a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Size

170KB
MD5

2a071d9edcc27561b9ec1452d10e9fc2
SHA1

672abe339f15396dd1fcf5691b4163e352a1bb22
SHA256

a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b
SHA512

63f54e739782d08ec8d512af61c169411d8aad4cd1fb9b170f9b000812beab39f79c7bdb688f314ce6b5e495cea252aceded65def2e37f772ccb362bc126f4e3
SSDEEP

3072:tJpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7Uj:DAm5oh63laEo+pXX1pkF8mxeq5+4m71X

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2640	ntinit32.exe
2536	ntinit32.exe
2436	ntinit32.exe
2872	ntinit32.exe
2156	ntinit32.exe
304	sppcomapi.exe

Loads dropped DLL 9 IoCs

pid	Process
2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
2536	ntinit32.exe
2640	ntinit32.exe
2640	ntinit32.exe
2156	ntinit32.exe
2156	ntinit32.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
File opened (read-only)	\??\j:	ntinit32.exe
File opened (read-only)	\??\j:	sppcomapi.exe
File opened (read-only)	\??\q:	ntinit32.exe
File opened (read-only)	\??\z:	ntinit32.exe
File opened (read-only)	\??\M:	ntinit32.exe
File opened (read-only)	\??\R:	sppcomapi.exe
File opened (read-only)	\??\T:	sppcomapi.exe
File opened (read-only)	\??\s:	ntinit32.exe
File opened (read-only)	\??\M:	ntinit32.exe
File opened (read-only)	\??\P:	ntinit32.exe
File opened (read-only)	\??\Z:	ntinit32.exe
File opened (read-only)	\??\N:	ntinit32.exe
File opened (read-only)	\??\X:	ntinit32.exe
File opened (read-only)	\??\y:	ntinit32.exe
File opened (read-only)	\??\v:	sppcomapi.exe
File opened (read-only)	\??\M:	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
File opened (read-only)	\??\A:	ntinit32.exe
File opened (read-only)	\??\P:	ntinit32.exe
File opened (read-only)	\??\G:	ntinit32.exe
File opened (read-only)	\??\Q:	ntinit32.exe
File opened (read-only)	\??\J:	ntinit32.exe
File opened (read-only)	\??\I:	ntinit32.exe
File opened (read-only)	\??\i:	ntinit32.exe
File opened (read-only)	\??\m:	ntinit32.exe
File opened (read-only)	\??\v:	ntinit32.exe
File opened (read-only)	\??\A:	ntinit32.exe
File opened (read-only)	\??\X:	sppcomapi.exe
File opened (read-only)	\??\L:	ntinit32.exe
File opened (read-only)	\??\W:	ntinit32.exe
File opened (read-only)	\??\S:	ntinit32.exe
File opened (read-only)	\??\n:	ntinit32.exe
File opened (read-only)	\??\l:	ntinit32.exe
File opened (read-only)	\??\O:	ntinit32.exe
File opened (read-only)	\??\t:	ntinit32.exe
File opened (read-only)	\??\A:	ntinit32.exe
File opened (read-only)	\??\a:	sppcomapi.exe
File opened (read-only)	\??\t:	sppcomapi.exe
File opened (read-only)	\??\S:	ntinit32.exe
File opened (read-only)	\??\B:	ntinit32.exe
File opened (read-only)	\??\J:	ntinit32.exe
File opened (read-only)	\??\N:	sppcomapi.exe
File opened (read-only)	\??\V:	sppcomapi.exe
File opened (read-only)	\??\X:	ntinit32.exe
File opened (read-only)	\??\w:	ntinit32.exe
File opened (read-only)	\??\z:	sppcomapi.exe
File opened (read-only)	\??\W:	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
File opened (read-only)	\??\W:	ntinit32.exe
File opened (read-only)	\??\R:	ntinit32.exe
File opened (read-only)	\??\G:	sppcomapi.exe
File opened (read-only)	\??\J:	sppcomapi.exe
File opened (read-only)	\??\Z:	ntinit32.exe
File opened (read-only)	\??\H:	sppcomapi.exe
File opened (read-only)	\??\P:	sppcomapi.exe
File opened (read-only)	\??\Q:	sppcomapi.exe
File opened (read-only)	\??\q:	ntinit32.exe
File opened (read-only)	\??\Z:	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
File opened (read-only)	\??\W:	ntinit32.exe
File opened (read-only)	\??\s:	sppcomapi.exe
File opened (read-only)	\??\J:	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
File opened (read-only)	\??\K:	ntinit32.exe
File opened (read-only)	\??\k:	ntinit32.exe
File opened (read-only)	\??\i:	sppcomapi.exe
File opened (read-only)	\??\x:	ntinit32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ntinit32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ntinit32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ntinit32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ntinit32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ntinit32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ntinit32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ntinit32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ntinit32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ntinit32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ntinit32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	sppcomapi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sppcomapi.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6WPCXESV.txt	sppcomapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6WPCXESV.txt	sppcomapi.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\461RRYH8.txt	sppcomapi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	sppcomapi.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 703e169d00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 7088519f00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000a0000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = b023799c00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 10857b9c00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = 10950da000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000c7000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 50eec29c00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 10d2009d00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000096000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000a1000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000b5000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000029000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 5072b2b000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = 90709bd400a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 70acd49d00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000090000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 708ba6b000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000076000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = f0059db000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000059000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 30a998c200a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000009f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 70e67d9c00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 90a49ab000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000083000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = b0c8a1b000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000c2000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 105192e600a8da01	sppcomapi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\6a-4f-8d-4b-10-6b	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000b6000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 10f6a4d400a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 10950da000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000b0000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000009b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000041000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = 102aa4b000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000c4000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000058000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000c3000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000064000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = 900a9bc200a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000007a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = f01bb89d00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = 50cd9fc200a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = 708093b000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = d0e195b000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = d0eca8b000a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000094000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000023000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000ce000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000091000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = d03fb79a00a8da01	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = 70c5449c00a8da01	sppcomapi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadNetworkName = "Network 3"	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000ad000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000040000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	sppcomapi.exe

Modifies registry class 62 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\runas	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\runas\command\IsolatedCommand = "\"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell	ntinit32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\open\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\Software\Classes\wups\shell\runas\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\Software\Classes\wups	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\OEMExt\\ntinit32.exe\" /START \"%1\" %*"	ntinit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\ = "Application"	ntinit32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\runas\command\ = "\"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\OEMExt\\ntinit32.exe\" /START \"%1\" %*"	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open	ntinit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	ntinit32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\runas\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\open	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\open\command\IsolatedCommand = "\"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\open\command\IsolatedCommand = "\"%1\" %*"	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\runas\command	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\runas	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon	ntinit32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\wups\DefaultIcon	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\open	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe	ntinit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	ntinit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	ntinit32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\ = "\"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\shell\open\command\ = "\"C:\\ProgramData\\OEMExt\\ntinit32.exe\" /START \"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wups	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\OEMExt\\ntinit32.exe\" /START \"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\DefaultIcon	ntinit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\DefaultIcon\ = "%1"	ntinit32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\ = "Application"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command	ntinit32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\wups\shell\open\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\DefaultIcon\ = "%1"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\Content-Type = "application/x-msdownload"	ntinit32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wups\Content-Type = "application/x-msdownload"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\runas\command\ = "\"%1\" %*"	ntinit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\ = "stat32"	ntinit32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\open\command	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell	ntinit32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "wups"	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\stat32\shell\runas\command\IsolatedCommand = "\"%1\" %*"	ntinit32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas	ntinit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	ntinit32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon\ = "%1"	ntinit32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
2640	ntinit32.exe
2536	ntinit32.exe
2436	ntinit32.exe
2872	ntinit32.exe
2156	ntinit32.exe
304	sppcomapi.exe
2872	ntinit32.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe
304	sppcomapi.exe
2536	ntinit32.exe
2872	ntinit32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Token: SeIncBasePriorityPrivilege	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
Token: SeIncBasePriorityPrivilege	2536	ntinit32.exe
Token: SeIncBasePriorityPrivilege	2640	ntinit32.exe
Token: SeIncBasePriorityPrivilege	2156	ntinit32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2872	ntinit32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2640	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	28
PID 2676 wrote to memory of 2640	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	28
PID 2676 wrote to memory of 2640	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	28
PID 2676 wrote to memory of 2640	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	28
PID 2676 wrote to memory of 2536	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	29
PID 2676 wrote to memory of 2536	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	29
PID 2676 wrote to memory of 2536	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	29
PID 2676 wrote to memory of 2536	2676	a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe	29
PID 2536 wrote to memory of 2436	2536	ntinit32.exe	30
PID 2536 wrote to memory of 2436	2536	ntinit32.exe	30
PID 2536 wrote to memory of 2436	2536	ntinit32.exe	30
PID 2536 wrote to memory of 2436	2536	ntinit32.exe	30
PID 2640 wrote to memory of 2872	2640	ntinit32.exe	31
PID 2640 wrote to memory of 2872	2640	ntinit32.exe	31
PID 2640 wrote to memory of 2872	2640	ntinit32.exe	31
PID 2640 wrote to memory of 2872	2640	ntinit32.exe	31
PID 2156 wrote to memory of 304	2156	ntinit32.exe	33
PID 2156 wrote to memory of 304	2156	ntinit32.exe	33
PID 2156 wrote to memory of 304	2156	ntinit32.exe	33
PID 2156 wrote to memory of 304	2156	ntinit32.exe	33

C:\Users\Admin\AppData\Local\Temp\a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe
"C:\Users\Admin\AppData\Local\Temp\a40aaea79b5481b460c3cd1e28397012559a1102f5ec71c2b114b8108196064b.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\ProgramData\OEMExt\ntinit32.exe
  "C:\ProgramData\OEMExt\ntinit32.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\OEMExt\ntinit32.exe
    "C:\Users\Admin\AppData\Roaming\OEMExt\ntinit32.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2872
- C:\ProgramData\OEMExt\ntinit32.exe
  "C:\ProgramData\OEMExt\ntinit32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\ProgramData\OEMExt\ntinit32.exe
    "C:\ProgramData\OEMExt\ntinit32.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2436

C:\ProgramData\OEMExt\ntinit32.exe
C:\ProgramData\OEMExt\ntinit32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\ProgramData\Ole320\sppcomapi.exe
  "C:\ProgramData\Ole320\sppcomapi.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\UIFY6LXE.txt

Filesize
15B

MD5
0a1c66dd2c6aa58d45c637c9025efd9f

SHA1
fdaeb1cc552b3f270e93db11f114fb447712eb6e

SHA256
a8fc4e1d6c05e8dc4203faf0fd70fd9b7ccccdd541926a69f26374cc275b334f

SHA512
5f040358ac4170aa64a96fe3b9083ab7ae8cb46040a4804e9c5a301d00ebab069db69bcb8e540e01ccf6bd9b9ab5f1f1bf87eef28a69b2c4f9f720df762ea8ad

Download Submit
C:\Users\Admin\AppData\Roaming\OEMExt\ntinit32.exe

Filesize
170KB

MD5
19882fecfe01847f43608e18f7fffb04

SHA1
d3415d42e20b7c2e3e7aca2915b7863e16e14499

SHA256
ad84c06ca23c411338856f6f75d5f0f6936a3b67ac2f4b58f29fd902809b4543

SHA512
7e9a1be113f915febc97769aadfac037d2895cd512d6c7e75a59df938ac0160deb3cdf8f61188146be7e324b0ab4041e612f7dd5631308ad8e4f3907d5ee0e13

Download Submit
\ProgramData\OEMExt\ntinit32.exe

Filesize
170KB

MD5
a978185d930138129a6a16488956af45

SHA1
faf6047dcf1a8cbc1f9a0c5f878d43f6366af03d

SHA256
d0c490f3dddf8009501fab734f484f2fcb9866462cacee4300c5566afc7f1dc7

SHA512
fe783196ebff00dff9358f3eb2b498230dbcd3b08824b9dde2ac59bc34eadfc1da9dbb32eb895991117bc1206f6c9010b1c9dd31cccc362d0aae65b04ad677c6

Download Submit
\ProgramData\Ole320\sppcomapi.exe

Filesize
170KB

MD5
4d726078be2f7125cda23a626b86cf35

SHA1
8aa4185eb60f49867ca0c30033d7ea62537c5405

SHA256
5cfec2359894fe38d1cb2bd0c8c72fdc769a17fa78510244c79b4090769fb743

SHA512
86e0199e50c709e389cf223b8a6ccede308efc1a65c7cee0bd2484908c83a19d9c6de9e805cc6181104ebd482296d8132418f206d98ee2e08cc28535456c1906

Download Submit