.exe
PID 1144 wrote to memory of 3576	1144	c87269f923a0b2731e0669ba9db53e0b.exe	cmd.exe
PID 3336 wrote to memory of 3340	3336	AppDFSetup.exe	AppDFSetup.exe
PID 3336 wrote to memory of 3340	3336	AppDFSetup.exe	AppDFSetup.exe
PID 1144 wrote to memory of 3576	1144	c87269f923a0b2731e0669ba9db53e0b.exe	cmd.exe
PID 3576 wrote to memory of 2456	3576	cmd.exe	explorer.exe
PID 3576 wrote to memory of 2456	3576	cmd.exe	explorer.exe
PID 3576 wrote to memory of 2456	3576	cmd.exe	explorer.exe
PID 3576 wrote to memory of 2456	3576	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\AppDFSetup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1768,i,16743915325702977301,16861475606552588281,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\AppDFSetup" --mojo-platform-channel-handle=2096 --field-trial-handle=1768,i,16743915325702977301,16861475606552588281,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\AppDFSetup" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2440 --field-trial-handle=1768,i,16743915325702977301,16861475606552588281,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\c87269f923a0b2731e0669ba9db53e0b.exe
C:\Users\Admin\AppData\Local\Temp\c87269f923a0b2731e0669ba9db53e0b.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AppDFSetup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\AppDFSetup" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3668 --field-trial-handle=1768,i,16743915325702977301,16861475606552588281,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7220b4f9
Filesize
861KB

MD5
76b37c104e8d74da25672b7d4769e535

SHA1
9571345965b9a29c14727d4d7299de078219ecdf

SHA256
1a5eb8b8c583e03ce3f91be3859cc41d4f001a598f5bd4828bdf1df54db1aeec

SHA512
4ff48c53490c448cac4ee787984dd08faeda1d56a73d044acd924fcdd353315e3afe9aba9832e918ed9b2936eb1be88e8db028f4e597193f2c6d795ab8426cfd

Download Submit
C:\Users\Admin\AppData\Roaming\AppDFSetup\Network\Network Persistent State
Filesize
391B

MD5
bbe59a80323839cf3649b086bce642e7

SHA1
62748a5a4c041c6e308bcb291ec48ff534489ad4

SHA256
ce01a195fa6a53a9d0cb9cf8227efe777a1e6f34405df65038389920398c00ba

SHA512
5f0823a6ea4e5140a352cb5f88a7f92c2a8893cf98d23afd9a6a4d01b58c7586a1f31b32b5cd80c3e5d45c0b2b6772397230506271d408b0a233562834d30513

Download Submit
C:\Users\Admin\AppData\Roaming\AppDFSetup\Network\Network Persistent State~RFe58774e.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\AppDFSetup\Network\TransportSecurity
Filesize
203B

MD5
b5882968c8d0dce60bd05c02b3d73add

SHA1
65b3ee2b53997dba3a5fc8342b153c48de058df7

SHA256
52b7d07be7256c6ff109769b0b399882dd22f33cc62c13ffedb502269b68a9e1

SHA512
2db772221eed8635aa4c10f82bb6738f6ee86fded3b78bdaef429a330f8ee2a4347d5e53acc97de50376b8d0c514075708966040a51ab089029dc6937f48357f

Download Submit
C:\Users\Admin\AppData\Roaming\AppDFSetup\Network\TransportSecurity~RFe5901ac.TMP
Filesize
203B

MD5
ac60f5ec88eb867b42146da9e2d8f707

SHA1
3f449015b49edfc1c5faca3a4074b4eaf2e697e4

SHA256
65da9209bf23c2b88a51d512232891ec28247d58b342673eb7c4daad4e6bef8c

SHA512
ee66f904b7789e7d91e2cba628dcf78417030d66efa9678c5a120532d253b12ce579d10160c0a9156926a996cf003c810981c142fbbd14e58fc8db6e485563d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/228-2-0x00007FFF993D0000-0x00007FFF993D1000-memory.dmp

Filesize
4KB

Download
memory/1144-89-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/1144-92-0x0000000074650000-0x00000000747CB000-memory.dmp

Filesize
1.5MB

Download
memory/1144-93-0x00007FFF99DD0000-0x00007FFF99FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1144-91-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/1144-109-0x0000000074650000-0x00000000747CB000-memory.dmp

Filesize
1.5MB

Download
memory/2456-116-0x00007FFF99DD0000-0x00007FFF99FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2456-115-0x0000000000520000-0x000000000075C000-memory.dmp

Filesize
2.2MB

Download
memory/3340-95-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-105-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-104-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-103-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-102-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-101-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-106-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-100-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-96-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3340-94-0x0000014089430000-0x0000014089431000-memory.dmp

Filesize
4KB

Download
memory/3576-112-0x00007FFF99DD0000-0x00007FFF99FC5000-memory.dmp

Filesize
2.0MB

Download
memory/3576-113-0x0000000074650000-0x00000000747CB000-memory.dmp

Filesize
1.5MB

Download